Skip to main content
A
Anonymous_User
Contributor
July 3, 2009
Question

DHCP over ipsec not working

  • July 3, 2009
  • 13 replies
  • 8365 views
Hello. I' m a newbie on fortigate (used to ZyWall). I have a Fortigate 80C (os 4 build 5025), connected to the DMZ of my ZyWall. The Zywall routes all incoming vpn calls to the Fortigate. The wan1 interface has ip 10.27.2.3/255.255.255.0 The internal interface has ip 10.27.1.3/255.255.255.0 I created a dhcp server on wan1 interface. config system dhcp server edit " company_dhcp_clients" set dns-server1 10.27.1.50 set domain " company.se" set interface " wan1" set netmask 255.255.255.0 set server-type ipsec set end-ip 10.27.3.50 set ipsec-lease-hold 0 set start-ip 10.27.3.2 next end I created 3 addresses in the firewall edit " Internal net" set associated-interface " internal" set subnet 10.27.1.0 255.255.255.0 next edit " wan1" set associated-interface " wan1" set subnet 10.27.2.3 255.255.255.255 next edit " company_remote_pc_dhcp_range" set associated-interface " wan1" set subnet 10.27.3.0 255.255.255.0 next I authenticate the users through a radius server config user radius edit " jabba" set secret ENC <some funny password> set server " 10.27.1.53" next end that server is then a member of a group config user group edit " FSAE_Guest_Users" set group-type directory-service next edit " iVpn" set member " jabba" next end ipsec P1. config vpn ipsec phase1 edit " company_employee" set type dynamic set interface " wan1" set dpd disable set proposal des-md5 set xauthtype pap set mode aggressive set psksecret ENC <another funny password> set authusrgrp " iVpn" next end ipsec P2. config vpn ipsec phase2 edit " company_remote_pc" set phase1name " company_employee" set proposal des-md5 set dhcp-ipsec enable next end I made 2 policies. One to handle dhcp requests (id 2) and one to handle the traffic (id 3). config firewall policy edit 3 set srcintf " internal" set dstintf " wan1" set srcaddr " Internal net" set dstaddr " iNovacia_remote_pc_dhcp_range" set action ipsec set schedule " always" set service " ANY" set inbound enable set outbound enable set natinbound enable set vpntunnel " iNovacia_employee" next edit 2 set srcintf " wan1" set dstintf " wan1" set srcaddr " wan1" set dstaddr " all" set action ipsec set schedule " always" set service " DHCP" set inbound enable set outbound enable set vpntunnel " iNovacia_employee" next end Default router for internal network is the Zywall, there is a static route for 10.27.3.0/255.255.255.0 -> 10.27.1.3 Now to the problems. 1: To be able to have the vpn tunnel not going down, I cannot use DPD. Anyone knows why ? 2: And this is the biggest problem. On the FortiClient (4.0.2.57), if I specify " Acquire virtual IP address" and in the config I hardcode one address from the subnet I created in the dhcp (10.27.3.0) the tunnel comes up and everything works. But if I configure " DHCP over IPSec" , the client comes up, get one address from the dhcp server and then closes the tunnel. Can anyone shed some light on what I am missing for the DHCP over IPSec to work ? Thanks, Micke

    13 replies

    laf
    laf
    New Member
    July 3, 2009
    First of all assign another IP range for the DHCP clients. Second paste some errors you see on FortiClient or on Fortigate ;).
