dhcprelay through ipsec tunnel

fdegroodt
Level 1

Hi all,

I'm testing a VPN setup for a customer with dhcprelay but can't get dhcprelay through the tunnel. The VPN tunnel is between a PIX and a Linux box and works fine. When I configure my client with a static IP address everything goes through the tunnel and works well. Here's my PIX setup:

--
access-list 100 permit ip 192.168.120.0 255.255.255.0 192.168.231.0 255.255.255.0
pager lines 24
logging on
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.251.161 255.255.255.0
ip address inside 192.168.120.140 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 192.168.251.1 1
--
sysopt connection permit-ipsec
crypto ipsec transform-set brocom esp-3des esp-md5-hmac
crypto dynamic-map dynmap2 20 set transform-set brocom
crypto map brocom 20 ipsec-isakmp
crypto map brocom 20 match address 100
crypto map brocom 20 set pfs group2
crypto map brocom 20 set peer 192.168.250.165
crypto map brocom 20 set transform-set brocom
crypto map brocom interface outside
--
dhcprelay server 192.168.231.150 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60

Any help will be very appreciated.

Frank de Groodt

2 Replies

mnaveen
Level 1

Can you manually ping to the server 192.168.231.150 ? If this is possible, then the dhcp relay packet should go through the tunnel. Check if the relay packet is stopped at the PIX side (by enabling debugging) and that there is a return path for the unicast lease offer packet.

mcaissie
Level 1

Are you sure this is supposed to work through a tunnel?

I never used this command, but as I understand it, it's the outside interface that will forward the DHCP request. But traffic issued by your outside interface is not part of your tunnel. You may try to add in your crypto access-list the line:

access-list 100 permit ip host 192.168.251.161 192.168.231.0 255.255.255.0

this way traffic issued by your outside interface will be part of the tunnel.

A little bit like we do to reach a syslog server through a tunnel, except that here we want to reach a DHCP server:

http://www.cisco.com/warp/public/110/pix_vpn_4094.html

Just a guess, but it could work.
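The reasoning in the reply above can be checked offline: a crypto map only encrypts traffic that a `permit` entry in its match ACL covers, and a relayed DHCP request leaves the PIX with the outside interface address as its source, not a client address. The script below is an added illustration, not code from the thread or from Cisco; it evaluates PIX-style `access-list ... permit ip` entries (which use real subnet masks, not wildcard masks) against the two source addresses in question. The client address 192.168.120.50 is a constructed example; the relay source 192.168.251.161 and server 192.168.231.150 are taken from the posted config.

```python
import ipaddress

# Crypto ACL exactly as posted in the PIX config (match address 100).
ORIGINAL_ACL = [
    "access-list 100 permit ip 192.168.120.0 255.255.255.0 192.168.231.0 255.255.255.0",
]

# Same ACL with the host entry suggested in the second reply appended.
PATCHED_ACL = ORIGINAL_ACL + [
    "access-list 100 permit ip host 192.168.251.161 192.168.231.0 255.255.255.0",
]

# Addresses from the posted config plus one constructed client address.
RELAY_SOURCE = "192.168.251.161"   # PIX outside interface: source of relayed DHCP
DHCP_SERVER = "192.168.231.150"    # dhcprelay server, behind the Linux peer
EXAMPLE_CLIENT = "192.168.120.50"  # constructed: a client with a static inside IP


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]; returns (network, next index).

    PIX access-lists use ordinary subnet masks (255.255.255.0), unlike
    IOS ACLs which use wildcard masks.
    """
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_ace(line):
    """Parse 'access-list <id> permit|deny ip <src> <dst>' into (action, src, dst)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action = tokens[2]
    src, i = _parse_addr(tokens, 4)
    dst, _ = _parse_addr(tokens, i)
    return action, src, dst


def crypto_acl_matches(acl_lines, src_ip, dst_ip):
    """True if the first matching ACE permits src->dst, i.e. the map encrypts it.

    No match is an implicit deny: the packet is sent out in the clear.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, s, d = parse_ace(line)
        if src in s and dst in d:
            return action == "permit"
    return False


def diagnose(acl_lines):
    """Summarise which flows the given crypto ACL would place in the tunnel."""
    return {
        "client_static_ip": crypto_acl_matches(acl_lines, EXAMPLE_CLIENT, DHCP_SERVER),
        "relayed_dhcp": crypto_acl_matches(acl_lines, RELAY_SOURCE, DHCP_SERVER),
    }


if __name__ == "__main__":
    print("original ACL:", diagnose(ORIGINAL_ACL))
    print("patched ACL: ", diagnose(PATCHED_ACL))
```

With the posted ACL the client's static-IP traffic is encrypted while the relayed request is not, which matches the symptom in the original post; with the host entry added both flows match. The Linux peer must carry the mirror-image selector (server network to the PIX outside address) as well, otherwise the unicast lease offer mentioned in the first reply has no protected return path.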
