09-14-2010 10:07 AM
Hey guys,
I'm having a little trouble trying to get my client VPN to use a DHCP server instead of the IP pool. When I use the IP pool command everything works great, but when I use the dhcp command I get an error on the client side saying no private IP address was assigned by the peer.
Here is my config.
aaa authentication login VPNCLIENT_AUTHEN group radius local
aaa authorization network VPNCLIENT_AUTHOR local
!
crypto isakmp client configuration group VPNCLIENT_GROUP
 key xxxxxxxxxxxxxxxxxxxxxxxxxx
 dns 172.25.128.43 172.25.65.43
 wins 172.25.1.54
 domain sktnhr.ca
 dhcp server 172.25.0.27
 dhcp giaddr 172.25.205.1
 dhcp timeout 10
 ! pool VPNCLIENT_IPPOOL
!
crypto isakmp profile ISAKMP_PROFILE
 vrf HUB_VRF
 match identity group VPNCLIENT_GROUP
 client authentication list VPNCLIENT_AUTHEN
 isakmp authorization list VPNCLIENT_AUTHOR
 client configuration address respond
!
crypto dynamic-map DYN_MAP 1020
 set transform-set ESP-AES-256-SHA
 set isakmp-profile ISAKMP_PROFILE
 reverse-route
!
crypto map HUB_CRYPTO_MAP 6005 ipsec-isakmp dynamic DYN_MAP
!
ip local pool VPNCLIENT_IPPOOL 172.25.205.25 172.25.205.250
I can see the DHCP request and offer on my DHCP server but nothing gets to the client. When I use a pool I can ping the DHCP server, which makes me think the routes are okay. Does anyone have any ideas?
09-14-2010 10:16 AM
Cory,
Why the explicit giaddr?
Can you attach sniffer from server?
Marcin
09-14-2010 10:20 AM
What version of code are you running? I do have an active bug CSCtb89603 open regarding VRF-aware DHCP support in SXI.
09-14-2010 11:40 AM
I'm running version 12.2(18)SXF14
I added the giaddr because I wasn't seeing anything on my DHCP server requesting an IP. I have the DHCP log, and I could run tcpdump on the server if that would help.
or do you mean the router not the dhcp server?
09-14-2010 11:48 AM
Cory,
Ideally, we'd want to see the packets leaving and reaching the chassis.
i.e., I'd like to make sure that the reply is sent towards the chassis and in the correct way.
Marcin
09-14-2010 11:49 AM
Is it possible I need to add a dhcp relay command somewhere?
09-14-2010 11:50 AM
What happens if you define a loopback interface with the 172.25.205.1/32 IP on the switch? I have seen it work with and without but would have to test it with SXF14.
09-14-2010 11:55 AM
Ok, thanks for the suggestions. I'm going to set up some sniffers and see what is happening; once I take off the giaddr it looks like nothing is getting to my DHCP server.
Cheers.
09-14-2010 11:58 AM
You need the giaddr under the EasyVPN server configuration. Try adding the loopback to your switch and then test again. If using an iVRF, make sure that the loopback is in the same VRF as the interface facing the server.
09-14-2010 12:37 PM
Ok, I assume you mean the vrf that is used in my isakmp profile. I added a loopback and set it to ip vrf forwarding HUB_VRF and gave it the ip 172.25.205.1/32
I tried again and still same thing, I see the mac tied to the giaddr asking for an IP, but nothing from my vpn client. I can ping the loopback IP from my dhcp server.
09-14-2010 02:25 PM
Okay,
One problem solved: I can now get an IP from my DHCP server. However, I cannot use a reservation, as the MAC of my client is unknown; the DHCP server is showing the MAC of my router. We use a Linux dhcpd server with locked-down pools and MAC reservations. Does anyone know how to make the VPN client MAC address show instead of the router MAC? I have checked my ARP tables and MAC address tables and I can't see the VPN client MAC address anywhere.
Thanks
Cory
09-15-2010 01:32 AM
Cory,
How exactly did you make it work? One of Todd's suggestions worked?
For the MAC address: the client requests an address in mode config, so it's not actually sending its MAC address like it would in a typical DHCP conversation.
The DHCP query done by chassis in this case is indeed not a typical relay ;-)
A workaround on server side would be to create a local scope only for the chassis... I'm not sure if we can do anything on crypto config side.
Marcin
09-15-2010 06:59 AM
A combination of things. First, yes, Todd's posts were needed, his post about the loopback interface; without the loopback my DHCP fails. Also he confirmed that I do need the giaddr command in order for my DHCP server to work properly. Our DHCP server knows which subnet to assign based on the asking router IP, which is wrong unless I use the giaddr.
The second issue was I was looking for the MAC of my VPN adapter on the client machine, and of course not seeing it on my DHCP server; with the server locked down only allowing reservations, it was never seeing the correct MAC. I unlocked that site file and allowed it to grab a random address and it works great.
Since we give out mac based reservations, I don't think I can do what I wanted, the mac will always be the same. Oh well, I did get dhcp working. Thanks for all the help.
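The two points settled in this thread, that the DHCP server picks the scope from giaddr and that it keys reservations on the chaddr it receives (the router's MAC, not the VPN client's), can be shown with a small simulation. The following is an added example, not code from the thread or from Cisco or ISC: it builds the DHCPDISCOVER a relay (or the EasyVPN chassis acting on the client's behalf) would send, parses it, and applies dhcpd-style scope selection and a locked-down reservation check. The MAC addresses, the 172.25.0.0/24 LAN scope, the /24 mask on the VPN subnet and the reserved address 172.25.205.40 are constructed assumptions; only 172.25.0.27, 172.25.205.1 and the pool range come from the posted config.

```python
"""Added example (not from the thread): why 'dhcp giaddr' is needed for the
server to choose the VPN scope, and why MAC reservations never see the
VPN client's adapter address.  MACs, the 172.25.0.0/24 scope, the /24 on the
VPN subnet and the reserved address are constructed assumptions."""
import ipaddress
import struct

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header, 236 bytes
MAGIC = b"\x63\x82\x53\x63"                 # DHCP option-field magic cookie

ROUTER_MAC = bytes.fromhex("001122334455")      # constructed: the chassis MAC
VPN_CLIENT_MAC = bytes.fromhex("66778899aabb")  # constructed: the client's VPN adapter
SERVER_IP = "172.25.0.27"                        # dhcp server from the thread

# Constructed dhcpd-style scopes: the server's own LAN and the VPN subnet.
SCOPES = {
    ipaddress.ip_network("172.25.0.0/24"): {"range": None, "reservations": {}},
    ipaddress.ip_network("172.25.205.0/24"): {
        "range": ("172.25.205.25", "172.25.205.250"),
        "reservations": {VPN_CLIENT_MAC: "172.25.205.40"},   # assumed reservation
    },
}


def build_discover(chaddr, giaddr="0.0.0.0", xid=0x1234ABCD):
    """DHCPDISCOVER as a relay agent (or the EasyVPN chassis) sends it: giaddr set
    to its own address, chaddr to the hardware address it is asking on behalf of."""
    relayed = giaddr != "0.0.0.0"
    header = struct.pack(
        BOOTP_FMT,
        1, 1, 6, 1 if relayed else 0,        # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,                       # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,      # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed, # giaddr: the relay's address or 0.0.0.0
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = bytes([53, 1, 1]) + bytes([255])   # option 53 = DISCOVER, then END
    return header + MAGIC + options


def parse_discover(packet):
    """Return giaddr, chaddr and the message type from a raw DHCP packet."""
    f = struct.unpack(BOOTP_FMT, packet[:236])
    if packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:   # walk TLV options until END
        if packet[i] == 0:                         # PAD option has no length
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "giaddr": str(ipaddress.IPv4Address(f[10])),
        "chaddr": f[11][:f[2]],                    # hlen bytes of the chaddr field
        "msgtype": opts.get(53, b"\0")[0],
    }


def select_scope(msg, server_ip=SERVER_IP):
    """dhcpd chooses the scope from giaddr when it is set; otherwise from the
    subnet of the interface the request arrived on (here: the server's address)."""
    anchor = ipaddress.ip_address(msg["giaddr"] if msg["giaddr"] != "0.0.0.0" else server_ip)
    return next((net for net in SCOPES if anchor in net), None)


def offer(packet, locked_down=True):
    """Address the server would offer, or None.  A locked-down scope (no dynamic
    range in use) answers only when chaddr matches a reservation."""
    msg = parse_discover(packet)
    if msg["msgtype"] != 1:
        return None
    net = select_scope(msg)
    if net is None:
        return None
    scope = SCOPES[net]
    reserved = scope["reservations"].get(bytes(msg["chaddr"]))
    if reserved:
        return reserved
    if locked_down or scope["range"] is None:
        return None
    return scope["range"][0]   # simplified: first address of the dynamic range


if __name__ == "__main__":
    # Without giaddr the request is judged by the server's own subnet: wrong scope.
    print(select_scope(parse_discover(build_discover(ROUTER_MAC))))       # 172.25.0.0/24
    # giaddr 172.25.205.1 selects the VPN scope, but chaddr is the router's MAC,
    # so a locked-down scope finds no reservation and offers nothing.
    relayed = build_discover(ROUTER_MAC, "172.25.205.1")
    print(select_scope(parse_discover(relayed)))                           # 172.25.205.0/24
    print(offer(relayed))                                                  # None
    print(offer(relayed, locked_down=False))                               # 172.25.205.25
    # Only if the client's own MAC reached the server would the reservation match.
    print(offer(build_discover(VPN_CLIENT_MAC, "172.25.205.1")))           # 172.25.205.40
```

The last call shows what a per-client reservation would need: a chaddr the server never gets in this setup, because the chassis asks for the address itself (Marcin's point above). The practical consequence for a locked-down dhcpd is the one Cory reached: either open a dynamic range in the VPN scope for the chassis's own MAC, or keep using the local pool.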