Using DHCP with a Cisco VPN concentrator

Patrick Topping patrick.topping at hypermediasystems.com
Mon Jun 19 18:21:50 UTC 2006


Karl,

I appreciate your help on this.  The way Cisco is doing DHCP is a
freakin' mess.  I cannot believe that the concentrator does not forward
the client's MAC address to the DHCP server and that it does not set the
relay agent IP address to its PRIVATE interface.

Let me explain what I am trying to accomplish.  I would like to see if
you are doing the same thing and what your working configuration may be.
We would like to start setting up address ranges per group.  We would
then like to start restricting network access based on those user
groups' pre-assigned network ranges.  That would be step one.  The next
step would most likely involve an application like Cisco ACS.  What we
would then like to do is add on hosts based restriction per TCP/UDP
port.  I am sure that Cisco ACS is capable of this but have not tested
it to be sure.

So that is the 50,000 foot view of what I am trying to accomplish.  Are
you doing anything similar and if so, how are you accomplishing it?
Thanks.

-Patrick

----------------------

On Sat, 2006-06-17 at 23:39 -0400, Karl Mueller wrote:

> I agree, the (Altiga) is pretty clumsy at DHCP. The workaround I did was to
> put an IP, rather than a network address in the network scope address. In
> your case, put 10.20.5.10 (or another unused IP in that range), then set a
> host (/32) route in the router between the concentrator and DHCP server for
> that IP, pointing to the IP of the VPN concentrator's private interface as
> the next hop.
> In this case, you'd do something like "ip route 10.20.5.10 255.255.255.255
> 10.6.1.122" in the router that's directly connected to the concentrator's
> private interface (doesn't work with an interface route, the concentrator
> doesn't actually answer arp queries for the IP, but for some reason it does
> accept the packet). Also note that you need to use a different IP address
> for each concentrator, so use 10.20.5.11 for your secondary conc and set
> another /32 route pointing to his private interface as the next hop.
>
> This works, but it's a terrible hack, but it does allow you to have one pool
> for both concentrators, assuming you're using reverse route injection (and
> if you are, you could actually set a holddown route for the IP you put in
> the network scope address and have the concentrator inject it for you,
> rather than using a static route on the router)
>
> If you want to discuss further, we should probably take this off-list since
> it's not technically ISC-dhcpd related :)
>
> -Karl
>
> On 6/17/06, Patrick Topping <patrick.topping at hypermediasystems.com> wrote:
> >
> > I have tried with and without the network scope in the concentrator.
> > Without the network scope I see the relay agent IP address as 10.6.1.122
> > which is the PRIVATE interface on the concentrator.  With the network
> > scope configured for the group in the concentrator the relay agent IP
> > address changes to the network scope.  Snippets from the sniffer traces
> > below:
> >
> > Without network scope:
> >
> > Relay agent IP address: 10.6.1.122 (10.6.1.122)
> > Option 53: DHCP Message Type = DHCP Discover
> >
> > With network scope:
> >
> > Relay agent IP address: 10.20.5.0 (10.20.5.0)
> > Option 53: DHCP Message Type = DHCP Discover
> >
> > If I understand you correctly, the network scope should be a routable
> > address back to the concentrator.  What I don't get is what the IP
> > address should be.  I was testing with scope 10.20.5.0 and that is what
> > the concentrator was sending to the DHCP server as a relay agent IP
> > address.  The only other address on the concentrator that is on the
> > internal network is the PRIVATE interface of 10.6.1.122.  The
> > implementation of how Cisco does DHCP on their concentrator leaves a lot
> > to be desired.  What have others used in the past besides DHCP?
> >
> > -Patrick
> >
> > On Sat, 2006-06-17 at 13:54 -0400, Karl Mueller wrote:
> >
> > > From what I've seen the cisco/altiga vpn concentrator will use whatever you
> > > fill-in for the DHCP Network Scope in the Group configuration, under the
> > > General tab for a proxy agent IP. If this isn't filled-in, the conc will use
> > > the IP of the inside interface, which may not be what you want.
> > > If your concentrator's on a different subnet than the DHCP server, be sure
> > > to fill-out the DHCP network scope in the group's config with a different,
> > > routable IP address for each concentrator, since the DHCP server will try to
> > > unicast a response back to the IP of the proxy agent (the IP you filled-in
> > > under DHCP network scope) rather than the IP of the concentrator itself (I
> > > think this is broken behavior on the concentrator's side, rather than the
> > > DHCP server's)
> > >
> > > These concentrators have lots of quirks like that (like a semi-broken OSPF
> > > implementation).
> > >
> > > Cheers,
> > >
> > > Karl
> > >
> > > On 6/17/06, John Hascall <john at iastate.edu> wrote:
> > > >
> > > > > I have been trying to get DHCP set up for (2) Cisco 3030 VPN
> > > > > concentrators.  I have confirmed that the configuration on the devices
> > > > > is correct but I am still not able to get an address from the DHCP
> > > > > server.  I think the issue may be how the DHCP address is being
> > > > > requested.  The VPN clients are all on Windows XP and running the Cisco
> > > > > VPN client.  Below is what I am seeing on the DHCP server when the
> > > > > request is being relayed via the VPN concentrator:
> > > > >
> > > > > Jun 16 19:03:05 scratchy dhcpd: DHCPDISCOVER from 00:03:a0:89:22:43 via
> > > > > 10.6.1.122: unknown network segment
> > > >   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > >
> > > > > I think the problem is the multiple DHCPDISCOVER requests coming from
> > > > > the concentrator / VPN client.  Below is a section from a Microsoft
> > > > > support site:   ...
> > > >
> > > >     I strongly doubt this has anything to do with your problem.
> > > >
> > > >     The error message you are getting says that your DHCP server
> > > >     knows nothing about 10.6.1.122 -- the address the requests
> > > >     are coming from (which is presumably your VPN Conc).
> > > >
> > > >     You need to have an appropriate subnet definition in
> > > >     your dhcpd.conf file which includes that address.
> > > >     I do not know what your subnet mask is, but perhaps
> > > >     one of these:
> > > >
> > > >          subnet 10.6.1.0 netmask 255.255.255.0 {
> > > >          }
> > > >     or:
> > > >          subnet 10.6.0.0 netmask 255.255.0.0 {
> > > >          }
> > > >     or:
> > > >          subnet 10.0.0.0 netmask 255.0.0.0 {
> > > >          }
> > > >
> > > > John
> > > >
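The two server-side facts the replies turn on can be seen in a few lines of code: dhcpd matches a relayed request to a subnet by the relay agent IP (giaddr) the request carries, which is why John's "unknown network segment" shows up when no subnet definition covers 10.6.1.122, and it unicasts its reply to that same giaddr, which is why Karl wants a host address with a route back to the concentrator rather than the 10.20.5.0 network address Patrick saw in his trace. The Python below is an added example, not code from ISC dhcpd or from anyone in the thread; the packet builder, the parser, the segment lookup and the reply-destination check are this example's own approximation of that behaviour. The addresses and MAC come from the thread's log and sniffer output; the transaction id is made up.

```python
"""Relay-agent address (giaddr) handling, mirroring the dhcpd log lines in the thread.

Added example; not code from ISC dhcpd or from any poster. The packet builder,
segment lookup and sanity check are this example's own.
"""
import ipaddress
import struct
from typing import Dict, List, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
                 4: "DHCPDECLINE", 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE"}


def build_discover(giaddr: str, chaddr: str, xid: int = 0x3903F326) -> bytes:
    """Build a constructed DHCPDISCOVER as a relay agent would forward it.

    giaddr is the relay agent IP the concentrator fills in; chaddr is the
    client hardware address. The default xid is a made-up value.
    """
    mac = bytes.fromhex(chaddr.replace(":", ""))
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6,                             # op=BOOTREQUEST, htype=Ethernet, hlen=6
        1,                                   # hops: a relay agent increments this
        xid,
        0, 0x8000,                           # secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,     # ciaddr, yiaddr, siaddr all zero
        ipaddress.IPv4Address(giaddr).packed,  # giaddr: relay agent IP
        mac,                                 # chaddr, zero-padded to 16 bytes by struct
        b"\0" * 64, b"\0" * 128,             # sname, file
    )
    options = MAGIC_COOKIE + b"\x35\x01\x01" + b"\xff"  # option 53 = DISCOVER, then end
    return header + options


def parse_packet(packet: bytes) -> dict:
    """Extract the fields a relay-aware DHCP server looks at first."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen, hops = packet[2], packet[3]
    giaddr = str(ipaddress.IPv4Address(packet[24:28]))
    chaddr = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option carries no length byte
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(53, b"\0")[0]
    return {"hops": hops, "giaddr": giaddr, "chaddr": chaddr,
            "message_type": MESSAGE_TYPES.get(msg_type, "unknown"), "options": options}


def find_segment(giaddr: str, subnets: List[str]) -> Optional[str]:
    """Pick the configured subnet containing the relay agent address.

    A relayed request is matched to a subnet by giaddr, not by the client's
    MAC; no match is what the "unknown network segment" log line reports.
    """
    addr = ipaddress.IPv4Address(giaddr)
    if int(addr) == 0:
        return None  # not relayed; a server would use the receiving interface's subnet
    for net in subnets:
        if addr in ipaddress.ip_network(net):
            return net
    return None


def server_log_line(packet: bytes, subnets: List[str]) -> str:
    """Render the decision in the shape of the dhcpd log line from the thread."""
    p = parse_packet(packet)
    seg = find_segment(p["giaddr"], subnets)
    if seg is None:
        return f"{p['message_type']} from {p['chaddr']} via {p['giaddr']}: unknown network segment"
    return f"{p['message_type']} from {p['chaddr']} via {p['giaddr']} (segment {seg})"


def reply_destination_warning(giaddr: str, subnet: str) -> Optional[str]:
    """Flag a giaddr the server cannot unicast its OFFER to.

    A network or broadcast address (such as 10.20.5.0 taken from the
    network-scope field) is not a host a router can deliver to.
    """
    addr = ipaddress.IPv4Address(giaddr)
    net = ipaddress.ip_network(subnet)
    if addr in (net.network_address, net.broadcast_address):
        return f"giaddr {giaddr} is the network or broadcast address of {subnet}; unicast reply cannot be delivered"
    return None


if __name__ == "__main__":
    pkt = build_discover("10.6.1.122", "00:03:a0:89:22:43")
    print(server_log_line(pkt, ["10.20.5.0/24"]))                 # no subnet covers giaddr
    print(server_log_line(pkt, ["10.6.1.0/24", "10.20.5.0/24"]))  # matched once 10.6.1.0/24 is defined
    print(reply_destination_warning("10.20.5.0", "10.20.5.0/24"))
    print(reply_destination_warning("10.20.5.10", "10.20.5.0/24"))
```

Run it as a script to see the first log line reproduce John's "unknown network segment" and the second succeed once a subnet covering 10.6.1.122 is present; the warning on 10.20.5.0 versus 10.20.5.10 is the check behind Karl's advice to put a host address, not the network address, in the network-scope field.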




