IOS 6500 router Cisco VPN Client using DHCP no IP Pool

Answered Question
Sep 14th, 2010

Hey guys,

I'm having a little trouble trying to get my client vpn to use a dhcp server instead of the ip pool.  When I use the IP pool command everything works great, but when I use the dhcp command I get an error on the client side saying no private IP address was assigned by the peer.

Here is my config.

aaa authentication login VPNCLIENT_AUTHEN group radius local
aaa authorization network VPNCLIENT_AUTHOR local

crypto isakmp client configuration group VPNCLIENT_GROUP
 key xxxxxxxxxxxxxxxxxxxxxxxxxx
 dns 172.25.128.43 172.25.65.43
 wins 172.25.1.54
 domain sktnhr.ca
 dhcp server 172.25.0.27
 dhcp giaddr 172.25.205.1
 dhcp timeout 10
 # pool VPNCLIENT_IPPOOL

crypto isakmp profile ISAKMP_PROFILE
   vrf HUB_VRF
   match identity group VPNCLIENT_GROUP
   client authentication list VPNCLIENT_AUTHEN
   isakmp authorization list VPNCLIENT_AUTHOR
   client configuration address respond

crypto dynamic-map DYN_MAP 1020
 set transform-set ESP-AES-256-SHA
 set isakmp-profile ISAKMP_PROFILE
 reverse-route

crypto map HUB_CRYPTO_MAP 6005 ipsec-isakmp dynamic DYN_MAP

ip local pool VPNCLIENT_IPPOOL 172.25.205.25 172.25.205.250

I can see the dhcp request and offer on my dhcp server but nothing gets to the client. When I use a pool I can ping the dhcp server, which makes me think the routes are okay. Does anyone have any ideas?

cory.fedorak Tue, 09/14/2010 - 11:40

I'm running version 12.2(18)SXF14

I added the giaddr because I wasn't seeing anything on my dhcp server requesting an IP. I have the dhcp log, and I could run tcpdump on the server if that would help.

or do you mean the router not the dhcp server?

Marcin Latosiewicz Tue, 09/14/2010 - 11:48

Cory,

Ideally, we'd want to see packets leaving and reaching the chassis.

I.e., I'd like to make sure that the reply is sent towards the chassis and in the correct way.

Marcin

Todd Pula Tue, 09/14/2010 - 11:50

What happens if you define a loopback interface with the 172.25.205.1/32 IP on the switch? I have seen it work with and without, but would have to test it with SXF14.

cory.fedorak Tue, 09/14/2010 - 11:55

Ok, thanks for the suggestions. I'm going to set up some sniffers and see what is happening; once I take off the giaddr it looks like nothing is getting to my dhcp server.

Cheers.

Correct Answer
Todd Pula Tue, 09/14/2010 - 11:58

You need the giaddr under the EasyVPN server configuration. Try adding the loopback to your switch and then test again. If using an iVRF, make sure that the loopback is in the same VRF as the interface facing the server.

cory.fedorak Tue, 09/14/2010 - 12:37

Ok, I assume you mean the vrf that is used in my isakmp profile. I added a loopback, set it to ip vrf forwarding HUB_VRF and gave it the IP 172.25.205.1/32.

I tried again and still the same thing: I see the mac tied to the giaddr asking for an IP, but nothing from my vpn client. I can ping the loopback IP from my dhcp server.

cory.fedorak Tue, 09/14/2010 - 14:25

Okay,

One problem solved, I can now get an IP from my dhcp server. However, I cannot use a reservation as the MAC of my client is unknown; the dhcp server is showing the MAC of my router. We use a Linux dhcpd server with locked-down pools and MAC reservations. Does anyone know how to make the VPN Client MAC address show instead of the router MAC? I have checked my arp tables and mac address tables and I can't see the VPN client MAC address anywhere.

Thanks

Cory

Marcin Latosiewicz Wed, 09/15/2010 - 01:32

Cory,

How exactly did you make it work? One of Todd's suggestions worked?

For the MAC address, the client requests an address in mode config, so it's not actually sending its MAC address like it would in a typical DHCP conversation.

The DHCP query done by chassis in this case is indeed not a typical relay ;-)

A workaround on server side would be to create a local scope only for the chassis... I'm not sure if we can do anything on crypto config side.

Marcin

cory.fedorak Wed, 09/15/2010 - 06:59

A combination of things. First, yes, Todd's posts were needed, his post about the loopback interface; without the loopback my dhcp fails. Also he confirmed that I do need the giaddr command in order for my dhcp server to work properly. Our dhcp server knows which subnet to assign based on the asking router IP, which is wrong unless I use the giaddr.

The second issue was I was looking for the MAC of the VPN adapter of the client machine, and of course not seeing it on my dhcp server; with the server locked down only allowing reservations, it was never seeing the correct MAC. I unlocked that site file and allowed it to grab a random address and it works great.

Since we give out mac-based reservations, I don't think I can do what I wanted; the mac will always be the same. Oh well, I did get dhcp working. Thanks for all the help.
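The fix the thread converges on (a dhcp giaddr that is the address of a loopback, placed in the same VRF as the ISAKMP profile) is easy to lose in a later change, so here is an added example, not code from this thread or from Cisco, of a small Python check that reads an IOS-style configuration and reports a giaddr that is not a local interface address or that sits in a different VRF from the profile that matches the client group. The configuration snippets it runs on are constructed from the lines in this thread, not the poster's full running-config; the interface name Loopback205 and the simplified line-indentation parser are assumptions.

```python
import re

# Constructed samples modelled on the thread's configuration, not the poster's
# full running-config: only the DHCP-relevant group, profile and interface lines.
BASE = """\
crypto isakmp client configuration group VPNCLIENT_GROUP
 dhcp server 172.25.0.27
 dhcp giaddr 172.25.205.1
 dhcp timeout 10
crypto isakmp profile ISAKMP_PROFILE
   vrf HUB_VRF
   match identity group VPNCLIENT_GROUP
   client configuration address respond
"""
# Before: the giaddr is not the address of any interface on the chassis.
CONFIG_NO_LOOPBACK = BASE
# Loopback added (Loopback205 is a hypothetical name) but left in the global table.
CONFIG_WRONG_VRF = BASE + "interface Loopback205\n ip address 172.25.205.1 255.255.255.255\n"
# After: the loopback carries the giaddr and sits in the same VRF as the profile.
CONFIG_FIXED = BASE + ("interface Loopback205\n ip vrf forwarding HUB_VRF\n"
                       " ip address 172.25.205.1 255.255.255.255\n")


def parse_sections(text):
    # Top-level IOS commands start in column 0; their sub-commands are indented.
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            sections.append((raw.strip(), []))
    return sections


def index_config(sections):
    # addrs: interface IP -> (interface, VRF); vrfs: client group -> (profile, VRF).
    # Anything without an explicit VRF is recorded under the name "global".
    addrs, vrfs = {}, {}
    for header, children in sections:
        m = re.match(r"interface (\S+)", header)
        if m:
            vrf = next((c.split()[3] for c in children if c.startswith("ip vrf forwarding ")), "global")
            for line in children:
                ma = re.match(r"ip address (\S+) \S+", line)
                if ma:
                    addrs[ma.group(1)] = (m.group(1), vrf)
        m = re.match(r"crypto isakmp profile (\S+)", header)
        if m:
            vrf = next((c.split()[1] for c in children if c.startswith("vrf ")), "global")
            for line in children:
                mg = re.match(r"match identity group (\S+)", line)
                if mg:
                    vrfs[mg.group(1)] = (m.group(1), vrf)
    return addrs, vrfs


def check_dhcp_giaddr(config_text):
    # Return one finding per client group whose DHCP relay setup is inconsistent;
    # an empty list means every giaddr is a local address in the profile's VRF.
    sections = parse_sections(config_text)
    addrs, vrfs = index_config(sections)
    findings = []
    for header, children in sections:
        m = re.match(r"crypto isakmp client configuration group (\S+)", header)
        if not m:
            continue
        group = m.group(1)
        servers = [c.split()[2] for c in children if c.startswith("dhcp server ")]
        giaddrs = [c.split()[2] for c in children if c.startswith("dhcp giaddr ")]
        if not servers:
            continue  # addresses come from a local pool, nothing is relayed
        if not giaddrs:
            findings.append(f"group {group}: dhcp server configured without dhcp giaddr")
        elif giaddrs[0] not in addrs:
            findings.append(f"group {group}: dhcp giaddr {giaddrs[0]} is not configured "
                            "on any local interface")
        elif group in vrfs and addrs[giaddrs[0]][1] != vrfs[group][1]:
            iface, iface_vrf = addrs[giaddrs[0]]
            profile, profile_vrf = vrfs[group]
            findings.append(f"group {group}: dhcp giaddr {giaddrs[0]} is on {iface} in VRF "
                            f"{iface_vrf}, but profile {profile} uses VRF {profile_vrf}")
    return findings


if __name__ == "__main__":
    for label, cfg in [("no loopback", CONFIG_NO_LOOPBACK),
                       ("wrong VRF", CONFIG_WRONG_VRF), ("fixed", CONFIG_FIXED)]:
        print(label, "->", check_dhcp_giaddr(cfg) or ["ok"])
```

Run against a `show running-config` capture, the check flags the two states the thread went through (no loopback holding the giaddr, and a loopback in the wrong VRF) and stays quiet once the loopback is in HUB_VRF; groups that use `pool` instead of `dhcp server` are skipped because nothing is relayed for them.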
