Configuring the DHCP relay agent in a site-to-site IPsec VPN tunnel between two networks

Author
Cleyton
New Member
  • Total Posts : 16
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/02/08 08:46:36
  • Status: offline
2019/03/28 10:48:24 (permalink) 6.0
0


I created a route-based IPsec VPN connection (as per https://cookbook.fortinet...pn-two-fortigates-56/) to allow transparent communication between two networks that are located behind two different FortiGates.
80E FORTIGATE v6.0.4
50E FORTIGATE v6.0.4
FortiGate 80E (HQ) establishes an IPsec connection with the 50E (Branch).
FortiGate 80E:
WAN: 189.XX.XX.XX
LAN: 192.168.254.109
HQ internal network: 192.168.254.0/24
DHCP: enabled, pool 192.168.254.100 to 192.168.254.254
config vpn ipsec phase1-interface
    edit "hq-to-branch"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: hq-to-branch"
        set remote-gw 177.XXX.XXX.XXX
        set psksecret
    next
end
config vpn ipsec phase2-interface
    edit "hq-to-branch"
        set phase1name "hq-to-branch"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set comments "VPN: hq-to-branch"
        set src-addr-type name
        set dst-addr-type name
        set src-name "hq-to-branch_local"
        set dst-name "hq-to-branch_remote"
    next
end
 
--------------------------------//---------------------------------------------

FortiGate 50E (Branch) establishes an IPsec connection with the 80E (HQ).
WAN: 177.XXX.XXX.XXX
LAN: 192.168.100.101
Branch internal network: 192.168.100.0/24
DHCP: disabled
config vpn ipsec phase1-interface
    edit "branch-to-hq"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: branch-to-hq"
        set remote-gw 189.XX.XX.XX
        set psksecret ENC
    next
end
config vpn ipsec phase2-interface
    edit "branch-to-hq"
        set phase1name "branch-to-hq"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set comments "VPN: branch-to-hq"
        set src-addr-type name
        set dst-addr-type name
        set src-name "branch-to-hq_local"
        set dst-name "branch-to-hq_remote"
    next
end
Users on the HQ's internal network can access resources in the branch's internal network and vice versa.
But I want the HQ DHCP server to assign IP addresses to the branch network, which is in another subnet.
Would it be possible?
#1


    rwpatterson
    Expert Member
    • Total Posts : 8390
    • Scores: 195
    • Reward points: 0
    • Joined: 2006/08/08 10:08:18
    • Location: Long Island, New York, USA
    • Status: offline
    Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/03/28 12:15:12 (permalink)
    0
    You would need to place a DHCP helper on the LAN port of the remote site(s). This would intercept DHCP packets and forward them to the designated server(s) anywhere that traffic is permitted. I believe this is an option from the GUI.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #2
    Cleyton
    New Member
    • Total Posts : 16
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/02/08 08:46:36
    • Status: offline
    Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/03/28 12:40:14 (permalink)
    0
    Dear Bob
    Would this DHCP helper work on the LAN port?
    How do I do this? Could you explain it better?
    #3
    rwpatterson
    Expert Member
    • Total Posts : 8390
    • Scores: 195
    • Reward points: 0
    • Joined: 2006/08/08 10:08:18
    • Location: Long Island, New York, USA
    • Status: offline
    Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/03/28 13:01:48 (permalink)
    0
    Can't paste an image...
    post edited by rwpatterson - 2019/03/28 13:25:43

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #4
    Cleyton
    New Member
    • Total Posts : 16
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/02/08 08:46:36
    • Status: offline
    Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/03/28 13:20:22 (permalink)
    0
    Dear rwpatterson
    Image you posted is not showing up.
    Could you post the image again?
    #5
    rwpatterson
    Expert Member
    • Total Posts : 8390
    • Scores: 195
    • Reward points: 0
    • Joined: 2006/08/08 10:08:18
    • Location: Long Island, New York, USA
    • Status: offline
    Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/03/28 13:27:13 (permalink)
    0
    Sorry. Sidetracked by work. ;-)
     
    System > Network > DHCP Server
     
    Select the interface name, and in the window where it says Mode, select DHCP Relay, then fill in the blank.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #6
    Cleyton
    New Member
    • Total Posts : 16
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/02/08 08:46:36
    • Status: offline
    Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/03/28 13:44:03 (permalink)
    0
    Dear rwpatterson
    I did exactly as indicated: on the branch FortiGate I selected the LAN interface, clicked on DHCP Server, activated Relay mode, entered the IP of the DHCP server (HQ) and selected the IPsec type.
    But it did not work.

    Attached Image(s)

    #7
    ede_pfau
    Expert Member
    • Total Posts : 5986
    • Scores: 472
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/03/28 14:12:53 (permalink)
    0
    No, don't use the IPsec type, use Regular instead.
    IPsec DHCP is for assigning IPs to dial-in IPsec clients.
    In your case, you just want DHCP relay to work. The fact that the DHCP server is on the other side of a VPN tunnel is irrelevant here.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #8
    Cleyton
    New Member
    • Total Posts : 16
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/02/08 08:46:36
    • Status: offline
    Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/03/29 07:03:43 (permalink)
    0
    ede_pfau
    I checked the "regular" DHCP relay option, but it did not work. I'm wondering if the DHCP relay agent actually works on FortiGate; remember that in my scenario I have an IPsec VPN connection between two FortiGates (a FortiGate 80E and a FortiGate 50E).
    The FortiGate 80E has DHCP enabled.
    The FortiGate 50E has the DHCP relay agent enabled on the LAN interface.
    As in the image attached to the post.

    Attached Image(s)

    #9
    Jirka
    Gold Member
    • Total Posts : 123
    • Scores: 4
    • Reward points: 0
    • Joined: 2014/07/09 11:34:53
    • Location: Czech Republic
    • Status: offline
    Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/03/29 08:37:28 (permalink)
    0
    Hello Cleyton,
    I think it can't work. You cannot assign an IP address from the HQ LAN range to the Branch LAN range. They are completely different networks. DHCP Relay works by sending IP address allocation queries from the range assigned to the interface.
    DHCP Relay works very well. We have built 13 branches. You can even enter multiple DHCP servers (we use DHCP on Windows Server and clustering).
     
    Jirka
    #10
    rwpatterson
    Expert Member
    • Total Posts : 8390
    • Scores: 195
    • Reward points: 0
    • Joined: 2006/08/08 10:08:18
    • Location: Long Island, New York, USA
    • Status: offline
    Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/04/01 06:18:42 (permalink)
    0
    If the DHCP server (at HQ) is configured with a subnet for the remote network, it will work without issue. The relay agent takes care of the magic in the back end.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #11
    Jirka
    Gold Member
    • Total Posts : 123
    • Scores: 4
    • Reward points: 0
    • Joined: 2014/07/09 11:34:53
    • Location: Czech Republic
    • Status: offline
    Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/04/01 08:42:19 (permalink)
    0
    rwpatterson
    If the DHCP server (at HQ) is configured with a subnet for the remote network, it will work without issue. The relay agent takes care of the magic in the back end.


    In this case, yes.
    But in the screenshot I see that DHCP on HQ allocates IP addresses from 254.0/24 and the branch office is 101.0/24. It cannot get an IP address from the HQ range at the branch office.
     
    Jirka
    #12
    Cleyton
    New Member
    • Total Posts : 16
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/02/08 08:46:36
    • Status: offline
    Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/04/01 10:55:35 (permalink)
    0
    In this case, in order for my HQ DHCP to assign IPs to the branch, do I have to put the branch in the same network range as HQ?
    In the current IPsec VPN configuration the subnets of the two FortiGates are different, as in the images sent before; do I have to redo my current VPN configuration and reconfigure it with overlapping subnets,
    according to this tutorial:
    https://cookbook.fortinet...n-overlapping-subnets/
    #13
    Jirka
    Gold Member
    • Total Posts : 123
    • Scores: 4
    • Reward points: 0
    • Joined: 2014/07/09 11:34:53
    • Location: Czech Republic
    • Status: offline
    Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/04/01 11:01:19 (permalink)
    0
    Cleyton
    In this case, in order for my HQ DHCP to assign IPs to the branch, do I have to put the branch in the same network range as HQ?
    In the current IPsec VPN configuration the subnets of the two FortiGates are different, as in the images sent before; do I have to redo my current VPN configuration and reconfigure it with overlapping subnets,
    according to this tutorial:
    https://cookbook.fortinet...n-overlapping-subnets/




    Hi Cleyton,
    if you want a branch to have the same address range as the HQ I recommend using VXLAN: https://cookbook.fortinet.com/vxlan-over-ipsec-using-vtep-60/
     
    Jirka
    #14
    Cleyton
    New Member
    • Total Posts : 16
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/02/08 08:46:36
    • Status: offline
    Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/04/01 12:06:47 (permalink)
    0
    Jirka,
    in your previous post you said that you built DHCP relay with 13 branches. I found it very interesting and would like to apply this solution in my scenario; could you give me more details?
    #15
    Jirka
    Gold Member
    • Total Posts : 123
    • Scores: 4
    • Reward points: 0
    • Joined: 2014/07/09 11:34:53
    • Location: Czech Republic
    • Status: offline
    Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/04/01 12:20:03 (permalink)
    0
    I think it will not be a suitable scenario for you, but here it is:
     
    At headquarters we have 2x200E in HA. In DMZ, we have servers (Active Directory with DHCP and DNS, File Servers, etc.).
    At each branch there is a 60E with an IPsec tunnel to the headquarters (DR 0.0.0.0/0),
    and DHCP Relay enabled on the LAN pointing to the DHCP server at the headquarters and at the hosting center (two DHCP servers can only be set via CLI).
    If it happens that the server on the HQ fails (technical problems, maintenance, etc.), the second DHCP in the hosting center takes over its function. Simple, rock-stable.
     
    Jirka
    #16
    rwpatterson
    Expert Member
    • Total Posts : 8390
    • Scores: 195
    • Reward points: 0
    • Joined: 2006/08/08 10:08:18
    • Location: Long Island, New York, USA
    • Status: offline
    Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/04/01 13:27:26 (permalink)
    0
    Create the DHCP range for the remote devices in the HQ system. Use the remote subnet, gateway, mask, DNS, etc as though you were sitting at that remote location. What you put in there will be given out to every device at the remote location. Don't match the remote subnet to the HQ one. This will break way too many things and is (in my opinion) a really ****py idea.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #17
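The behaviour Bob and Jirka describe above (the relay stamps giaddr with its LAN interface address, and the HQ server picks a scope by that address), as an added Python model that is not part of the thread or of FortiOS; the topology is taken from the posts, while the scope ranges, client MAC and function names are constructed for the example.

```python
import ipaddress
# Added example (not from the thread or FortiOS). Topology from the posts: HQ DHCP
# server 192.168.254.109, branch FortiGate LAN 192.168.100.101 running DHCP relay.
HQ_SERVER_IP = "192.168.254.109"
BRANCH_LAN_IP = "192.168.100.101"

def make_scope(cidr, first, last, gateway):
    """One DHCP scope: subnet served, free pool, router option (ranges constructed)."""
    pool = [ipaddress.ip_address(first)]
    while pool[-1] < ipaddress.ip_address(last):
        pool.append(pool[-1] + 1)
    return {"network": ipaddress.ip_network(cidr), "pool": pool, "gateway": gateway}

def relay_discover(discover, relay_if_ip):
    """Relay agent (RFC 2131 4.3.1): stamp giaddr with the receiving interface's
    IP if it is still 0.0.0.0, bump hops, then unicast to the server(s)."""
    fwd = dict(discover)
    if fwd["giaddr"] == "0.0.0.0":
        fwd["giaddr"] = relay_if_ip
    fwd["hops"] += 1
    return fwd

def server_offer(scopes, packet, server_ip=HQ_SERVER_IP):
    """The server selects a scope by giaddr (relayed) or by its own interface
    (local).  No matching scope means no OFFER: the silent failure in the thread."""
    key = ipaddress.ip_address(packet["giaddr"] if packet["giaddr"] != "0.0.0.0" else server_ip)
    for scope in scopes:
        if key in scope["network"] and scope["pool"]:
            return {"yiaddr": str(scope["pool"].pop(0)),
                    "router": scope["gateway"], "giaddr": packet["giaddr"]}
    return None

def branch_client_lease(servers):
    """servers: one scope list per DHCP server the relay points at (None = down).
    The relay forwards the same DISCOVER to each; the first OFFER wins."""
    discover = {"op": "DISCOVER", "giaddr": "0.0.0.0", "hops": 0, "chaddr": "00:11:22:33:44:55"}  # constructed
    relayed = relay_discover(discover, BRANCH_LAN_IP)
    for scopes in servers:
        if scopes is None:
            continue  # unreachable server, e.g. HQ under maintenance
        reply = server_offer(scopes, relayed)
        if reply is not None:
            return reply
    return None

# HQ serving only its own LAN: a relayed branch request matches no scope.
HQ_ONLY = [make_scope("192.168.254.0/24", "192.168.254.100", "192.168.254.254", HQ_SERVER_IP)]
# HQ with an extra scope for the branch subnet, router = branch FortiGate LAN IP.
HQ_WITH_BRANCH = HQ_ONLY + [make_scope("192.168.100.0/24", "192.168.100.10",
                                       "192.168.100.200", BRANCH_LAN_IP)]
```

With only the HQ LAN scope the relayed request gets no offer at all; adding a scope for 192.168.100.0/24 makes the same request succeed, and a second server list models Jirka's two-server failover.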
    Cleyton
    New Member
    • Total Posts : 16
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/02/08 08:46:36
    • Status: offline
    Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/04/02 09:53:22 (permalink)
    0
    Very good, Jirka.
    This scenario will be suitable for me, yes.
    Because I have a headquarters with an 80E with the servers (Active Directory, DHCP, DNS and database server).
    I have 6 branches; in each branch I will put a 60E with an IPsec tunnel to be configured.
    Initially I just want to have one DHCP server running at the head office, with DHCP Relay enabled at the branch pointing to the DHCP server at the head office.
    Having analyzed your scenario, I think it would be possible to implement something similar in mine.
    Are your branch offices on the same subnet as headquarters, or are the branch offices on a different subnet?
    In the DHCP at headquarters, did you create a DHCP scope or subnet for each branch?
    Would it be possible to send a screenshot, to see how you set up your scenario?
    #18
    Cleyton
    New Member
    • Total Posts : 16
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/02/08 08:46:36
    • Status: offline
    Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/04/02 09:55:47 (permalink)
    0
    rwpatterson
    Are you suggesting that in the DHCP at headquarters I create a scope or subnet for each branch?
    #19
    Jirka
    Gold Member
    • Total Posts : 123
    • Scores: 4
    • Reward points: 0
    • Joined: 2014/07/09 11:34:53
    • Location: Czech Republic
    • Status: offline
    Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/04/02 10:04:01 (permalink)
    0
    Yes,
    Your guess is correct :)
    - each branch has its own subnet
    - the corresponding scope is created on DHCP for each branch - see screenshot
    - IPsec on branches is built with 0.0.0.0/0, i.e. all branch traffic is sent to HQ and managed by a central 200E (but this is not a condition)
     

     
    Jirka

    Attached Image(s)

    #20