VPN > DHCP over VPN

The VPN > DHCP over VPN page allows you to configure a firewall to obtain an IP address lease from a DHCP server at the other end of a VPN tunnel. In some network deployments, it is desirable to have all VPN networks on one logical IP subnet, and create the appearance of all VPN networks residing in one IP subnet address space. This facilitates IP address administration for the networks using VPN tunnels.

Topics:

DHCP Relay Mode

Configuring the Central Gateway for DHCP Over VPN

Configuring DHCP over VPN Remote Gateway

Current DHCP over VPN Leases

DHCP Relay Mode

The firewalls at the remote and central sites are configured with VPN tunnels that carry the initial DHCP traffic as well as the subsequent IP traffic between the sites. The firewall at the remote site (Remote Gateway) passes DHCP broadcast packets through its VPN tunnel. The firewall at the central site (Central Gateway) relays DHCP packets from the client on the remote network to the DHCP server on the central site.

Configuring the Central Gateway for DHCP Over VPN

To configure DHCP over VPN for the Central Gateway, use the following steps:

1. Select VPN > DHCP over VPN.

2. Select Central Gateway from the DHCP over VPN drop-down menu.

3. Click Configure. The DHCP over VPN Configuration window is displayed.

4. Select one of the following:

• If you want to use the DHCP Server for global VPN clients or for a remote firewall or for both, select the Use Internal DHCP Server option.

a. You can also select either or both of these:

   • To use the DHCP Server for global VPN clients, select the For Global VPN Clients option.

   • To use the DHCP Server for a remote firewall, select the Remote Firewall option.

• If you want to send DHCP requests to specific servers, select Send DHCP requests to the server addresses listed below.

a. Click Add. The Add DHCP Server window is displayed.

b. Type the IP addresses of DHCP servers in the IP Address field.

c. Click OK. The firewall now directs DHCP requests to the specified servers.

5. Type the IP address of a relay server in the Relay IP Address (Optional) field.

When set, this IP address is used as the DHCP Relay Agent IP address (giaddr) in place of this SonicWALL’s LAN IP address. This address is only used when no Relay IP Address has been set on the Remote Gateway, and must be reserved in the DHCP scope on the DHCP server.

6. Click OK.

Configuring DHCP over VPN Remote Gateway

1. Select Remote Gateway from the DHCP over VPN drop-down menu.

2. Click Configure. The DHCP over VPN Configuration window is displayed.


3. In the General tab, the VPN policy name is automatically displayed in the Relay DHCP through this VPN Tunnel field if the VPN policy has the setting Local network obtains IP addresses using DHCP through this VPN Tunnel enabled.

Note Only VPN policies using IKE can be used as VPN tunnels for DHCP. The VPN tunnel must use IKE, and the policy's local network must be set to obtain IP addresses using DHCP through this VPN tunnel.

4. Select the interface to which the DHCP lease is bound from the DHCP lease bound to menu.

5. To accept DHCP requests from bridged WLAN interfaces, enable the Accept DHCP Request from bridged WLAN interface checkbox.

6. If you enter an IP address in the Relay IP Address field, this IP address is used as the DHCP Relay Agent IP address (giaddr) in place of the Central Gateway’s address and must be reserved in the DHCP scope on the DHCP server. This address can also be used to manage this firewall remotely through the VPN tunnel from behind the Central Gateway.

Note The Relay IP address and Remote Management IP Address fields cannot be zero if management through the tunnel is required.

7. If you enter an IP address in the Remote Management IP Address field, this IP address is used to manage the firewall from behind the Central Gateway, and must be reserved in the DHCP scope on the DHCP server.

8. If you enable Block traffic through tunnel when IP spoof detected, the firewall blocks any traffic across the VPN tunnel that is spoofing an authenticated user’s IP address. If you have any static devices, however, you must ensure that the correct Ethernet address is typed for the device. The Ethernet address is used as part of the identification process, and an incorrect Ethernet address can cause the firewall to respond to IP spoofs.

9. If the VPN tunnel is disrupted, temporary DHCP leases can be obtained from the local DHCP server. Once the tunnel is again active, the local DHCP server stops issuing leases. Enable the Obtain temporary lease from local DHCP server if tunnel is down check box. By enabling this check box, you have a failover option in case the tunnel ceases to function.

10. If you want to allow temporary leases for a certain time period, type the number of minutes for the temporary lease in the Temporary Lease Time box. The default value is 2 minutes.

11. To configure devices on your LAN, click the Devices tab.


12. To configure Static Devices on the LAN, click Add to display the Add LAN Device Entry window.


13. Type the IP address of the device in the IP Address field and then type the Ethernet address of the device in the Ethernet Address field.

An example of a static device is a printer, as it cannot obtain an IP lease dynamically. If you do not have Block traffic through tunnel when IP spoof detected enabled, it is not necessary to type the Ethernet address of a device. You must exclude the static IP addresses from the pool of available IP addresses on the DHCP server so that the DHCP server does not assign these addresses to DHCP clients. You should also exclude the IP address used as the Relay IP Address. It is recommended to reserve a block of IP addresses to use as Relay IP addresses.

14. Click OK.

15. To exclude devices on your LAN, click Add to display the Add Excluded LAN Entry window.

16. Enter the MAC address of the device in the Ethernet Address field.

17. Click OK.

18. Click OK to exit the DHCP over VPN Configuration window.

Note You must configure the local DHCP server on the remote firewall to assign IP leases to these computers.

Note If a remote site has trouble connecting to a central gateway and obtaining a lease, verify that Deterministic Network Enhancer (DNE) is not enabled on the remote computer.

Tip If a static LAN IP address is outside of the DHCP scope, routing to this IP address is still possible; that is, the two address ranges behave as two LANs.
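As an added illustration of the relay mechanism described in this section (not SonicWALL code and not the firewall's implementation), the following Python models how the Remote Gateway and the Central Gateway handle the giaddr field of a client's DHCPDISCOVER, why a Relay IP Address set on the Remote Gateway takes precedence over the Central Gateway's, and why the relay address must be reserved in the DHCP scope. The MAC, the addresses and the scope table are constructed sample values.

```python
import ipaddress
import struct
from typing import Optional

# BOOTP/DHCP fixed header (RFC 2131 section 2) up to and including chaddr:
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr
HDR = "!BBBBIHH4s4s4s4s16s"
HDR_LEN = struct.calcsize(HDR)
ZERO4 = b"\x00" * 4
HOPS, GIADDR = 3, 10  # indexes in the unpacked header tuple


def build_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed client DHCPDISCOVER header: a client broadcasts with giaddr = 0."""
    return struct.pack(HDR, 1, 1, 6, 0, xid, 0, 0x8000,
                       ZERO4, ZERO4, ZERO4, ZERO4, client_mac.ljust(16, b"\x00"))


def giaddr_of(packet: bytes) -> str:
    return str(ipaddress.IPv4Address(struct.unpack(HDR, packet[:HDR_LEN])[GIADDR]))


def relay(packet: bytes, agent_ip: str) -> bytes:
    """Relay-agent rule (RFC 2131 4.1): only the first agent on the path writes giaddr,
    so a Relay IP Address set on the Remote Gateway wins over the Central Gateway's."""
    f = list(struct.unpack(HDR, packet[:HDR_LEN]))
    if f[GIADDR] == ZERO4:
        f[GIADDR] = ipaddress.IPv4Address(agent_ip).packed
    f[HOPS] += 1
    return struct.pack(HDR, *f) + packet[HDR_LEN:]


def remote_gateway(packet: bytes, relay_ip: Optional[str]) -> bytes:
    """The Remote Gateway passes the broadcast through the tunnel; it stamps giaddr
    only when its optional Relay IP Address is configured."""
    return relay(packet, relay_ip) if relay_ip else packet


def central_gateway(packet: bytes, relay_ip: Optional[str], lan_ip: str) -> bytes:
    """The Central Gateway always relays to the DHCP server, using its Relay IP
    Address if set and otherwise its own LAN IP address as giaddr."""
    return relay(packet, relay_ip or lan_ip)


def select_scope(packet: bytes, scopes: dict) -> str:
    """DHCP server side: the scope is chosen by giaddr, not by the datagram's source IP.
    scopes maps subnet -> set of reserved (excluded) addresses; a giaddr that is not
    reserved would eventually be leased to a client, so it is refused here."""
    gi = giaddr_of(packet)
    for subnet, reserved in scopes.items():
        if ipaddress.IPv4Address(gi) in ipaddress.IPv4Network(subnet):
            if gi not in reserved:
                raise ValueError(f"relay address {gi} is not reserved in scope {subnet}")
            return subnet
    raise LookupError(f"no scope for giaddr {gi}")
```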

Current DHCP over VPN Leases

The Current DHCP over VPN Leases table is a scrolling window that shows the details on the current bindings: IP Address, Host Name, Ethernet Address, Lease Time, and Tunnel Name. The last column in the table, Configure, enables you to configure or delete a table entry (binding).

To edit a binding, click Edit. To delete a binding, which frees the IP address in the DHCP server, select the binding from the list, and then click the Delete icon. The operation takes a few seconds to complete. Once completed, a message confirming the update is displayed at the bottom of the Web browser window. Click Delete All to delete all VPN leases.