Having an issue with DHCP Relay not working over an IPSec tunnel.
I’ve found a few previous posts and tried suggestions there to no avail.
This is only a temporary setup for a few months, so I don’t want to waste too much time on it, but it would be nice to get working if possible. I’m currently using the DHCP server built in to RouterOS on the “remote” site but would like to use the Windows 2008R2 DHCP server on the “main” site to serve the “remote” site via relay.
Setup is complicated by a bit of a “hack” I’ve had to do on the “remote” router to get the IPSec tunnel to come up, due to less than ideal config outside of my control.
Main site:
RB750 - PPPoE Client interface acts as gateway to Internet
Remote site:
RB750 - Ether1 interface acts as gateway configured as 192.168.0.250. This connects to another device which is 192.168.0.1 which then via NAT connects to the Internet.
To get the IPSec tunnel to come up, I have had to add the public IP address of the remote site into the RB750 as an additional IP address assigned to Ether1.
Default src-nat masquerade rule plus a src-nat rule of source 10.10.0.0/16 (remote site) destination 10.0.0.0/16 (one VLAN on main site) to ‘accept’.
Tried also adding a src-nat rule of source destination 10.0.0.0/16 src-nat to-address 10.10.0.254, didn’t work.
Any suggestions? As stated this is a temp setup only and will be redundant in a few months as this remote site will be replaced by another where an RB750GL will directly get a public IP via PPPoE client.
Bumping this as no replies and still haven’t managed to resolve…
I’ve also attempted to deploy on my new FTTC (VDSL) circuit and had the same issue and that is not behind another NAT router…
Is your site to site IPsec tunnel actually working?
How far have you got with the DHCP relay? You haven’t actually said what the problem with it is. Tried a packet capture on the destination server whilst a request is being made at the remote site?
Hello.
I’m new to this forum and I have a similar problem with DHCP relay and IPsec VPN.
I have a central DHCP server and DHCP relays in remote sites. I have a MikroTik RouterBOARD RB2011iL-IN to make tests, but it is the same type of router we have in the remote sites.
I think the problem is that relay packets are NATed in the router:
Rule 1 is disabled. With this rule active problem persists. This rule is to not masquerade all traffic.
Rule 2 is to masquerade internet traffic.
Rule 0 is to not masquerade remote site traffic.
What source nat rule covering traffic going between each site do you configure?
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.233.0/24 dst-address=192.168.112.0/24 log=no log-prefix=""
In this NAT rule, the source net is set. In the DHCP request packet, the source IP is not set.
Solution: a NAT rule with the destination address equal to the DHCP server and action accept.
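The fix described in the post above, written out as a RouterOS configuration. This is an added example, not configuration from either poster: the two subnets come from the thread, while the DHCP server address 192.168.112.10, the LAN interface ether2, the relay's local address 192.168.233.1 and the WAN interface ether1 are assumed placeholders. The same layout applies to the first poster's setup with 10.10.0.0/16 and 10.0.0.0/16 substituted. The point it shows is that in the srcnat chain the first matching rule wins, so an accept rule keyed on the remote LAN source address does not catch a relayed request whose source address is unset, and the request falls through to the masquerade rule; an accept rule keyed on the destination (the DHCP server), placed before masquerade, does catch it.

```routeros
# Added example, not from the thread. Assumed values:
#   192.168.233.0/24  remote-site LAN behind the relay (from the post)
#   192.168.112.0/24  main-site LAN (from the post)
#   192.168.112.10    central DHCP server (ASSUMED placeholder, substitute yours)
#   ether2            remote-site LAN interface (assumed)
#   192.168.233.1     relay's own address on that LAN (assumed)
#   ether1            remote-site Internet-facing interface (assumed)

# Relay on the remote router forwards client requests to the central server.
/ip dhcp-relay
add name=relay-main dhcp-server=192.168.112.10 interface=ether2 \
    local-address=192.168.233.1 disabled=no

/ip firewall nat
# Rule keyed on the remote LAN source: fine for ordinary site-to-site
# traffic, but per the post the relayed DHCP request has no set source
# address, so it is not matched here and would fall through to masquerade.
add chain=srcnat action=accept src-address=192.168.233.0/24 \
    dst-address=192.168.112.0/24 comment="site-to-site: no NAT"
# Fix from the thread: match on the destination (the DHCP server) instead,
# so the relayed request is accepted untouched whatever its source address.
# place-before=0 puts it at the top of the chain, ahead of everything else.
add chain=srcnat action=accept dst-address=192.168.112.10 \
    comment="DHCP relay to central server: no NAT" place-before=0
# Internet-bound traffic is still masqueraded; this must stay last.
add chain=srcnat action=masquerade out-interface=ether1 \
    comment="masquerade Internet traffic"

# Check: the accept rule's counters should increase while a client requests
# a lease, and the masquerade rule's should not.
/ip firewall nat print stats
# Optional: watch DHCP traffic leave the remote router towards the server.
/tool sniffer quick ip-protocol=udp port=67
```

Rule order matters here because accept and masquerade both terminate processing in the srcnat chain; if the destination-keyed accept rule is added after masquerade it is never reached, which is the same failure mode the thread describes.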