Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networks

Cleyton
Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/04/05 13:01:48 (permalink)
Jirka
I configured my DHCP scope on Windows according to your scenario, but the branch office does not receive an IP from DHCP from headquarters.
I do not know what I'm doing wrong; the VPN IPsec between the FortiGates connects perfectly.
In Static Routes I set it up so that all branch traffic is sent to seat 0.0.0.0/0.
When creating the scope in DHCP, is it necessary to do some additional configuration?
Do I have to put the DHCP server's IP address in the branch network interface in DHCP Relay?
Do I have to configure any static route in the branch for DHCP Relay to work?
See screen capture.
 

Attached Image(s)

#21
Jirka
Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/04/06 08:59:58 (permalink)
Hi,
If you have an IPsec with a default routing of 0.0.0.0/0, does it work at the Internet-site through FortiGate at HQ?
My route configuration is:

config router static
    edit 1
        set status enable
        set dst 0.0.0.0 0.0.0.0
        set gateway 193.86.xxx.xxx
        set distance 10
        set weight 0
        set priority 0
        set device "wan1"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set virtual-wan-link disable
        set dstaddr ''
        unset internet-service
        set internet-service-custom ''
        set link-monitor-exempt disable
        set bfd disable
    next
    edit 2
        set status enable
        set dst 0.0.0.0 0.0.0.0
        set distance 10
        set weight 0
        set priority 20
        set device "IPsec-HQ"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set dstaddr "0.0.0.0/0"
        set link-monitor-exempt disable
        set bfd disable
    next
    edit 3
        set status enable
        set dst 0.0.0.0 0.0.0.0
        set distance 254
        set weight 0
        set priority 0
        set comment ''
        set blackhole enable
        set dstaddr "0.0.0.0/0"
        set link-monitor-exempt disable
        set vrf 0
    next
    edit 4
        set status enable
        set dst 172.16.1.0 255.255.255.248 (first DHCP server)
        set distance 10
        set weight 0
        set priority 9
        set device "IPsec-HQ"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set virtual-wan-link disable
        set link-monitor-exempt disable
        set bfd disable
    next
    edit 5
        set status enable
        set dst 172.27.1.0 255.255.255.248 (second DHCP server)
        set distance 10
        set weight 0
        set priority 9
        set device "IPsec-HQ"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set virtual-wan-link disable
        set link-monitor-exempt disable
        set bfd disable
    next
end

 
Policy Routing (I need to use it because I have other networks behind FGT on the branch that I NATed directly into WAN).
 
config router policy
    edit 1
        set input-device "Branch-LAN"
        set srcaddr "172.17.5.0/24l"
        set src-negate disable
        set dstaddr "all"
        set dst-negate disable
        set action permit
        set protocol 0
        set gateway 0.0.0.0
        set output-device "IPsec-HQ"
        set tos 0x00
        set tos-mask 0x00
        set status enable
        set comments ''
    next
end

 
And DHCP Relay on LAN interface:
 
config system interface
    edit "Branch-LAN"
        set vdom "root"
        set vrf 0
        set mode static
        set dhcp-relay-service enable
        set ip 172.17.5.1 255.255.255.0
        set dhcp-relay-ip "172.16.1.2" "172.27.1.2"
        set dhcp-relay-type regular
    next
end

 
Also, the policy must be set correctly.
post edited by Jirka - 2019/04/06 09:01:12
#22
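Added example, not part of the posts above and not Fortinet tooling: a small Python check that parses a `config router static` block and reports whether each `dhcp-relay-ip` target would leave through the tunnel device rather than the WAN. The helper names, the default distance/priority values and the trimmed sample are assumptions; selection order is modelled as longest prefix, then lowest distance, then lowest priority.

```python
import ipaddress
import re

# Constructed sample trimmed from the routes quoted above; edit 5 is omitted to show the failure case.
SAMPLE = """
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set priority 0
        set device "wan1"
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set priority 20
        set device "IPsec-HQ"
    next
    edit 4
        set dst 172.16.1.0 255.255.255.248
        set priority 9
        set device "IPsec-HQ"
    next
end
"""
RELAY_IPS = ["172.16.1.2", "172.27.1.2"]  # from 'set dhcp-relay-ip' in the post

def parse_static_routes(text):
    routes = []
    for body in re.findall(r"^\s*edit \d+\n(.*?)^\s*next", text, re.S | re.M):
        kv = dict(re.findall(r"^\s*set (\S+) (.+?)\s*$", body, re.M))
        if "dst" not in kv or kv.get("status") == "disable":
            continue
        blackhole = kv.get("blackhole") == "enable"
        routes.append({
            "net": ipaddress.ip_network("/".join(kv["dst"].split())),
            "distance": int(kv.get("distance", 10)),  # assumed defaults
            "priority": int(kv.get("priority", 0)),
            "device": "blackhole" if blackhole else kv.get("device", "").strip('"'),
        })
    return routes

def egress_device(routes, ip):
    """Longest prefix wins, then lowest distance, then lowest priority."""
    hits = [r for r in routes if ipaddress.ip_address(ip) in r["net"]]
    best = min(hits, key=lambda r: (-r["net"].prefixlen, r["distance"], r["priority"]), default=None)
    return best["device"] if best else None

def relay_report(text, relay_ips, tunnel="IPsec-HQ"):
    """Map each relay target to True if its best route leaves via the tunnel."""
    routes = parse_static_routes(text)
    return {ip: egress_device(routes, ip) == tunnel for ip in relay_ips}
```

With the sample as given, `relay_report(SAMPLE, RELAY_IPS)` marks 172.27.1.2 as not using the tunnel, because without its /29 route the relayed request follows the lower-priority-value default route out of `wan1`.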
Cleyton
New Member
  • Total Posts : 16
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/02/08 08:46:36
  • Status: offline
Re: Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networ 2019/07/11 13:50:50 (permalink)
Dear Jirka,

I am very grateful for the help; I carried out the indicated procedures and it works perfectly.
But I am trying to direct all of the branch's Internet traffic into the VPN tunnel and have it leave through the HQ's WAN; is it possible to do this configuration?
I tried several static routes and policy routes, and I succeeded.
Is your scenario like this? Does all Internet traffic coming from your branches go through the tunnel?
#23