DHCP Relay over Routing-Based IPsec in SFOS 18.0.1 not working

On an XG 135 with SFOS 18.0.1 the DHCP relay over a Routing-Based IPsec tunnel is not working.

System traffic over the IPsec is working. Firewall authentication on the Active Directory servers behind the same IPsec tunnel is working.
Those same Active Directory servers are also the DHCP servers.

DHCP packets are received by the LAN port (can be seen both on the packet capture and the TCPDUMP) but the traffic is not routed through the IPsec tunnel.
Packet capture reports "ACL 

Firewall rule allowing any/any to DHCP servers is in place.

DHCP service of the firewall is working and firewall is providing DHCP addresses.



  • Static. Works much more reliably than SD-WAN.
    Especially if there is only one line and one IPsec and only a handful of networks.
    RED works with SSL VPN not IPsec.
    The routing-based VPN is far too efficient in that any change in routing does not need a restart of the VPN, while both policy-based IPsec and RED need a restart after any change.

  • RED should interact like VTI from this perspective. As you do not have any routing information at all. You have a VTI (RED) and that's it. Routing will take place in the routing stack, so no restart should be needed to propagate new networks etc.

    Policy based is correct, that's the old-fashioned way (Remote / Local network).

    It depends on the performance and the bandwidth of both appliances. Most likely you cannot hit the hardware limitation with a RED tunnel.

    To get back to this issue. XG has a Flood prevention for DHCP Relay to avoid problems with "too many relays". It will try to reach the DHCP Server several times; if no reply comes back, it stops and drops the DHCP requests for this DHCP server.

    So the question is, do you see any DHCP Relay requests outbound on the VTI when you use tcpdump on the xfrm interface?

    Do you see any traffic on the other end?
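
One way to answer the two questions in this reply (does anything leave the VTI, and does anything come back), as an added example that is not part of this thread or of Sophos' tooling: a Python script that tallies tcpdump text output by interface and direction and says where the relay path stops. The interface names Port1 (LAN) and xfrm1 (route-based IPsec VTI) and the capture lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the style of `tcpdump -i any -nn udp port 67 or udp port 68`
# (tcpdump 4.99+ prints the interface and In/Out direction when capturing on "any").
# The interface names Port1 (LAN) and xfrm1 (route-based IPsec VTI) are assumptions.
CAPTURE_STUCK = """\
10:01:02.100001 Port1 In  IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
10:01:02.100321 Port1 In  IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:66, length 300
10:01:06.200011 Port1 In  IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
"""

# Constructed sample of a working relay: request in on LAN, relayed out via xfrm1, reply back.
CAPTURE_OK = """\
10:02:00.000001 Port1 In  IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
10:02:00.000250 xfrm1 Out IP 10.0.1.1.67 > 10.0.2.10.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
10:02:00.010000 xfrm1 In  IP 10.0.2.10.67 > 10.0.1.1.67: BOOTP/DHCP, Reply, length 300
"""

LINE_RE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"BOOTP/DHCP,\s+(?P<kind>Request|Reply)"
)


def count_dhcp(capture):
    """Tally BOOTP/DHCP packets by (interface, direction, Request|Reply)."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[(m["iface"], m["dir"], m["kind"])] += 1
    return counts


def relay_verdict(capture, lan_iface="Port1", tunnel_iface="xfrm1"):
    """Classify where the relay path breaks, following the thread's two questions."""
    c = count_dhcp(capture)
    if c[(lan_iface, "In", "Request")] == 0:
        return "no client requests on LAN"
    if c[(tunnel_iface, "Out", "Request")] == 0:
        return "relay not forwarding"   # seen on LAN, nothing leaves the VTI: check the firewall/ACL verdict
    if c[(tunnel_iface, "In", "Reply")] == 0:
        return "forwarded but unanswered"  # server side silent: flood prevention may suspend this server
    return "relay healthy"
```

Feed it the saved text of a capture taken with `-i any` so both the LAN port and the xfrm interface appear in one run.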

  • Both with TCPDUMP and Packet Capture I can see only the incoming packets on port 68 UDP on the LAN port. No outgoing traffic. The packets are blocked by the firewall with an "ACL exception".

  • Does your setup work with a RED Interface or not? Same configuration, only switching the XFRM with a RED Interface?

  • Cannot so easily test as the device is now in production. Have for the moment used a local DHCP server.