Configuring DHCP over VPN Remote Gateway

Select Remote Gateway from the DHCP over VPN drop-down menu.

Click Configure. The DHCP over VPN Configuration dialog displays.

In the General tab, the VPN policy name is automatically displayed in the Relay DHCP through this VPN Tunnel field if the VPN policy has the setting Local network obtains IP addresses using DHCP through this VPN Tunnel enabled.


	NOTE: Only VPN policies using IKE can be used as VPN tunnels for DHCP. The VPN tunnel must use IKE and the local network must be set appropriately. The local network obtains IP addresses using DHCP through this VPN Tunnel.

Select the interface the DHCP lease is bound from the DHCP lease bound to menu.

To accept DJCP requests from bridged WLAN interfaces, enable the Accept DHCP Request from bridged WLA interface checkbox.

If you enter an IP address in the Relay IP Address field, this IP address is used as the DHCP Relay Agent IP address (giaddr) in place of the Central Gateway’s address and must be reserved in the DHCP scope on the DHCP server. This address can also be used to manage this firewall remotely through the VPN tunnel from behind the Central Gateway.


	NOTE: The Relay IP address and Remote Management IP Address fields cannot be zero if management through the tunnel is required.

If you enter an IP address in the Remote Management IP Address field, this IP address is used to manage the firewall from behind the Central Gateway, and must be reserved in the DHCP scope on the DHCP server.

If you enable Block traffic through tunnel when IP spoof detected, the firewall blocks any traffic across the VPN tunnel that is spoofing an authenticated user’s IP address. If you have any static devices, however, you must ensure that the correct Ethernet address is typed for the device. The Ethernet address is used as part of the identification process, and an incorrect Ethernet address can cause the firewall to respond to IP spoofs.

If the VPN tunnel is disrupted, temporary DHCP leases can be obtained from the local DHCP server. Once the tunnel is again active, the local DHCP server stops issuing leases. Enable the Obtain temporary lease from local DHCP server if tunnel is down check box. By enabling this check box, you have a failover option in case the tunnel ceases to function.

If you want to allow temporary leases for a certain time period, type the number of minutes for the temporary lease in the Temporary Lease Time box. The default value is 2 minutes.

To configure devices on your LAN, click the Devices tab.

To configure Static Devices on the LAN, click Add to display the Add LAN Device Entry dialog.

Type the IP address of the device in the IP Address field and then type the Ethernet address of the device in the Ethernet Address field.

An example of a static device is a printer as it cannot obtain an IP lease dynamically. If you do not have Block traffic through tunnel when IP spoof detected enabled, it is not necessary to type the Ethernet address of a device. You must exclude the Static IP addresses from the pool of available IP addresses on the DHCP server so that the DHCP server does not assign these addresses to DHCP clients. You should also exclude the IP address used as the Relay IP Address. It is recommended to reserve a block of IP address to use as Relay IP addresses.

Click OK.

To exclude devices on your LAN, click Add to display the Add Excluded LAN Entry dialog.

Enter the MAC address of the device in the Ethernet Address field.

Click OK.

Click OK to exit the DHCP over VPN Configuration dialog.


	NOTE: You must configure the local DHCP server on the remote firewall to assign IP leases to these computers.


	NOTE: If a remote site has trouble connecting to a central gateway and obtaining a lease, verify that Deterministic Network Enhancer (DNE) is not enabled on the remote computer.


	TIP: If a static LAN IP address is outside of the DHCP scope, routing is possible to this IP, i.e. two LANs.