IPSec VPN + Centralised DHCP Server + Remote DHCP clients

Apr 20th, 2008

I would like to know if the following scenario is possible or not.

There is an IPSec VPN between an ASA 5520 and another VPN device at a remote site. There is a central DHCP server on the INSIDE of the ASA. Now this ASA should release IP addresses to clients at the remote site located behind the VPN device on the other side. Is this possible?

DHCP uses broadcast and IPSec does not support broadcast or multicast. So is this scenario technically possible (using relay)?

Thanks and Regards


aghaznavi Fri, 04/25/2008 - 05:46

An IPSEC VPN tunnel only works with unicast traffic. It does not work with multicast or broadcast, but DHCP requires broadcast. The solution for this is GRE over IPSEC. With a GRE over IPSEC tunnel, multicast and broadcast are converted to unicast. So you can use a GRE tunnel between your VPN devices.

jeromecandiff Wed, 09/09/2009 - 08:42

The DHCP Offer is Layer 2. Since the ASA crypto ACL is all Layer 3, this won't work. You need an appliance that supports route-based VPNs.
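One way to build what the two replies above describe (a GRE tunnel protected by IPsec, i.e. a route-based VPN, with the remote router relaying DHCP), as an added example that is not part of the thread: both tunnel endpoints are assumed to be Cisco IOS routers rather than the ASA, and every address, interface name and the pre-shared-key placeholder is constructed for illustration.

```text
! === HQ router (hypothetical; public 203.0.113.1, LAN 10.1.0.0/24, DHCP server 10.1.0.10) ===
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 198.51.100.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS
!
! GRE tunnel interface; IPsec protects the whole GRE packet, so the relayed
! DHCP unicast inside it never has to match a crypto ACL entry
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile GRE-PROT
!
ip route 10.2.0.0 255.255.255.0 Tunnel0
!
! === Remote router (hypothetical; public 198.51.100.1, client LAN 10.2.0.0/24) ===
! ISAKMP policy, key (for peer 203.0.113.1), transform set and profile as above
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
!
interface GigabitEthernet0/1
 description LAN with the remote DHCP clients
 ip address 10.2.0.1 255.255.255.0
 ! Relay agent: a client's broadcast DHCPDISCOVER is re-sent as a unicast from
 ! 10.2.0.1 (giaddr) to 10.1.0.10 and routed into Tunnel0; the server's
 ! DHCPOFFER comes back to 10.2.0.1 the same way and is re-broadcast on the LAN
 ip helper-address 10.1.0.10
!
ip route 10.1.0.0 255.255.255.0 Tunnel0
```

The DHCP server at 10.1.0.10 still needs a scope for 10.2.0.0/24 (it selects it from giaddr) and a route to that subnet via the HQ router.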