This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sentinel, ASL, and DHCP.

I am having a bit of a problem in the logic on how to build a rule which will allow the SSH Sentinel to do a DHCP Query so he can get a virtual IP Address.

Basically I only want a DHCP Query to be accepted after the negotiation of the SAs and ESP is established.

Since my Roadwarrior is Dynamic, I have to start with the ---> err... ANY rule, and I dont want that either.

an ANY -> DHCP -> Internal-Network -> Allow is not a good idea.

one more thing. my DHCP server is NOT on the ASL.

Nice would be if you could base rules on the X509 Certs themselves.

Ideas?

This thread was automatically locked due to age.

Parents

0 Gert Hansen over 23 years ago

Hi Timor,

this is not possible at the moment.
What you are talking about is DHCP over IPSec.

There are several drafts available how to implement that.

DHCP uses broadcasts to find the DHCP Server.
Broadcasts are not routed through the network, only bridged.

You can not bridge traffic through an IPSec tunnel, you have to route it, that is why it does not work.

Even if that worked, also ASL must bridge or forward DHCP request to the correct server.

This is also not implemented yet.

What do you need that for?

kind regards
Gert
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Gert Hansen over 23 years ago

Hi Timor,

this is not possible at the moment.
What you are talking about is DHCP over IPSec.

There are several drafts available how to implement that.

DHCP uses broadcasts to find the DHCP Server.
Broadcasts are not routed through the network, only bridged.

You can not bridge traffic through an IPSec tunnel, you have to route it, that is why it does not work.

Even if that worked, also ASL must bridge or forward DHCP request to the correct server.

This is also not implemented yet.

What do you need that for?

kind regards
Gert
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data