Using DHCP with a Cisco VPN concentrator

Patrick Topping patrick.topping at hypermediasystems.com
Sat Jun 17 20:18:01 UTC 2006


I have tried with and without the network scope in the concentrator.
Without the network scope I see the relay agent IP address as 10.6.1.122
which is the PRIVATE interface on the concentrator.  With the network
scope configured for the group in the concentrator the relay agent IP
address changes to the network scope.  Snippets from the sniffer traces
below:

Without network scope:

Relay agent IP address: 10.6.1.122 (10.6.1.122)
Option 53: DHCP Message Type = DHCP Discover

With network scope:

Relay agent IP address: 10.20.5.0 (10.20.5.0)
Option 53: DHCP Message Type = DHCP Discover

If I understand you correctly, the network scope should be a routable
address back to the concentrator.  What I don't get is what the IP
address should be.  I was testing with scope 10.20.5.0 and that is what
the concentrator was sending to the DHCP server as a relay agent IP
address.  The only other address on the concentrator that is on the
internal network is the PRIVATE interface of 10.6.1.122.  The
implementation of how Cisco does DHCP on their concentrator leaves a lot
to be desired.  What have others used in the past besides DHCP?

-Patrick




On Sat, 2006-06-17 at 13:54 -0400, Karl Mueller wrote:

> From what I've seen the cisco/altiga vpn concentrator will use whatever you
> fill-in for the DHCP Network Scope in the Group configuration, under the
> General tab for a proxy agent IP. If this isn't filled-in, the conc will use
> the IP of the inside interface, which may not be what you want.
> If your concentrator's on a different subnet than the DHCP server, be sure
> to fill out the DHCP network scope in the group's config with a different,
> routable IP address for each concentrator, since the DHCP server will try to
> unicast a response back to the IP of the proxy agent (the IP you filled in
> under DHCP network scope) rather than the IP of the concentrator itself (I
> think this is broken behavior on the concentrator's side, rather than the
> DHCP server's)
>
> These concentrators have lots of quirks like that (like a semi-broken OSPF
> implementation).
>
> Cheers,
>
> Karl
>
>
> On 6/17/06, John Hascall <john at iastate.edu> wrote:
> >
> >
> > > I have been trying to get DHCP set up for (2) Cisco 3030 VPN
> > > concentrators.  I have confirmed that the configuration on the devices
> > > is correct but I am still not able to get an address from the DHCP
> > > server.  I think the issue may be how the DHCP address is being
> > > requested.  The VPN clients are all on Windows XP and running the Cisco
> > > VPN client.  Below is what I am seeing on the DHCP server when the
> > > request is being relayed via the VPN concentrator:
> > >
> > > Jun 16 19:03:05 scratchy dhcpd: DHCPDISCOVER from 00:03:a0:89:22:43 via
> > > 10.6.1.122: unknown network segment
> >   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > > I think the problem is the multiple DHCPDISCOVER requests coming from
> > > the concentrator / VPN client.  Below is a section from a Microsoft
> > > support site:   ...
> >
> >     I strongly doubt this has anything to do with your problem.
> >
> >     The error message you are getting says that your DHCP server
> >     knows nothing about 10.6.1.122 -- the address the requests
> >     are coming from (which is presumably your VPN Conc).
> >
> >     You need to have an appropriate subnet definition in
> >     your dhcpd.conf file which includes that address.
> >     I do not know what your subnet mask is, but perhaps
> >     one of these:
> >
> >          subnet 10.6.1.0 netmask 255.255.255.0 {
> >          }
> >     or:
> >          subnet 10.6.0.0 netmask 255.255.0.0 {
> >          }
> >     or:
> >          subnet 10.0.0.0 netmask 255.0.0.0 {
> >          }
> >
> > John
> >
> >
>
>
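The two mechanisms the thread turns on, as an added example that is not part of any message above: a relayed DHCPDISCOVER carries the relay agent address in the giaddr field, dhcpd picks the subnet declaration that contains giaddr (no match gives John's "unknown network segment"), and the server then unicasts its reply to giaddr, which is why Karl says the network scope must be a routable address rather than a network number like 10.20.5.0. The packet, MAC and subnet list are constructed for the example.

```python
import ipaddress
import struct

# Constructed dhcpd.conf-style subnet declarations: the /24 John suggested
# for the concentrator's PRIVATE interface, plus one covering the scope.
DHCPD_SUBNETS = [("10.6.1.0", "255.255.255.0"), ("10.20.5.0", "255.255.255.0")]
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def build_discover(giaddr: str, mac: bytes) -> bytes:
    """Constructed DHCPDISCOVER with the relay agent field (giaddr) set."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 1, 0x3903F326, 0, 0x8000)  # op..flags
    hdr += b"\x00" * 12 + ipaddress.IPv4Address(giaddr).packed  # ciaddr/yiaddr/siaddr, giaddr
    hdr += mac.ljust(16, b"\x00") + b"\x00" * 192  # chaddr, sname, file
    return hdr + MAGIC_COOKIE + bytes([53, 1, 1, 255])  # option 53 = DISCOVER, End

def parse_discover(pkt: bytes) -> dict:
    """Return giaddr and the option-53 message type from a raw DHCP message."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:  # walk TLV options until End
        if pkt[i] == 0:  # Pad
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"giaddr": str(ipaddress.IPv4Address(pkt[24:28])),
            "msg_type": opts.get(53, b"\x00")[0]}

def select_subnet(giaddr: str, subnets):
    """Relayed requests are matched on giaddr; no match is dhcpd's
    'unknown network segment'. Returns the matched network as a string."""
    addr = ipaddress.IPv4Address(giaddr)
    if int(addr) == 0:
        return None  # not relayed; dhcpd would use the receiving interface
    for net, mask in subnets:
        n = ipaddress.IPv4Network(f"{net}/{mask}")
        if addr in n:
            return str(n)
    return None

def relay_reply_ok(giaddr: str, subnets) -> bool:
    """The server unicasts its reply to giaddr, so giaddr must also be a
    host address in the matched subnet, not the network or broadcast address."""
    match = select_subnet(giaddr, subnets)
    if match is None:
        return False
    n = ipaddress.IPv4Network(match)
    addr = ipaddress.IPv4Address(giaddr)
    return addr not in (n.network_address, n.broadcast_address)
```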