    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    July 3, 2009
    a) for me it looks like the wan1 IP is a /32, so there is no room for the Zywall router. You didn' t mention his IP but it has to be on the 192.168.3.0/24 network. Pls Fix that and test again. b) I cannot see anything being wrong with the DHCP IP range. In my installations I use an IP range from the interface' s network, ie. - interface IP is 192.168.86.1/24 - DHCP range is 192.168.86.20-99/24 - DHCP gateway is the interface, .1 so clients do not have to arp for the gateway. This does not need a route either because the FGT knows the network as being " connected" (look into Router/Monitor). Ede
    A
    Anonymous_UserAuthor
    Contributor
    July 3, 2009
    Assigning another ip range: I changed the dhcp to release in the range of 10.27.30.2 - 10.27.30.50 But the same thing happens. Here is the output from debug # diag debug en # diag debug console timestamp en # diag debug app dhcps 7 # diag debug app ike 1 2009-07-03 14:15:24 [warn]got an interrupt 2009-07-03 14:15:36 [warn]Can' t locate subnet in shared network of packet and packet is not a DHCPREQUEST and htype(1) != intf htype(1)..dropping 2009-07-03 14:15:38 [warn]sck_receive_packet(): ioctl SIOCFWSESSION failed 2009-07-03 14:15:38 [note]DHCPDISCOVER from 00:09:6b:c2:b5:2e via wan1(IPSEC) 2009-07-03 14:15:39 [note]DHCPOFFER on 10.27.3.2 to 00:09:6b:c2:b5:2e via wan1(IPSEC) 2009-07-03 14:15:39 [note]DHCPREQUEST for 10.27.3.2 from 00:09:6b:c2:b5:2e via wan1(IPSEC) 2009-07-03 14:15:39 [note]DHCPACK on 10.27.3.2 to 00:09:6b:c2:b5:2e via wan1(IPSEC) 2009-07-03 14:15:40 0: no existing connection matching 90.227.126.130:1442->10.27.2.3 4 cookie 28ed7c77b4c03ea5/16c618edbf175a91:ec688340 exchange-type Informational 2009-07-03 14:15:40 0: no existing connection matching 90.227.126.130:1442->10.27.2.3 4 cookie 28ed7c77b4c03ea5/16c618edbf175a91:963a5729 exchange-type Quick 2009-07-03 14:15:45 [warn]Can' t locate subnet in shared network of packet and packet is not a DHCPREQUEST and htype(1) != intf htype(1)..dropping 2009-07-03 14:15:45 [warn]start dumping leases 2009-07-03 14:15:45 [warn]finished dumping dynamic ipmacs 2009-07-03 14:15:45 [warn]finished dumping all leases 2009-07-03 14:15:45 [warn]finish dumping 2009-07-03 14:15:50 0: no existing connection matching 90.227.126.130:1442->10.27.2.3 4 cookie 28ed7c77b4c03ea5/16c618edbf175a91:963a5729 exchange-type Quick 2009-07-03 14:15:55 0: no existing connection matching 90.227.126.130:1442->10.27.2.3 4 cookie 28ed7c77b4c03ea5/16c618edbf175a91:963a5729 exchange-type Quick 2009-07-03 14:15:59 [warn]Can' t locate subnet in shared network of packet and packet is not a DHCPREQUEST and htype(1) != intf htype(1)..dropping 2009-07-03 14:16:00 0: no existing connection matching 90.227.126.130:1442->10.27.2.3 4 cookie 28ed7c77b4c03ea5/16c618edbf175a91:963a5729 exchange-type Quick 2009-07-03 14:16:05 0: no existing connection matching 90.227.126.130:1442->10.27.2.3 4 cookie 28ed7c77b4c03ea5/16c618edbf175a91:963a5729 exchange-type Quick 2009-07-03 14:16:10 0: no existing connection matching 90.227.126.130:1442->10.27.2.3 4 cookie 28ed7c77b4c03ea5/16c618edbf175a91:963a5729 exchange-type Quick 2009-07-03 14:16:15 0: no existing connection matching 90.227.126.130:1442->10.27.2.3 4 cookie 28ed7c77b4c03ea5/16c618edbf175a91:963a5729 exchange-type Quick 2009-07-03 14:16:20 0: no existing connection matching 90.227.126.130:1442->10.27.2.3 4 cookie 28ed7c77b4c03ea5/16c618edbf175a91:963a5729 exchange-type Quick 2009-07-03 14:16:24 [warn]got an interrupt 2009-07-03 14:16:25 0: no existing connection matching 90.227.126.130:1442->10.27.2.3 4 cookie 28ed7c77b4c03ea5/16c618edbf175a91:963a5729 exchange-type Quick 2009-07-03 14:16:30 0: no existing connection matching 90.227.126.130:1442->10.27.2.3 4 cookie 28ed7c77b4c03ea5/16c618edbf175a91:963a5729 exchange-type Quick 2009-07-03 14:16:30 0: no existing connection matching 90.227.126.130:1442->10.27.2.3 4 cookie 28ed7c77b4c03ea5/16c618edbf175a91:5766c6a7 exchange-type Informational 2009-07-03 14:16:40 [warn]Can' t locate subnet in shared network of packet and packet is not a DHCPREQUEST and htype(1) != intf htype(1)..dropping 2009-07-03 14:16:50 [warn]start dumping leases 2009-07-03 14:16:50 [warn]finished dumping dynamic ipmacs 2009-07-03 14:16:50 [warn]finished dumping all leases 2009-07-03 14:16:50 [warn]finish dumping ipconfig /all on pc before tunnel. C:\>ipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : JANGO Primary Dns Suffix . . . . . . . : Node Type . . . . . . . . . . . . : Unknown IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : Belkin Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : Belkin Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connecti on Physical Address. . . . . . . . . : 