No contact with DHCP server when using VPN Client

Unanswered Question

Pretty weird problem I discovered recently.

We use the VPN Client to connect to a 1841 router. Everything works fine except for one small thing.

The client does not send out _any_ traffic if the destination is the IP address of the DHCP server the client got its original IP address from.

This is verified by Wireshark. A ping on the client does not produce any ESP packets towards the VPN concentrator. No matter what traffic you try, actually.

Discovered this when wanting to use Remote Desktop towards the Windows Server that is the local DHCP server and was not able to connect. Then I tested ping and still got no response. That made me look closer, and I found out that I could not communicate at all with the DHCP server.

As I said, pretty weird.

Has anyone else seen this? Does anyone have a solution? Right now I use OpenVPN instead when I need to control that server.

- Roger

m-ketchum Sat, 11/03/2007 - 21:32

I'm assuming that the DHCP server subnet is being included in any split-tunnel ACLs that may be configured? Is your VPN client able to communicate with other hosts on the same subnet as the DHCP server?

Hi and thanks for responding.

Nothing here apart from being unable to send any packets to the DHCP server. No problem sending to any other system on the same subnet. The same happens when I connect my PC to another subnet that is served by another DHCP server. Then I cannot connect to _that_ DHCP server. I can then, of course, connect to the previous DHCP server.

I mean _no_ packets are generated out of the client at all if the destination is your DHCP server. It is not a matter of the packet being blocked by a firewall or anything like that. Ping another system on the same subnet as the DHCP server and the client happily generates ESP packets and sends them to the VPN concentrator.

I do not know if it was clear enough in the first post, so I am saying it here: the VPN concentrator gives out the IP for the VPN connection. The DHCP server I cannot connect to is the server that gives the client its IP address _before_ starting up the VPN client.

We use this VPN system so the IT personnel will be able to connect to restricted resources from their laptops anywhere in the network, also when using wireless.

This was discovered when one admin wanted to connect from his laptop to a server that also happened to be the DHCP server that had given his laptop its IP address before he used the VPN.

Should be easy enough for anyone else to test. Just ping your DHCP server after starting the VPN connection. No RFC 1918 addresses, of course; there must be a route from your VPN concentrator to your DHCP server, and at least ICMP echo must be open through any firewall/ACL.

The VPN client is on Windows XP, configured not to allow local LAN access. I might test this with other versions/OSes when I have the time.


- Roger

Forgot to mention a test I did:

- Connected to the network

- Recorded the IP configuration received from the DHCP server

- Set up TCP/IP statically with the same settings

- Connected to the VPN

- Pinged the DHCP server: _worked_!

So the only difference in IP configuration is that there is no DHCP server registered.

- Roger
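The static-versus-DHCP comparison in the post above is the one test that isolates the behaviour, so it is worth being able to repeat it exactly. The following is an added example, not code from the original thread: it parses the Windows XP style `ipconfig /all` output (the sample text, adapter name and 192.0.2.0/24 addresses below are constructed), pulls the address, mask, gateway, DNS servers and DHCP server for each adapter, and prints the `netsh` commands that pin the same settings statically, plus the commands to hand the adapter back to DHCP afterwards. It also checks whether the DHCP server sits on the local subnet, which matters for the split-tunnel question raised earlier in the thread.

```python
"""Repeat the DHCP-vs-static VPN test with an identical IP configuration.

Added example, not part of the original forum post. The ipconfig text,
adapter name and addresses below are constructed sample data.
"""
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Optional

# Constructed sample of `ipconfig /all` from a DHCP-configured Windows XP host.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : laptop01
        Primary Dns Suffix  . . . . . . . : example.internal

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.internal
        Physical Address. . . . . . . . . : 00-0C-29-AB-CD-EF
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.0.2.57
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.0.2.1
        DHCP Server . . . . . . . . . . . : 192.0.2.10
        DNS Servers . . . . . . . . . . . : 192.0.2.10
                                            192.0.2.11
        Lease Obtained. . . . . . . . . . : Saturday, November 03, 2007 9:02:11 AM
        Lease Expires . . . . . . . . . . : Sunday, November 11, 2007 9:02:11 AM
"""

# "Ethernet adapter Local Area Connection:" -> name "Local Area Connection"
_ADAPTER_RE = re.compile(r"^\S.*? adapter (?P<name>.+):\s*$")
# "  Key . . . . : value"; the key ends where the dot/space leader begins
_KV_RE = re.compile(r"^\s+(?P<key>.+?)[ .]*:\s*(?P<val>.*)$")


@dataclass
class AdapterConfig:
    name: str
    dhcp_enabled: bool = False
    ip: Optional[str] = None
    mask: Optional[str] = None
    gateway: Optional[str] = None
    dhcp_server: Optional[str] = None
    dns: List[str] = field(default_factory=list)

    def dhcp_server_on_local_subnet(self) -> bool:
        """True when the DHCP server is inside the adapter's own subnet."""
        if not (self.ip and self.mask and self.dhcp_server):
            return False
        net = IPv4Interface(f"{self.ip}/{self.mask}").network
        return IPv4Address(self.dhcp_server) in net


def _apply(cfg: AdapterConfig, key: str, val: str) -> None:
    if key == "Dhcp Enabled":
        cfg.dhcp_enabled = val.lower() == "yes"
    elif key == "IP Address":
        cfg.ip = val
    elif key == "Subnet Mask":
        cfg.mask = val
    elif key == "Default Gateway":
        cfg.gateway = val or None
    elif key == "DHCP Server":
        cfg.dhcp_server = val
    elif key == "DNS Servers":
        cfg.dns = [val] if val else []


def parse_ipconfig(text: str) -> Dict[str, AdapterConfig]:
    """Parse `ipconfig /all` output into one AdapterConfig per adapter."""
    adapters: Dict[str, AdapterConfig] = {}
    current: Optional[AdapterConfig] = None
    last_key: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _ADAPTER_RE.match(line)
        if m:
            current = AdapterConfig(name=m.group("name"))
            adapters[current.name] = current
            last_key = None
            continue
        if current is None:
            continue  # global header (Host Name etc.), not adapter data
        m = _KV_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            _apply(current, last_key, m.group("val").strip())
        elif last_key == "DNS Servers":
            current.dns.append(line.strip())  # continuation line, extra DNS server
    return adapters


def netsh_static_commands(cfg: AdapterConfig) -> List[str]:
    """netsh commands that pin the DHCP-learned settings as a static config."""
    if not (cfg.ip and cfg.mask):
        raise ValueError(f"{cfg.name}: no IP address/mask to pin")
    gw = f"gateway={cfg.gateway} gwmetric=1" if cfg.gateway else "gateway=none"
    cmds = [f'netsh interface ip set address name="{cfg.name}" source=static '
            f"addr={cfg.ip} mask={cfg.mask} {gw}"]
    if cfg.dns:
        cmds.append(f'netsh interface ip set dns name="{cfg.name}" '
                    f"source=static addr={cfg.dns[0]}")
        for i, server in enumerate(cfg.dns[1:], start=2):
            cmds.append(f'netsh interface ip add dns name="{cfg.name}" '
                        f"addr={server} index={i}")
    return cmds


def netsh_dhcp_commands(cfg: AdapterConfig) -> List[str]:
    """netsh commands that return the adapter to DHCP after the test."""
    return [f'netsh interface ip set address name="{cfg.name}" source=dhcp',
            f'netsh interface ip set dns name="{cfg.name}" source=dhcp']


if __name__ == "__main__":
    for cfg in parse_ipconfig(SAMPLE_IPCONFIG).values():
        print(f"# {cfg.name}: DHCP enabled={cfg.dhcp_enabled}, "
              f"DHCP server={cfg.dhcp_server}, "
              f"on local subnet={cfg.dhcp_server_on_local_subnet()}")
        print("\n".join(netsh_static_commands(cfg)))
        print("# connect the VPN, ping the DHCP server, then revert:")
        print("\n".join(netsh_dhcp_commands(cfg)))
```

Run `ipconfig /all > before.txt` on the laptop while it still holds its DHCP lease, feed that file to `parse_ipconfig`, and run the printed `netsh` commands; the host then has the same address, mask, gateway and DNS servers but no DHCP server recorded, which is exactly the single variable the post above changed.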

m-ketchum Sun, 11/04/2007 - 16:05

Will your host attempt to ping the DHCP server if you try before connecting with the VPN?
