No contact with DHCP server when using VPN Client

Pretty weird problem I discovered recently.

We use the VPN Client to connect to a 1841 router. Everything works fine except for one small thing.

The client does not send out _any_ traffic if the destination is the IP address of the DHCP server the client got its original IP address from.

This is verified by Wireshark. A ping on the client does not produce any ESP packets towards the VPN concentrator. No matter what traffic you try, actually.

Discovered this when wanting to use Remote Desktop towards the Windows Server that is the local DHCP server and was not able to connect. Then I tested ping and still got no response. That made me look closer, and I found out that I could not communicate at all with the DHCP server.

As I said, pretty weird.

Has anyone else seen this? Does anyone have a solution? Right now I use OpenVPN instead when I need to control that server.

- Roger

m-ketchum Sat, 11/03/2007 - 21:32

I'm assuming that the DHCP server subnet is being included in any split-tunnel ACLs that may be configured? Is your VPN client able to communicate with other hosts on the same subnet as the DHCP server?

Hi and thanks for responding.

Nothing here apart from being unable to send any packets to the DHCP server. No problem sending to any other system on the same subnet. The same happens when I connect my PC to another subnet that is served by another DHCP server. Then I cannot connect to _that_ DHCP server. I can then of course connect to the previous DHCP server.

I mean _no_ packets are generated out of the client at all if the destination is your DHCP server. This is not a case of the packet being blocked by a firewall or anything like that. Ping another system on the same subnet as the DHCP server and the client happily generates ESP packets and sends them to the VPN concentrator.

I do not know if it was clear enough in the first post, so I am saying it here: the VPN concentrator gives out the IP for the VPN connection. The DHCP server I cannot connect to is the server that gives the client its IP address _before_ starting up the VPN client.

We use this VPN system so the IT personnel will be able to connect to restricted resources from their laptops anywhere in the network, also when using wireless.

This was discovered when one admin wanted to connect from his laptop to a server that also happened to be the DHCP server that had given his laptop its IP address before he used VPN.

Should be easy enough for anyone else to test. Just ping your DHCP server after starting the VPN connection. No RFC 1918 addresses, of course; there must be a route from your VPN concentrator to your DHCP server, and at least ICMP echo must be open through any firewall/ACL.

The VPN Client version is 4.8.00.0440 on Windows XP, configured to not allow local LAN access. I might test this with other versions/OSes when I have the time.

Regards,

- Roger
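The test described above (ping the DHCP server after the tunnel is up and check in Wireshark whether any ESP packets leave towards the concentrator) can be made repeatable by correlating a small ping log with a capture export. The script below is an added example, not code from this thread or from Cisco. The client, concentrator and DHCP server addresses, the `ipconfig /all` fragment, the ping time windows and the capture lines are all constructed; the capture format it assumes is a tab-separated tshark `-T fields` export of `frame.time_relative`, `ip.src`, `ip.dst` and `ip.proto`.

```python
"""Correlate ping attempts with ESP traffic in a packet capture.

Added example (not from the original thread). Reproduces the check from the
post: after the VPN tunnel is up, does a ping to the local DHCP server cause
any ESP packets to be sent to the concentrator, the way a ping to another
host on the same subnet does? All addresses, times and capture lines below
are constructed sample data.
"""
import re
from dataclasses import dataclass

# Constructed fragment of `ipconfig /all` taken on the client before the VPN came up.
IPCONFIG_OUTPUT = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.test
   IP Address. . . . . . . . . . . . : 10.1.2.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.2.1
   DHCP Server . . . . . . . . . . . : 10.1.2.10
"""

CONCENTRATOR = "203.0.113.5"   # constructed address of the VPN router's outside interface
CLIENT = "10.1.2.50"           # constructed client address on the physical NIC

# Constructed capture, one packet per line: time, src, dst, IP protocol
# (50 = ESP, 1 = ICMP). The packets at 0.0 and 2.0 stand in for tunnel
# keepalive traffic unrelated to the pings.
CAPTURE = """\
0.000000\t10.1.2.50\t203.0.113.5\t50
0.050000\t203.0.113.5\t10.1.2.50\t50
1.000000\t10.1.2.50\t203.0.113.5\t50
1.020000\t203.0.113.5\t10.1.2.50\t50
2.000000\t10.1.2.50\t203.0.113.5\t50
"""

# Constructed ping log: (target, window_start, window_end) for each single ping.
PINGS = [
    ("10.1.2.20", 0.9, 1.5),   # another host on the DHCP server's subnet
    ("10.1.2.10", 3.0, 4.0),   # the DHCP server itself
]

ESP = 50


@dataclass(frozen=True)
class Packet:
    t: float
    src: str
    dst: str
    proto: int


IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def dhcp_server_from_ipconfig(text: str) -> str:
    """Extract the 'DHCP Server' address from `ipconfig /all` output."""
    m = re.search(r"DHCP Server[ .]*: (" + IPV4 + ")", text)
    if not m:
        raise ValueError("no DHCP Server line found")
    return m.group(1)


def parse_capture(text: str) -> list[Packet]:
    """Parse the tab-separated tshark field export into Packet records."""
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, proto = line.split("\t")
        pkts.append(Packet(float(t), src, dst, int(proto)))
    return pkts


def esp_towards(pkts: list[Packet], client: str, concentrator: str,
                start: float, end: float) -> int:
    """Count ESP packets the client sent to the concentrator within [start, end]."""
    return sum(1 for p in pkts
               if p.proto == ESP and p.src == client and p.dst == concentrator
               and start <= p.t <= end)


def diagnose(pings, pkts, client: str, concentrator: str) -> dict[str, int]:
    """Map each ping target to the number of ESP packets sent during its window."""
    return {target: esp_towards(pkts, client, concentrator, s, e)
            for target, s, e in pings}


def silent_targets(report: dict[str, int]) -> list[str]:
    """Targets for which no ESP traffic left the client at all."""
    return [t for t, n in report.items() if n == 0]


if __name__ == "__main__":
    report = diagnose(PINGS, parse_capture(CAPTURE), CLIENT, CONCENTRATOR)
    dhcp = dhcp_server_from_ipconfig(IPCONFIG_OUTPUT)
    for target, n in report.items():
        tag = " (DHCP server)" if target == dhcp else ""
        print(f"{target}{tag}: {n} ESP packet(s) towards {CONCENTRATOR}")
    print("no ESP traffic for:", silent_targets(report))
```

With the constructed data the host on the same subnet shows one ESP packet during its ping window while the DHCP server shows none, which is the symptom reported in the thread. On a real client the capture would come from the physical adapter with a filter for the concentrator address, and a target that is silent should also be checked for plaintext ICMP on that adapter, which would point at the VPN client's local LAN handling rather than at anything on the tunnel.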

m-ketchum Sun, 11/04/2007 - 16:05

Will your host attempt to ping the DHCP server if you try before connecting with the VPN?
