This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DHCP Relay over Routing-Based IPsec in SFOS 18.0.1 not working

On an XG 135 with SFOS 18.0.1 the DHCP relay over a Routing-Based IPsec tunnel is not working.

System traffic over the IPsec is working. Firewall authentication on the Active Directory servers behind the same IPsec tunnel is working.
Those same Active Directory servers are also the DHCP servers.

DHCP packets are received by the LAN port (can be seen both on the packet catpure and the TCPDUMP) but the traffic is not routed through the IPsec tunnel.
Packet capture reports "ACL

Firewall rule allowing any/any to DHCP servers is in place.

DHCP service of the firewall is working and firewall is providing DHCP addresses.

This thread was automatically locked due to age.

Top Replies

RickardNordahl over 4 years ago +1 verified

Hi DHCP relaying is not Supported for VTI interfaces. It's going to be on releases later on. The information is in the Video about Route based VPN. https://www.youtube.com/watch?v=o4NB1nHBOsE&ab_channel…

Parents

0 LuCar Toni over 4 years ago

DHCP Relay should not need a Firewall rule.

I remember, that DHCP Relay is not supported for VTI, but i am not 100% sure. Read something about this.

Do you have multiple DHCP Relays configured on this Appliance? If you delete all except one, is it working?

Did you tick the option "relay on IPsec"? Please disable this option and try again.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 AlexanderPoettinger over 4 years ago in reply to LuCar Toni

I have only one DHCP relay and I have tried both with activated "relay over IPsec" and without.

If DHCP relay is not supported over routing-based IPsec that would be a major deficiency.

Alexander Poettinger

Sophos Certified Architect - XG
Sophos Certified Technician - XG
Sophos Certified Engineer - UTM

xame gmbh
Sophos Gold Partner
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 4 years ago in reply to AlexanderPoettinger

Depends on the setup.

You could easily switch to RED Site to Site and use this setup for DHCP Relay until this is supported.

Another question would be, which routing do you use, PBR or static?

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 AlexanderPoettinger over 4 years ago in reply to LuCar Toni

Static. Works much more reliably than SD-WAN.
Especially if there is only one line and one IPsec and only a handful of networks.
RED works with SSL VPN not IPsec.
The routing-based VPN is far too efficient in that any change in routings do not need a restart of the VPN, while both policy-based IPsec and RED need a restart after any change.

Alexander Poettinger

Sophos Certified Architect - XG
Sophos Certified Technician - XG
Sophos Certified Engineer - UTM

xame gmbh
Sophos Gold Partner
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 4 years ago in reply to AlexanderPoettinger

RED should interact like VTI from this perspective. As you do not have any routing information at all. You have a VTI (RED) and thats it. Routing will be take place in the routing stack, so no restart should be needed to propagate new networks etc.

Policy based is correct, thats the old fashion way (Remote / Local network).

It depends on the performance and the bandwidth of both appliances. Most likely you cannot hit the hardware limitation with a RED tunnel.

To get back to this issue. XG has a Flood prevention for DHCP Relay to avoid problems with "too many relays". It will try to reach the DHCP Server several times, if no reply comes back, it stops and drop the DHCP requests for this DHCP server.

So the question is, do you see any DHCP Relay requests on the VTI outbound? if you use the tcpdump on the xfrm interface?

Do you see any traffic on the other End?

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 AlexanderPoettinger over 4 years ago in reply to LuCar Toni

Both with TCPDUMP and Packet Capture I can see only the incoming packets on port 68 UDP on the LAN port. No outgoing traffic. The packets are blocked by the firewall witn an "ACL exeption"

Alexander Poettinger

Sophos Certified Architect - XG
Sophos Certified Technician - XG
Sophos Certified Engineer - UTM

xame gmbh
Sophos Gold Partner
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 4 years ago in reply to AlexanderPoettinger

Does your setup work with a RED Interface or not? Same configuration only switching the XFRM with a RED Interface?

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 AlexanderPoettinger over 4 years ago in reply to LuCar Toni

Cannot so easily test as the device is now productive. Have for the moment used a local DHCP server.

Alexander Poettinger

Sophos Certified Architect - XG
Sophos Certified Technician - XG
Sophos Certified Engineer - UTM

xame gmbh
Sophos Gold Partner
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 AlexanderPoettinger over 4 years ago in reply to LuCar Toni

Cannot so easily test as the device is now productive. Have for the moment used a local DHCP server.

Alexander Poettinger

Sophos Certified Architect - XG
Sophos Certified Technician - XG
Sophos Certified Engineer - UTM

xame gmbh
Sophos Gold Partner
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data