DHCP Relay over IPSec VPN
I'm trying to get DHCP relay working over IPSec VPN.
I nearly read all the threads regarding DHCP relay but none of them worked for me.
This is my setup:
main site remote site
(DHCP Server)–-(Checkpoint GW)--------IPSec VPN------(DSL Router)---(pfSense)---(Client)
10.0.0.78 10.0.0.1/24 192.168.0.0/24 10.20.0.1/24
On the pfsense box DHCP relay is activated relaying to the DHCP server ip address.
$ ps x | grep dhcrelay
500 ?? Is 0:00.03 /usr/local/sbin/dhcrelay -i fxp0 -i rl0 10.0.0.78
Static routes of pfsense are as follows
10.0.0.0/24 10.20.0.1 UGS 0 651 1500 fxp0
The route has been added as mentioned here (http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP%2C_use_syslog%2C_NTP%2C_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F)
Okay, the tunnel is up and I can ping from remote to main site and vice versa. Now trying to renew DHCP address on the client. I can see incoming DHCP packets on the Checkpoint but the client runs into timeout.
A packet capture on the pfsense shows this:
18:01:08.572759 00:08:02:68:7f:b2 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 128, id 21564, offset 0, flags [none], proto UDP (17), length 328) 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 00:XX:XX:XX:XX:XX, length 300, xid 0x43bb0a23, Flags [none] (0x0000)
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
NOAUTO Option 116, length 1: Y
Client-ID Option 61, length 7: ether 00:XX:XX:XX:XX:XX
Requested-IP Option 50, length 4: 169.254.17.98
Hostname Option 12, length 11: "test"
Vendor-Class Option 60, length 8: "MSFT 5.0"
Parameter-Request Option 55, length 12:
Subnet-Mask, Domain-Name, Default-Gateway, Domain-Name-Server
Netbios-Name-Server, Netbios-Node, Netbios-Scope, Router-Discovery
Static-Route, Classless-Static-Route-Microsoft, Vendor-Option, Option 200
The DHCP server log shows nothing.
It must be a problem with the pfsense box…other VPNs / DHCP relays with different routers are working perfectly.