Problem with DHCP Relay & IPSec

Posted: Sat Mar 14, 2015 5:54 pm
by sjoram
Having an issue with DHCP Relay not working over an IPSec tunnel.
I've found a few previous posts and tried suggestions there to no avail.
This is only a temporary setup for a few months, so don't want to waste too much time on it, but would be nice to get working if possible. I'm currently using the DHCP server built-in to RouterOS on the "remote" site but would like to use the Windows 2008R2 DHCP server on the "main" site to serve the "remote" site via relay.

Setup is complicated by a bit of a "hack" I've had to do on the "remote" router to get the IPSec tunnel to come up, due to less than ideal config outside of my control.

Main site:
RB750 - PPPoE Client interface acts as gateway to Internet

Remote site:
RB750 - Ether1 interface acts as gateway configured as 192.168.0.250. This connects to another device which is 192.168.0.1 which then via NAT connects to the Internet.
To get the IPSec tunnel to come up, I have had to add the public IP address of the remote site into the RB750 as an additional IP address assigned to Ether1.

Default src-nat masquerade rule plus a src-nat rule of source 10.10.0.0/16 (remote site) destination 10.0.0.0/16 (one VLAN on main site) to 'accept'.
Tried also adding a src-nat rule of source <remote site public IP> destination 10.0.0.0/16 src-nat to-address 10.10.0.254, didn't work.

Any suggestions? As stated this is a temp setup only and will be redundant in a few months as this remote site will be replaced by another where a RB750GL will directly get a public IP via PPPoE client.

Re: Problem with DHCP Relay & IPSec

Posted: Sat May 02, 2015 9:53 pm
by sjoram
Bumping this as no replies and still haven't managed to resolve...
I've also attempted to deploy on my new FTTC (VDSL) circuit and had the same issue and that is not behind another NAT router....

Re: Problem with DHCP Relay & IPSec

Posted: Sun May 03, 2015 12:18 pm
by troffasky
Is your site to site IPsec tunnel actually working?
How far have you got with the DHCP relay? You haven't actually said what the problem with it is. Tried a packet capture on the destination server whilst a request is being made at the remote site?

Re: Problem with DHCP Relay & IPSec

Posted: Sun May 03, 2015 1:31 pm
by sjoram
Yes the IPSec tunnel is working. Packet capture on the DHCP server doesn't show any DHCP packets originating from the remote network.

Re: Problem with DHCP Relay & IPSec

Posted: Sat May 16, 2015 10:26 pm
by sjoram
**Edited**

This is now resolved and was the result of a couple of configuration screw ups.

Namely, DHCP snooping on switch at main site & Source NAT rule covering traffic going between each site.

Re: Problem with DHCP Relay & IPSec

Posted: Mon May 18, 2015 1:39 pm
by manelfl
Hello.
I'm new to this forum and I have a similar problem with DHCP relay and IPsec VPN.

I have a central dhcp server and dhcp relay in remote sites. I have a mikrotik routerboard RB2011iL-IN to make tests, but it is the same type of router we have in remote sites.

I think the problem is that the relayed packets are NATed in the router:

0 time=174.501 num=1 direction=rx interface=ether2
src-address=0.0.0.0:68 (bootpc) dst-address=255.255.255.255:67 (bootps)
protocol=ip ip-protocol=udp size=328 cpu=0 ip-packet-size=328
ip-header-size=20 dscp=4 identification=0 fragment-offset=0 ttl=128

1 time=174.502 num=2 direction=tx interface=pppoe-out1
src-address=2.139.155.188:67 (bootps)
dst-address=192.168.112.11:67 (bootps) protocol=ip ip-protocol=udp
size=328 cpu=0 ip-packet-size=328 ip-header-size=20 dscp=0
identification=0 fragment-offset=0 ttl=64



I don't understand why:

[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.233.0/24 dst-address=192.168.112.0/24 log=no log-prefix=""

1 X chain=srcnat action=accept log=no log-prefix=""

2 ;;; default configuration
chain=srcnat action=masquerade out-interface=pppoe-out1 log=no log-prefix=""


Rule 1 is disabled. With this rule active problem persists. This rule is to not masquerade all traffic.
Rule 2 is to masquerade internet traffic.
Rule 0 is to not masquerade remote site traffic.

What source nat rule covering traffic going between each site do you configure?

Thank you in advance for your help!


Re: Problem with DHCP Relay & IPSec

Posted: Thu May 24, 2018 5:38 pm
by manelfl
Hi.
I found the problem.

[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.233.0/24 dst-address=192.168.112.0/24 log=no log-prefix=""


In this NAT rule, the source network is set. In the DHCP request packet, the source IP is not set.
Solution: a NAT rule with the destination address equal to the DHCP server and action accept.
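A small first-match model of the srcnat chain manelfl printed, written here as an added example (not code from the thread or from MikroTik), to show why the relayed DHCP packet falls through the accept rule and gets masqueraded, and why an accept rule keyed on the destination, placed before the masquerade, fixes it. The 0.0.0.0 source is the one manelfl reports for the relayed packet; the rule dicts, the function names and the 8.8.8.8 internet destination are my own.

```python
import ipaddress

# Addresses taken from the sniffer and "ip firewall nat print" output in the thread.
MASQ_PUBLIC_IP = "2.139.155.188"   # pppoe-out1 address that masquerade rewrites to
DHCP_SERVER = "192.168.112.11"     # central DHCP server at the main site


def _match(selector, addr):
    # A rule with no src-address/dst-address selector matches any address.
    return selector is None or ipaddress.ip_address(addr) in ipaddress.ip_network(selector)


def srcnat(rules, src, dst, out_iface):
    """Return the source address after the srcnat chain runs (first match wins)."""
    for r in rules:
        if r.get("disabled"):
            continue
        if r.get("out_interface") not in (None, out_iface):
            continue
        if _match(r.get("src"), src) and _match(r.get("dst"), dst):
            return src if r["action"] == "accept" else MASQ_PUBLIC_IP
    return src  # no rule matched: source left untouched


# The three rules exactly as printed on the RB2011 (rule 1 is disabled, "X").
ORIGINAL_RULES = [
    {"action": "accept", "src": "192.168.233.0/24", "dst": "192.168.112.0/24"},  # rule 0
    {"action": "accept", "disabled": True},                                      # rule 1
    {"action": "masquerade", "out_interface": "pppoe-out1"},                     # rule 2
]

# manelfl's fix: accept anything addressed to the DHCP server, ahead of the masquerade.
FIXED_RULES = [{"action": "accept", "dst": DHCP_SERVER}] + ORIGINAL_RULES


def relayed_dhcp_source(rules):
    """Source the relayed DHCP request leaves with; the relay sends it from 0.0.0.0
    (as reported in the thread), so the src-address selector of rule 0 never matches."""
    return srcnat(rules, "0.0.0.0", DHCP_SERVER, "pppoe-out1")
```

With ORIGINAL_RULES the relayed request is rewritten to 2.139.155.188 (the packet seen on pppoe-out1 in the capture); with FIXED_RULES it keeps its source, while ordinary LAN-to-LAN traffic still hits rule 0 and internet traffic is still masqueraded.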

