
DHCP Relay over Route-Based IPsec in SFOS 19 not working

I have a route-based IPsec tunnel between head office and branch. At the branch I have a network on the firewall where I want a DHCP relay that relays to a DHCP server at the head office. I need route-based (as opposed to policy-based) for OSPF.

Over 2 years later, does this still apply?

https://community.sophos.com/sophos-xg-firewall/f/discussions/122932/dhcp-relay-over-routing-based-ipsec-in-sfos-18-0-1-not-working
This thread was automatically locked due to age.
  • Yes - Route-based VPN does not support DHCP relay.

    You can use RED site-to-site or IPsec policy-based.

  • No I can't... IPsec policy-based does not work with OSPF.
    No I can't... RED can't do it... in fact RED can't do anything...

    There is a technical reason why people do things the way they do. Sophos XG supports "route-based", Sophos XG supports dhcp-relay; dhcp-relay across an xfrm interface should just work as it should.

    If that box were open, I probably would have fixed that code myself, but unfortunately that is not the case. So I am here for someone to fix a feature that is advertised but does not work.

    Sophos: Just fix that damn thing... That was reported more than 2 years ago...

  • Why can't RED resolve this one? If the peer is a UTM/SFOS appliance, it can perfectly resolve this scenario.

  • That is correct, but you did not reflect this in your initial answer. 

    You should talk to your Sales Engineer to talk about some possibilities to resolve this. 

  • SFOS advertises dhcp-relay.

    SFOS advertises route-based IPsec.

    It's a bug fix, not a feature request.

    I know that sales people don't care about that because they already label the box with "dhcp-relay" and "route-based IPsec" and that's all they care about, and now they push the dev team for more labels to put on the box, but that's just bad... Business driven by sales people delivers crappy products.

    Bug fixes should be top priority; I will file a bug report and hope for some result...

  • As it is documented to be a known limitation, it is not a bug report, but rather a limitation, which can be lifted. docs.sophos.com/.../index.html

  • Cool, when bugs are documented they become a "limitation". Problem solved...

    That's the path to a lot of features on a broken product.

    roger, out...

  • Actually, if there is a feature that is not implemented, it is a limitation, which is documented, and you cannot configure it.

    A bug would mean you can configure it and it does not work.

    This is actually on the roadmap to implement this feature in a future release. Feel free to talk to your local sales to get more insights to share.

  • So by your definition it is a bug then...

    You can set up a site-to-site route-based VPN.
    You can set up a DHCP relay that listens on a local interface, and you can put the remote DHCP server (VPN-reachable, pingable from the router) in the DHCP relay config. You can apply/save that, no warning, no error.

    It just doesn't work... bug...
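When a DHCP relay is working, the thread's "it just doesn't work" can be narrowed down with a capture on the tunnel (xfrm) interface: per RFC 2131 a relay agent rewrites the client's broadcast DISCOVER/REQUEST into a unicast toward the server, sets the `giaddr` field to the address of the interface it received the request on, and increments `hops`. If no client packets with a non-zero `giaddr` ever appear on the tunnel side, the relay is not emitting anything into the tunnel; if they appear but no `op=2` replies come back, the problem is on the return path. The script below is an added example written for this thread, not code from the original posts or from Sophos: it parses raw DHCP payloads (the bytes you would pull out of a pcap) and summarizes relayed versus unrelayed client packets and server replies. The packets it runs on are constructed inline, and the relay address `10.20.0.1` is an assumed value.

```python
import struct
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"                      # RFC 2131 magic cookie at offset 236
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header plus the option list of one DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    # ciaddr/yiaddr/siaddr/giaddr occupy fixed 4-byte slots at offsets 12..27
    ciaddr, yiaddr, siaddr, giaddr = (
        str(ipaddress.IPv4Address(payload[i:i + 4])) for i in (12, 16, 20, 24)
    )
    chaddr = payload[28:28 + hlen].hex(":")            # client hardware address
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                                  # pad option, no length byte
            i += 1
            continue
        if code == 255:                                # end option
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MESSAGE_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN")
    return {
        "op": op, "hops": hops, "xid": xid, "ciaddr": ciaddr, "yiaddr": yiaddr,
        "siaddr": siaddr, "giaddr": giaddr, "chaddr": chaddr,
        "message_type": msg_type, "relayed": giaddr != "0.0.0.0",
    }


def relay_summary(payloads) -> dict:
    """Count what a capture on the tunnel interface shows: relayed client requests
    (op=1 with giaddr set), unrelayed client requests, and server replies (op=2)."""
    counts = {"relayed_client": 0, "unrelayed_client": 0, "server_replies": 0}
    for raw in payloads:
        pkt = parse_dhcp(raw)
        if pkt["op"] == 2:
            counts["server_replies"] += 1
        elif pkt["relayed"]:
            counts["relayed_client"] += 1
        else:
            counts["unrelayed_client"] += 1
    return counts


def build_discover(mac: bytes, xid: int, giaddr: str = "0.0.0.0", hops: int = 0) -> bytes:
    """Construct a minimal DHCPDISCOVER (constructed sample data, not a real capture).
    A relay agent would set giaddr to its interface address and bump hops."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, hops, xid, 0, 0x8000)  # op=1, ethernet, broadcast flag
    header += b"\x00" * 12                                           # ciaddr, yiaddr, siaddr all zero
    header += ipaddress.IPv4Address(giaddr).packed                   # giaddr
    header += mac.ljust(16, b"\x00")                                 # chaddr
    header += b"\x00" * (64 + 128)                                   # sname, file
    options = b"\x35\x01\x01" + b"\xff"                              # option 53 = DISCOVER, then end
    return header + DHCP_MAGIC + options


if __name__ == "__main__":
    client_mac = b"\x00\x11\x22\x33\x44\x55"
    # What the relay should emit into the tunnel (giaddr = assumed branch LAN address 10.20.0.1)
    relayed = build_discover(client_mac, 0x1234, giaddr="10.20.0.1", hops=1)
    # What the client originally broadcast on the LAN
    original = build_discover(client_mac, 0x1234)
    for raw in (relayed, original):
        p = parse_dhcp(raw)
        print(f"{p['message_type']} xid={p['xid']:#x} giaddr={p['giaddr']} hops={p['hops']} relayed={p['relayed']}")
    print(relay_summary([relayed, original]))
```

Feeding this the UDP payloads from a capture taken on the xfrm interface (for example exported from tcpdump with port 67) tells you immediately which of the two legs is missing; the `xid` lets you pair a relayed request with the reply that should come back for it.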