00-09-6B-C2-B5-2E Dhcp Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IP Address. . . . . . . . . . . . : 192.168.2.3 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.2.1 DHCP Server . . . . . . . . . . . : 192.168.2.1 DNS Servers . . . . . . . . . . . : 192.168.2.1 195.67.199.15 195.67.199.16 195.67.199.17 Lease Obtained. . . . . . . . . . : den 3 juli 2009 08:59:12 Lease Expires . . . . . . . . . . : den 4 juli 2009 08:59:12 After tunnel (or whatever state it is). C:\>ipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : JANGO Primary Dns Suffix . . . . . . . : Node Type . . . . . . . . . . . . : Unknown IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : Belkin inovacia.se Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : Belkin Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connecti on Physical Address. . . . . . . . . : 00-09-6B-C2-B5-2E Dhcp Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IP Address. . . . . . . . . . . . : 192.168.2.3 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.2.1 DHCP Server . . . . . . . . . . . : 192.168.2.1 DNS Servers . . . . . . . . . . . : 10.27.1.50 192.168.2.1 195.67.199.15 195.67.199.16 195.67.199.17 Lease Obtained. . . . . . . . . . : den 3 juli 2009 08:59:12 Lease Expires . . . . . . . . . . : den 4 juli 2009 08:59:12 Ethernet adapter Local Area Connection 7: Connection-specific DNS Suffix . : company.com Description . . . . . . . . . . . : Fortinet virtual adapter #4 Physical Address. . . . . . . . . : 00-09-0F-FE-00-01 Dhcp Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IP Address. . . . . . . . . . . . : 10.27.3.2 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : DHCP Server . . . . . . . . . . . : 10.27.2.3 DNS Servers . . . . . . . . . . . : 10.27.1.50 Lease Obtained. . . . . . . . . . : den 3 juli 2009 12:10:36 Lease Expires . . . . . . . . . . : den 10 juli 2009 12:10:36
    A
    Anonymous_UserAuthor
    Contributor
    July 3, 2009
    The ZyWall dmz port is 10.27.2.1, so the wan1 is on the same subnet. Changing the wan1 (the name, not the physical port) address in the firewall to 10.27.2.0 subnet does not help. Maybe it was a dum choice to have the name " wan1" when there also is a physical port with that name.
    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    July 3, 2009
    Can' t locate subnet in shared network of packet and packet is not a DHCPREQUEST and htype(1) != intf htype(1)..dropping
    Fortigates drop packets that they don' t know! this is called " ip spoofing" prevention, search for it in the KC. As long as you get these messages your address setup is wrong.
    Changing the wan1 (the name, not the physical port)
    I didn' t understand this one. We are talking about real addresses not address table entries. What is the IP of port " wan1" , and what is the network mask length? As you see in the " ipconfig " output the client doesn' t have a gateway. Where does he send packets to foreign networks? Nowhere. Ede
    A
    Anonymous_UserAuthor
    Contributor
    July 3, 2009
    See the start of my post
    The wan1 interface has ip 10.27.2.3/255.255.255.0
    and
    edit " wan1" set associated-interface " wan1" set subnet 10.27.2.3 255.255.255.255
    All according to the vpn guide. Yes, I know it is dropping the packets, I can' t figure out what I am missing in the setup.
    A
    Anonymous_UserAuthor
    Contributor
    July 3, 2009
    First of all assign another IP range for the DHCP clients
    Do you mean any other range, or the one I have on my internal net ?
    A
    Anonymous_UserAuthor
    Contributor
    July 3, 2009
    You didn' t mention his IP but it has to be on the 192.168.3.0/24 network.
    I have no such subnet on my network or in my configuration, what do you mean ?
    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    July 3, 2009
    this is a weird setup from the beginning... why do you assign from the .3 net on an interface in the .2 net? I just cannot see any good reason to do so. Shell out a range of IPs from the wan1 net, say .2.100-150. Except from the route you quoted the fw doesn' t know about the origin of the .3 net. If you would sniff on wan1 you' d see the packets' address when the fw drops it. But that is more complicated than straitening out your address scheme. so 1. re-configure the DHCP server 2. make sure that the DHCP server specifies the gateway .2.3. Not the internal port. 3. If you have configured the gateway check the client' s DHCP assignments. Gateway? 4. are there still packets dropped now? Ede
    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    July 3, 2009
    192.168.3
    just to clarify...I meant the 10.27.3.x net (" the .3 net" in my last post).
    Show more replies
    Terms & ConditionsAccessibility statement