How to configure BootP/DHCP Relay with IPSO/Gaia and Security Gateway

Solution ID: sk41515
Product: Security Gateway, IPSec VPN
Version: R70, R71, R75, R75.40, R76, R77, R77.10
OS: Gaia, IPSO 6.2
Date Created: 19-Apr-2009
Last Modified: 13-Feb-2014
Solution

Table of Contents:

  • Configuring IPSO OS
  • Configuring Gaia OS
  • Configuring the Security Gateway
  • Allowing DHCP relay traffic to cross a VPN tunnel

Configuring IPSO OS

  1. To configure the BootP/DHCP Relay Agent, select 'Configuration > Router Services > BOOTP/DHCP Relay' on the main Configuration menu.

  2. Turn on the interfaces that will need to be listening for the BootP or DHCP packets and click "Apply".

  3. Enter the address of the BootP or DHCP server into the New Server field and click "Apply".

  4. Be sure to set the Wait Time to "0". The IPSO platform is attempting to allow a local BootP/DHCP server to respond to the initial broadcast by waiting until the client increments its Elapsed Time value to "3". Some implementations of DHCP, most commonly Microsoft's, do not increment this value until after an address has been leased. As a result, the Wait Time on the IPSO platform must be set to "0" to allow interoperability.

  5. If multiple IP addresses have been defined for a particular interface, IPSO will use the numerically lowest IP address bound to that interface as the Source IP address of any BootP/DHCP Packets sent from that interface.

  6. Using the Primary IP address field, the administrator can define the use of some other address that is bound to that interface. For example, in Fig. 1, if multiple addresses have been defined for the internal interface int.if, the administrator can define the address to be used as the source for BootP/DHCP transmission to "Client". Traffic between the external interface ext.if and the server will use an address bound to ext.if.

Configuring Gaia OS

  1. To configure the BootP/DHCP Relay Agent, select 'Advanced Routing > DHCP Relay' on the main Configuration menu.

  2. Add interfaces that will need to be listening for the BootP or DHCP packets and click "Apply".

  3. Enter the address of the BootP or DHCP server into the New Server field and click "Apply".

  4. Be sure to set the Wait Time to "0", for the same reason described above in the "Configuring IPSO OS" section.

  5. If multiple IP addresses have been defined for a particular interface, Gaia will use the numerically lowest IP address bound to that interface as the Source IP address of any BootP/DHCP Packets sent from that interface.

  6. Similar to IPSO, the administrator can define the use of some other address that is bound to that interface. For example, in Fig. 1, if multiple addresses have been defined for the internal interface int.if, the administrator can define the address to be used as the source for BootP/DHCP transmission to "Client". Traffic between the external interface ext.if and the server will use an address bound to ext.if.

Fig 1:

Client --- (int.if) [ GW ] (ext.if) ---- DHCP Server

Related solution: sk97642 (Troubleshooting DHCP Relay Issues).
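As an added illustration (not Check Point code and not the IPSO/Gaia implementation), the following Python models the Wait Time and source-address rules from steps 4 to 6 of both sections: a client whose Elapsed Time stays at 0 is never relayed while Wait Time is 3, and the relayed request carries the chosen interface address (numerically lowest, or the configured Primary IP address) in giaddr. The interface addresses and the DHCPDISCOVER header are constructed sample data.

```python
import ipaddress
import struct

# Fixed BOOTP header through giaddr (RFC 951 / RFC 2131 section 2):
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s")
BOOTREQUEST = 1
ZERO_IP = b"\x00" * 4


def parse_bootp(pkt: bytes) -> dict:
    """Decode the header fields this example needs from a BOOTP/DHCP message."""
    f = BOOTP_HDR.unpack_from(pkt)
    return {"op": f[0], "hops": f[3], "xid": f[4], "secs": f[5],
            "giaddr": str(ipaddress.IPv4Address(f[10]))}


def choose_relay_source(interface_addrs, primary=None) -> str:
    """Address stamped into giaddr and used as source IP of the relayed packet.
    Article rule: the numerically lowest address bound to the interface, unless
    the administrator configured a Primary IP address bound to that interface."""
    addrs = [ipaddress.IPv4Address(a) for a in interface_addrs]
    if primary is not None:
        if ipaddress.IPv4Address(primary) not in addrs:
            raise ValueError("Primary IP address is not bound to this interface")
        return primary
    return str(min(addrs))


def relay(pkt: bytes, wait_time: int, interface_addrs, primary=None):
    """Return the relayed request, or None while the agent holds the packet so a
    local server can answer first (client Elapsed Time 'secs' < Wait Time)."""
    fields = list(BOOTP_HDR.unpack_from(pkt))
    if fields[0] != BOOTREQUEST or fields[5] < wait_time:
        return None
    fields[3] += 1                  # hops: one more relay agent in the path
    if fields[10] == ZERO_IP:       # giaddr still empty: we are the first relay
        src = choose_relay_source(interface_addrs, primary)
        fields[10] = ipaddress.IPv4Address(src).packed
    return BOOTP_HDR.pack(*fields) + pkt[BOOTP_HDR.size:]


def make_discover(secs: int) -> bytes:
    """Constructed client DHCPDISCOVER header (sample data, not a capture):
    BOOTREQUEST over Ethernet, fixed xid, the given Elapsed Time, all address
    fields zero, followed by a zeroed 16-byte chaddr."""
    return BOOTP_HDR.pack(BOOTREQUEST, 1, 6, 0, 0x3903F326, secs, 0,
                          ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP) + b"\x00" * 16
```

With `relay(make_discover(0), 3, ...)` the request is held indefinitely, which is the interoperability failure the article attributes to clients that do not increment Elapsed Time; with Wait Time 0 the same request is relayed on the first broadcast.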

Configuring the Security Gateway

Configuring a Security Gateway to pass configuration packets, for example DHCP, requires the opening of large "security holes" in your Security Gateway. Security Gateways were designed to sit at the exterior of the network and to protect the inside from the outside. The Security Gateway blocks or ignores packets with a source of 0.0.0.0, a reasonable decision given the original considerations. BootP, however, requires that packets be sent with a source of 0.0.0.0.

  1. You will need to create a rule that accepts packets going to the 255.255.255.255 address. A workstation object with IP address 255.255.255.255 will accomplish this. The source must be 'ANY', as specifically creating an object with the address 0.0.0.0 does not work.

  2. The Security Gateway must also have a rule that permits traffic coming from the DHCP server going to the Security Gateway's interface: DHCP relay traffic uses both a source and destination port of 67. When you use the service "dhcp-req-localmodule", DHCP relay traffic is dropped due to port mismatch. This is expected behavior by design. Please refer to sk39529. You have to use the service "dhcp-relay" or "bootp" to allow DHCP relay traffic.

     Remember that in the example of Fig. 1, the gateway will send packets to the DHCP server that have the source address of ext.if. The replies will be sent to ext.if. The rule which accepts this traffic must be located before the stealth rule.

Allowing DHCP relay traffic to cross a VPN tunnel

  1. To allow the DHCP relay traffic to cross the VPN tunnel, the relay agent Security Gateway must be included in the encryption domain. However, one should consider using a dedicated DHCP relay agent inside the Security Gateway, rather than using the Security Gateway itself to relay the DHCP traffic.

  2. To get the relayed traffic to work, create a group object. Include the internal subnet object(s) as well as the Security Gateway object. This group will serve as both the encryption domain of the Security Gateway, as well as the SRC or DST object of the relevant Encrypt rules. If the relayed traffic was passing the Security Gateway before, it should now be encrypted. As you design your other rules, remember that the external interface of the Security Gateway will be the SRC IP address of the relayed DHCP packet.

Related Solution(s):
sk26154: How to configure DHCP Relay for a VLAN interface on SecurePlatform


Imported from Nokia support database