"You don't do DHCP for IPSEC-Clients."… Hoba.... But....



  • …can you do it for an IPsec tunnel?

    How would you do it? Just turn off the DHCP server on the remote location? Hmmmm....

    Thanks!



  • I read through this:
    http://forum.pfsense.org/index.php/topic,6932.0.html
    and this:
    http://doc.pfsense.org/index.php/Why_can't_I_query_SNMP%2C_use_syslog%2C_NTP%2C_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

    But it didn't work…

    I'm not clear either on the DHCP relay: should I be putting the local IP or the public IP of my DHCP server? Note, the DHCP server is NOT PF.



  • I can't get this to work….

    ...am I like forging new territory here? Has anyone gotten this to work?

    I'm open to ideas...

    Thanks.



  • Don't take anything I write at face value, since I'm not really familiar with IPsec.

    As far as I understand it:

    You have your local subnet.

    Then you have your remote subnet. The remote subnet just is, whether its hosts are static or get their IP from a remote DHCP.

    You define what the subnet on the other side of the tunnel is.
    Whatever has a destination in this remote subnet gets transmitted to the other side.

    I don't really understand what your question is:
    you're not saying anything about what you're trying to achieve, what you've done so far, what the problem is…



  • I'm trying to do DHCP over IPsec.

    …I understand you can't do DHCP for a mobile client. But can you do it for a static IPsec Tunnel?

    I have the ipsec tunnel working, but now I want the DHCP server (that is not on the main PF firewall, but behind it, Fedora 8 DHCP) to serve IPs to the remote IPsec PF.

    Last night I tried turning off the Fedora 8 DHCP and using the main PF DHCP, but it made no difference.

    To illustrate:
    Users ---- Fedora 8 DHCP ---- PF (main) ---- internet (Static IPsec Tunnel) ---- PF (remote) ---- Users

    I want the DHCP to serve ALL users on both ends of the tunnel.

    My main question is:

    • How would you do it? Is it even possible? I know it's possible with some routers/firewalls, but can PF do it?
      Secondary questions, if it IS possible:
    • I understand I have to activate the DHCP relay on the remote PF, but do I enter the public or private IP of the Fedora DHCP server, since it isn't the main PF?
    • Is there any other settings I need for DHCP relay?
    • If and/or when I setup the static route on the main PF, if I understand correctly, I enter the local (192) ips for the subnets, correct?
    • Is there any firewall rules I need to add?

    Thanks!



  • I'd look at Services|DHCP relay
    That's what it's there for, usually.
    I can't check it ATM since all my pfSense installs use the DHCP server. The relay function is disabled then.



  • Can anyone help me…?

    Thanks.



  • @NoDoze:

    To illustrate:
    Users ---- Fedora 8 DHCP ---- PF (main) ---- internet (Static IPsec Tunnel) ---- PF (remote) ---- Users

    I want the DHCP to serve ALL users on both ends of the tunnel.

    My main question is:

    • I understand I have to activate the DHCP relay on the remote PF, but do I enter the public or private IP of the Fedora DHCP server, since it isn't the main PF?
    • Is there any other settings I need for DHCP relay?
    • If and/or when I setup the static route on the main PF, if I understand correctly, I enter the local (192) ips for the subnets, correct?
    • Is there any firewall rules I need to add?

    Thanks!

    Does the Fedora DHCP server have two interfaces and does it provide DHCP service on both of them? Pretty weird, but let us assume it does.
    In the DHCP relay settings of the remote PF, put the IP address of the right side of your Fedora server (according to your diagram).
    No static routes.
    Yes, when IPsec is active there is a separate tab for the IPsec interface; add rules there.
    I am not sure it will work, but there is no harm in trying.

    Regards,



  • Nope…the Fedora only has a single nic. I'm assuming you're saying to put the local IP of the fedora?

    In the system logs on the remote PF, I see the DHCP request on port 67, so I opened the port on the WAN via WAN rules...but it still seems to make no difference...

    In the IPsec rules I have everything open... or is that the wrong thing to do? Should it just be LAN Subnet?



  • Ok…so now I'm trying to look at this from a different view...

    The ipsec is connected. DHCP off, DHCP relay on pointed to the fedora.
    The user behind the remote PF still isn't getting a DHCP address from the fedora.
    SO...I figured, well, we should be able to at least assign a static IP to the remote user, with the main PF as the gateway and DNS, correct?
    BUT this too doesn't work...(at least I don't think it does...not quite sure what would be the gateway and what would be the DNS for a static user over an IPsec tunnel...hehe)
    SO...if I can't get DHCP over an IPsec tunnel AND I can't get a static IP over an IPsec tunnel...that would lead me to think that either it DOES need a static route, OR there is a firewall rule I'm missing...
    Is my conclusion correct? Am I thinking correctly?

    Any ideas?

    Thanks.



  • Hmmm….well, I did a lot of reading online today...and one of the things mentioned via Google was to add the remote subnet to the DHCP server so it knows to host it.

    If that's the case, then I don't think this would work with a main PF DHCP server, because PF doesn't allow you to specify multiple subnets to host. Makes me glad I set up our DHCP on a separate server...

    ...I will give this a try asap...

    ...the main reason I set up the DHCP on a separate server is because the response time in assigning an IP was much, much faster being separate. AND if the router were to go offline, the end users could still navigate the local network and save files.
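The "add the remote subnet to the DHCP server" finding above is the crux of relayed DHCP, and the earlier question of which server address to enter in the relay follows from the same mechanism. The following is an added example, not code from the thread, pfSense or ISC dhcpd: a small Python model of one DHCPDISCOVER/DHCPOFFER exchange through a relay agent. The relay stamps the BOOTP giaddr field with the address of the LAN interface the request arrived on (RFC 1542) and unicasts to the server; the server chooses its scope from giaddr (RFC 2131 4.3.1), so with no scope declared for the remote subnet it stays silent, and when it does answer it sends the OFFER back to giaddr on port 67, i.e. to the relay's private LAN address through the tunnel. That is also why the server address configured on the relay has to be the private one: only traffic between the tunnel's private subnets is carried by the IPsec phase 2. The addresses (192.168.1.10 for the Fedora server, 192.168.2.1 for the remote pfSense LAN) and the MAC address are constructed for the example.

```python
import ipaddress
import struct

# Fixed 236-byte BOOTP header (RFC 951) followed by the DHCP magic cookie and TLV options (RFC 2131).
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
ZERO4 = b"\x00" * 4


def build_discover(client_mac: bytes, xid: int) -> bytes:
    """DHCPDISCOVER as the client broadcasts it: giaddr is still 0.0.0.0."""
    header = struct.pack(
        BOOTP_FMT,
        BOOTREQUEST, 1, 6, 0,            # op, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,                  # xid, secs, flags (broadcast bit)
        ZERO4, ZERO4, ZERO4, ZERO4,      # ciaddr, yiaddr, siaddr, giaddr
        client_mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128,
    )
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])


def parse_bootp(pkt: bytes) -> dict:
    """Unpack the header fields we care about plus the options as {code: value}."""
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                  # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "yiaddr": ipaddress.IPv4Address(f[8]),
            "giaddr": ipaddress.IPv4Address(f[10]),
            "chaddr": f[11][:f[2]], "options": opts}


def relay_to_server(pkt: bytes, relay_ip: str, server_ip: str):
    """Relay agent behaviour (RFC 1542): if giaddr is zero, set it to the address of the
    interface the request came in on, bump hops, unicast to the server. The relay's own
    source address must lie inside the tunnel's phase 2 selector or it never enters IPsec."""
    giaddr = pkt[24:28]                  # giaddr lives at offset 24..28 of the header
    if giaddr == ZERO4:
        giaddr = ipaddress.IPv4Address(relay_ip).packed
    pkt = pkt[:3] + bytes([pkt[3] + 1]) + pkt[4:24] + giaddr + pkt[28:]
    return (relay_ip, server_ip), pkt


class DhcpServer:
    """Just enough of a DHCP server to show scope selection and the OFFER."""

    def __init__(self, server_ip: str, scopes: dict):
        # scopes: {"cidr": ("first_lease", "last_lease")}. A request relayed from a
        # subnet with no scope here gets no answer at all, which is what the thread saw.
        self.server_ip = ipaddress.IPv4Address(server_ip)
        self.pools = {}
        for cidr, (first, last) in scopes.items():
            lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
            self.pools[ipaddress.IPv4Network(cidr)] = [ipaddress.IPv4Address(a) for a in range(lo, hi + 1)]

    def select_scope(self, giaddr):
        # RFC 2131 4.3.1: non-zero giaddr -> the scope containing giaddr, not the
        # subnet the packet physically arrived on.
        key = giaddr if int(giaddr) else self.server_ip
        return next((net for net in self.pools if key in net), None)

    def handle(self, pkt: bytes):
        """Return (destination_ip, DHCPOFFER) or None when the request is ignored."""
        msg = parse_bootp(pkt)
        if msg["op"] != BOOTREQUEST or msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
            return None
        net = self.select_scope(msg["giaddr"])
        if net is None or not self.pools[net]:
            return None                  # unknown scope or empty pool: silent drop
        yiaddr = self.pools[net].pop(0)
        # With giaddr set, the OFFER is unicast to the relay on port 67, so the server (or its
        # gateway, the main pfSense) needs a route to the relay's LAN address via the tunnel.
        dst = msg["giaddr"] if int(msg["giaddr"]) else ipaddress.IPv4Address("255.255.255.255")
        header = bytes([BOOTREPLY]) + pkt[1:16] + yiaddr.packed + self.server_ip.packed + pkt[24:236]
        options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4])
                   + self.server_ip.packed + bytes([OPT_END]))
        return str(dst), header + MAGIC_COOKIE + options


def offer_for_remote_client(declared_scopes: dict, relay_ip="192.168.2.1", server_ip="192.168.1.10"):
    """One exchange: remote client -> relay -> server. Returns (reply destination, offered
    address) or None when the server stays silent."""
    server = DhcpServer(server_ip, declared_scopes)
    discover = build_discover(bytes.fromhex("001122334455"), xid=0x1234)  # constructed MAC
    _, relayed = relay_to_server(discover, relay_ip, server_ip)
    reply = server.handle(relayed)
    if reply is None:
        return None
    dst, offer = reply
    return dst, str(parse_bootp(offer)["yiaddr"])


# Constructed topology (assumed addresses, not from the thread): Fedora DHCP 192.168.1.10 on the
# main LAN, remote pfSense LAN 192.168.2.1 running the relay, remote users in 192.168.2.0/24.
MAIN_ONLY = {"192.168.1.0/24": ("192.168.1.100", "192.168.1.199")}
BOTH_SITES = {**MAIN_ONLY, "192.168.2.0/24": ("192.168.2.100", "192.168.2.199")}

if __name__ == "__main__":
    print("server knows only the main LAN:", offer_for_remote_client(MAIN_ONLY))
    print("server knows both LANs:        ", offer_for_remote_client(BOTH_SITES))
```

Run it and the first case returns None while the second returns the relay's address and a lease from the remote pool. Two things follow for the real setup: the Fedora server needs a subnet declaration for the remote LAN, and the OFFER is a unicast from the server to the relay's private address, so the firewall rules on the IPsec tab must admit UDP 67 in that direction and the server's route to 192.168.2.0/24 must end up in the tunnel.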



  • ok, PF didn't like that… had to reboot PF to get it working again... I'm pretty sure it's a PF setting...



  • Hmmm….I've been reading up about OpenVPN...OpenVPN bridge? Sounds similar to what I'm looking for, correct?

    Perhaps I should give this a try...?

    Thanks!



  • So I guess there is no way possible to get DHCP over IPsec, huh?

    I haven't had any success with OpenVPN either…seems much more complicated.

    Seems like a dead end.

    ??? ::) :-[ :'(

