
DHCP relay over VPN


Hi, I am having trouble getting DHCP relay over VPN to work. Below is our topology:
(Topology image: 2016-07-01 13_48_55-Topology.vsdx - Visio Professional.png)

The VPN tunnel is up and running, which is verified by both ping and tracert after assigning a static IP address to our client device. The problem occurs when trying to use DHCP with the client: using Wireshark on our DHCP server, I can see that the DHCPDISCOVER packet is received correctly, with the client MAC address from our client.


The DHCP server is sending a DHCPOFFER packet with an IP address from the 10.0.10.0/24 scope, with destination address 10.0.10.1, the LAN interface on the router where the client is connected. Connectivity to 10.0.10.1 is verified as working, as ping from our DHCP server to this address works.


Running Wireshark on the client, I can see that it never receives any DHCPOFFER packet at all and just keeps trying to send out DHCPDISCOVER. Using tcpdump on R1, the router on the client side, I can see the DHCPOFFER packet coming in on VTI0 at R1, but it is not internally redirected to ETH1. tcpdump on ETH1 is not showing the DHCPOFFER packet at all.


I have tried this setup without the VPN tunnel, and the DHCP relay works as expected without it. I have also tried configuring DHCP relay on both routers, with different interfaces and with relay-options relay-agents-packets, without luck. Using show log tail with debug logging enabled won't give me anything I can use either.


What more could I try? The first two packets are obviously transferred over the tunnel, so I guess there is something more I have to do on R1 to get this working? I have tried the same setup with Cisco routers in GNS3, which works as expected.


Below are the configurations used on both routers; the client and DHCP server are as plain as it gets.


Router R1 (Client side):


set interfaces ethernet eth0 address 10.0.5.1/24
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth1 address 10.0.10.1/24
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces loopback lo
set interfaces vti vti0 address 10.0.6.1/24
set interfaces vti vti0 mtu 1436
set protocols static route 0.0.0.0/24 next-hop 10.0.5.2
set protocols static route 10.20.30.0/24 next-hop 10.0.6.2
set service dhcp-relay interface eth1
set service dhcp-relay interface eth0
set service dhcp-relay relay-options hop-count 10
set service dhcp-relay relay-options max-size 576
set service dhcp-relay relay-options relay-agents-packets forward
set service dhcp-relay server 10.20.30.50
set service gui https-port 443
set service nat rule 5000 description 'WAN MASQ'
set service nat rule 5000 log enable
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 type masquerade
set service ssh port 22
set service ssh protocol-version v2
set system host-name r1
set system login user ubnt authentication encrypted-password '$1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.'
set system login user ubnt level admin
set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system ntp server 3.ubnt.pool.ntp.org
set system offload ipsec enable
set system offload ipv4 forwarding enable
set system offload ipv6 forwarding disable
set system syslog global facility all level debug
set system syslog global facility protocols level debug
set system time-zone UTC
set vpn ipsec auto-firewall-nat-exclude disable
set vpn ipsec esp-group FOO0 compression disable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs dh-group2
set vpn ipsec esp-group FOO0 proposal 1 encryption 3des
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 ikev2-reauth no
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
set vpn ipsec ike-group FOO0 proposal 1 encryption 3des
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer 10.0.5.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 10.0.5.2 authentication pre-shared-secret drid
set vpn ipsec site-to-site peer 10.0.5.2 connection-type initiate
set vpn ipsec site-to-site peer 10.0.5.2 ike-group FOO0
set vpn ipsec site-to-site peer 10.0.5.2 ikev2-reauth inherit
set vpn ipsec site-to-site peer 10.0.5.2 local-address 10.0.5.1
set vpn ipsec site-to-site peer 10.0.5.2 vti bind vti0
set vpn ipsec site-to-site peer 10.0.5.2 vti esp-group FOO0

Router R2 (DHCP server side):


set interfaces ethernet eth0 address 10.0.5.2/24
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth1 address 10.20.30.1/24
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces loopback lo
set interfaces vti vti0 address 10.0.6.2/24
set interfaces vti vti0 mtu 1436
set protocols static route 0.0.0.0/24 next-hop 10.0.5.1
set protocols static route 10.0.10.0/24 next-hop 10.0.6.1
set service gui https-port 443
set service nat rule 5000 description 'WAN MASQ'
set service nat rule 5000 log enable
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 type masquerade
set service ssh port 22
set service ssh protocol-version v2
set system host-name r2
set system login user ubnt authentication encrypted-password '$1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.'
set system login user ubnt level admin
set system ntp server 0.ubnt.pool.ntp.org
set system ntp server 1.ubnt.pool.ntp.org
set system ntp server 2.ubnt.pool.ntp.org
set system ntp server 3.ubnt.pool.ntp.org
set system offload ipsec enable
set system offload ipv4 forwarding enable
set system offload ipv6 forwarding disable
set system syslog global facility all level debug
set system syslog global facility protocols level debug
set system time-zone UTC
set vpn ipsec auto-firewall-nat-exclude disable
set vpn ipsec esp-group FOO0 compression disable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs dh-group2
set vpn ipsec esp-group FOO0 proposal 1 encryption 3des
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 ikev2-reauth no
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
set vpn ipsec ike-group FOO0 proposal 1 encryption 3des
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer 10.0.5.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 10.0.5.1 authentication pre-shared-secret drid
set vpn ipsec site-to-site peer 10.0.5.1 connection-type initiate
set vpn ipsec site-to-site peer 10.0.5.1 ike-group FOO0
set vpn ipsec site-to-site peer 10.0.5.1 ikev2-reauth inherit
set vpn ipsec site-to-site peer 10.0.5.1 local-address 10.0.5.2
set vpn ipsec site-to-site peer 10.0.5.1 vti bind vti0
set vpn ipsec site-to-site peer 10.0.5.1 vti esp-group FOO0

Thanks in advance.
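The symptom above (the OFFER arrives on vti0 but never reaches eth1) is the kind of thing a small config sanity check can surface. The script below is an added example and not part of the post or of EdgeOS; it parses the `set` lines, resolves which interface R1 uses to reach the dhcp-relay server, and reports when that interface is not itself listed under `service dhcp-relay interface`, on the assumption (consistent with the symptoms, but an assumption) that the relay only processes DHCP packets on its configured interfaces. It also flags a `0.0.0.0/24` route as a likely mistyped default route. `R1_CONFIG` is a constructed excerpt of the posted R1 config.

```python
import ipaddress
# Constructed excerpt of R1's posted config: only the lines the checks below need.
R1_CONFIG = """
set interfaces ethernet eth1 address 10.0.10.1/24
set interfaces vti vti0 address 10.0.6.1/24
set protocols static route 0.0.0.0/24 next-hop 10.0.5.2
set protocols static route 10.20.30.0/24 next-hop 10.0.6.2
set service dhcp-relay interface eth1
set service dhcp-relay server 10.20.30.50
"""

def parse(config):
    """Pull interface subnets, static routes, relay interfaces and servers out of EdgeOS 'set' lines."""
    ifaces, routes, relay, servers = {}, [], [], []
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["set", "interfaces"] and "address" in w:
            ifaces[w[3]] = ipaddress.ip_interface(w[5]).network
        elif w[:4] == ["set", "protocols", "static", "route"]:
            routes.append((ipaddress.ip_network(w[4]), ipaddress.ip_address(w[6])))
        elif w[:4] == ["set", "service", "dhcp-relay", "interface"]:
            relay.append(w[4])
        elif w[:4] == ["set", "service", "dhcp-relay", "server"]:
            servers.append(ipaddress.ip_address(w[4]))
    return ifaces, routes, relay, servers

def egress_interface(ifaces, routes, dst):
    """Longest-prefix match dst against the static routes, then find the interface whose subnet holds the next-hop."""
    matches = [(p, nh) for p, nh in routes if dst in p]
    if not matches:
        return None
    _, nexthop = max(matches, key=lambda r: r[0].prefixlen)
    return next((name for name, net in ifaces.items() if nexthop in net), None)

def check_relay(config):
    """Return findings as strings; an empty list means routing and relay interfaces look consistent."""
    ifaces, routes, relay, servers = parse(config)
    findings = []
    for srv in servers:
        via = egress_interface(ifaces, routes, srv)
        if via is None:
            findings.append(f"no route to DHCP server {srv}")
        elif via not in relay:
            # Assumption: the relay only sees packets on its listed interfaces, so a reply on `via` is dropped.
            findings.append(f"server {srv} is reached via {via}, which is not a dhcp-relay interface")
    for prefix, _ in routes:
        if int(prefix.network_address) == 0 and prefix.prefixlen != 0:
            findings.append(f"route {prefix} looks like a mistyped default route (expected 0.0.0.0/0)")
    return findings
```

Running `check_relay(R1_CONFIG)` on the excerpt reports that 10.20.30.50 is reached via vti0, which is not a relay interface, and flags the 0.0.0.0/24 route; adding `set service dhcp-relay interface vti0` to the input clears the first finding.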
