Jun 04

Generally we want, or are required, to use the Virtual IP feature with the Stonegate VPN client. But Virtual IP needs a DHCP relay configured to give an IP address to the remote VPN client.

To clarify the situation on this topic: the way virtual addresses are granted to clients changed in version 4.2.0, and further changes were introduced in FW 4.2.6.

Below is a description that should help you configure and understand this DHCP part.

When the FW obtains a virtual IP address for a 4.2 or newer VPN client, the FW acts as a DHCP client. The DHCP request therefore comes from the FW MAC address, and the client’s MAC address is inserted in the DHCP client identifier option (DHCP option 61). DHCP option 60 (Vendor class identifier) has the value “SGFW”. The request is broadcast out of the FW interface nearest to the DHCP server. This means that the Security Gateway option “NDI for DHCP Relay” is used only when the SGW is acting as a relay, i.e. with the old VPN clients. It also means that the DHCP server needs to be in a subnet directly connected to the FW, or there needs to be a separate DHCP relay device that can forward the DHCP request from the FW to the DHCP server.
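As an added example (not code from the original post or from the Stonegate product), the following parses the options section of a DHCP message and recognises the firewall-originated virtual-IP request described above: option 60 equal to “SGFW” and option 61 carrying the VPN client’s MAC. It assumes the common RFC 2132 client-identifier encoding (hardware type 1 followed by the 6-byte MAC) and also accepts a bare 6-byte MAC; the sample packet is constructed here, so a DHCP server or packet-capture operator can use this to log which VPN client a firewall request is for.

```python
# Added example: identify SGFW virtual-IP DHCP requests from their options.
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # start of the DHCP options field


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from the options field that follows
    the fixed 236-byte DHCP header (pad = 0, end = 255)."""
    if not payload.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, len(MAGIC_COOKIE)
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return options


def sgfw_vpn_client_mac(options: dict):
    """If the options look like the firewall acting as DHCP client on behalf
    of a VPN client (vendor class 'SGFW'), return that client's MAC address
    from option 61 as a string; otherwise return None."""
    if options.get(60) != b"SGFW":
        return None
    cid = options.get(61, b"")
    if len(cid) == 7 and cid[0] == 1:   # assumed: type 1 (Ethernet) + MAC
        mac = cid[1:]
    elif len(cid) == 6:                 # assumed: bare MAC
        mac = cid
    else:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def build_sgfw_options(client_mac: str, message_type: int = 1) -> bytes:
    """Constructed sample options block (DHCPDISCOVER = 1) shaped like the
    request the firewall sends: option 53, option 60 'SGFW', option 61."""
    mac = bytes.fromhex(client_mac.replace(":", ""))
    return (MAGIC_COOKIE
            + bytes([53, 1, message_type])
            + bytes([60, 4]) + b"SGFW"
            + bytes([61, 7, 1]) + mac
            + b"\xff")
```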

Firewall/VPN version 4.2.6 removes the limitation introduced in version 4.2.0, which requires that the DHCP server used for VPN client virtual address assignment be in a network directly connected to the firewall. This enhancement is made possible by relaying the DHCP requests through the firewall’s local DHCP relay component.

Starting from Firewall/VPN version 4.2.6, the behavior is as follows. If the DHCP server is in a directly connected network, the firewall acts like previous 4.2 versions: it acts as a DHCP client and broadcasts the DHCP messages to the segment that contains the configured DHCP server. If the DHCP server is not in a directly connected network, the DHCP messages are passed to the local DHCP relay, which then sends them to the DHCP server as unicast packets, as the versions before 4.2.0 did in all cases. The NDI interface selected in the Security Gateway properties is used as the source address for the relayed DHCP messages.

There is a local configuration option to override this behavior. If the firewall node contains the file /data/config/base/force-vpn-dhcp-relay, the DHCP relay is used in all cases, even if the DHCP server is in a directly connected network. If the firewall node contains the file /data/config/base/disable-vpn-dhcp-relay, the DHCP relay is not used even if the DHCP server is not in a directly connected network. In this case the interface used to broadcast the request is selected according to the routing information for the configured “fake” DHCP server. The “fake” DHCP server can be, for example, an external relay that then relays the DHCP request to the final DHCP server.

Note also that to use the local DHCP relay there needs to be a new access rule that allows BOOTPC traffic from the firewall’s local NDI address to the firewall’s local NDI address. This rule is added by dynamic update 176 to the firewall “DHCP Relay” sub-rulebase.

Now you have all the elements needed to implement DHCP for Virtual IP in different environments. :)

written by Hokkyokuguma
