Cisco Support Community

New Member

dhcprelay through ipsec tunnel

Hi all,

I'm testing a vpn setup for a customer with dhcprelay but can't get dhcprelay through the tunnel. The vpn tunnel is between a PIX and a Linux box and works fine. When I configure my client with a static ip address everything goes through the tunnel and works well. Here's my PIX setup:


access-list 100 permit ip
pager lines 24
logging on
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 100
route outside 1

sysopt connection permit-ipsec
crypto ipsec transform-set brocom esp-3des esp-md5-hmac
crypto dynamic-map dynmap2 20 set transform-set brocom
crypto map brocom 20 ipsec-isakmp
crypto map brocom 20 match address 100
crypto map brocom 20 set pfs group2
crypto map brocom 20 set peer
crypto map brocom 20 set transform-set brocom
crypto map brocom interface outside

dhcprelay server outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60

Any help will be very appreciated.

Frank de Groodt

New Member

Re: dhcprelay through ipsec tunnel

Can you manually ping the server? If this is possible, then the dhcp relay packet should go through the tunnel. Check if the relay packet is stopped at the PIX side (by enabling debugging) and that there is a return path for the unicast lease offer packet.

New Member

Re: dhcprelay through ipsec tunnel

Are you sure this is supposed to work through a tunnel?

I never used this command, but as I understand it, it's the outside interface that will forward the DHCP request. But traffic issued by your outside interface is not part of your tunnel. You may try to add in your crypto access-list the line:

access-list 100 permit ip host

This way traffic issued by your outside interface will be part of the tunnel.

A little bit like we do to reach a syslog server through a tunnel, except that here we want to reach a DHCP server.

Just a guess, but it could work.
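The two replies above turn on one mechanism: the PIX only encrypts a packet if its source and destination match a permit line in the crypto ACL (`match address 100`), and a DHCP request relayed from the outside interface carries the outside interface's own address as its source, which the inside-to-remote line does not cover. The following Python script is an added illustration of that matching logic; it is not code from the thread or from Cisco. All addresses in it are constructed placeholders (the real ones were stripped from the post), and it adopts the second reply's reading that the relayed request is sourced from the PIX outside interface. It parses PIX-style ACL lines, checks which flows the crypto ACL would select for IPsec, and shows the relayed request and the server's unicast offer only becoming "interesting traffic" once the suggested `host` entry is added.

```python
import ipaddress

# Constructed addresses for this illustration only; the thread's real addresses
# were stripped from the post, so these are placeholders.
INSIDE_NET = "192.168.10.0 255.255.255.0"   # LAN behind the PIX "inside" interface
REMOTE_NET = "10.20.0.0 255.255.0.0"        # LAN behind the Linux IPsec peer
PIX_OUTSIDE_IP = "203.0.113.2"              # PIX "outside" interface address
DHCP_SERVER_IP = "10.20.0.5"                # DHCP server behind the Linux peer
STATIC_CLIENT_IP = "192.168.10.50"          # a client with a static address, as in the post


def _operand(tokens):
    """Consume one PIX ACL address operand: 'any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M'."""
    if not tokens:
        raise ValueError("missing address operand")
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # network followed by a dotted subnet mask (PIX ACLs use real masks, not wildcards)
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse 'access-list <id> permit ip <src> <dst>' into a (src_net, dst_net) pair."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    src, rest = _operand(tokens[4:])
    dst, rest = _operand(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {rest}")
    return src, dst


def is_interesting(acl, src_ip, dst_ip):
    """True if the src->dst flow matches a permit entry of the crypto ACL, i.e. the PIX
    would select it for IPsec encapsulation. Anything else leaves the outside interface in the clear."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in acl)


def relay_path_check(acl):
    """Evaluate the three flows discussed in the thread against a crypto ACL.

    The relayed DHCP request is modelled as sourced from the PIX outside interface
    (the second reply's reading of 'dhcprelay server <ip> outside'); the server's
    unicast offer must match the peer's mirrored ACL, modelled here by swapping src/dst.
    """
    mirrored = [(d, s) for s, d in acl]
    return {
        "static_client_to_server": is_interesting(acl, STATIC_CLIENT_IP, DHCP_SERVER_IP),
        "relay_to_server": is_interesting(acl, PIX_OUTSIDE_IP, DHCP_SERVER_IP),
        "server_to_relay": is_interesting(mirrored, DHCP_SERVER_IP, PIX_OUTSIDE_IP),
    }


# The crypto ACL as the original post implies it (inside LAN <-> remote LAN only).
ORIGINAL_ACL = [parse_ace(f"access-list 100 permit ip {INSIDE_NET} {REMOTE_NET}")]

# The same ACL with the host entry the second reply suggests for the outside interface.
FIXED_ACL = ORIGINAL_ACL + [
    parse_ace(f"access-list 100 permit ip host {PIX_OUTSIDE_IP} {REMOTE_NET}")
]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("with host entry", FIXED_ACL)):
        print(name, relay_path_check(acl))
```

The `server_to_relay` leg is the return path the first reply asks about: even after the PIX side is fixed, the Linux peer's selector (the mirror image of ACL 100) must also cover server-to-outside-interface traffic, otherwise the unicast offer is sent in the clear or dropped and the client never hears back.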