Using DHCP with a Cisco VPN concentrator

Karl Mueller ewiley at gmail.com
Sun Jun 18 03:39:36 UTC 2006


I agree, the (Altiga) is pretty clumsy at DHCP. The workaround I did was to
put an IP, rather than a network address in the network scope address. In
your case, put 10.20.5.10 (or another unused IP in that range), then set a
host (/32) route in the router between the concentrator and DHCP server for
that IP, pointing to the IP of the VPN concentrator's private interface as
the next hop.
In this case, you'd do something like "ip route 10.20.5.10 255.255.255.255
10.6.1.122" in the router that's directly connected to the concentrator's
private interface (doesn't work with an interface route, the concentrator
doesn't actually answer arp queries for the IP, but for some reason it does
accept the packet). Also note that you need to use a different IP address
for each concentrator, so use 10.20.5.11 for your secondary conc and set
another /32 route pointing to his private interface as the next hop.

This works, but it's a terrible hack. It does allow you to have one pool
for both concentrators, assuming you're using reverse route injection (and
if you are, you could actually set a holddown route for the IP you put in
the network scope address and have the concentrator inject it for you,
rather than using a static route on the router).

If you want to discuss further, we should probably take this off-list since
it's not technically ISC-dhcpd related :)

-Karl

On 6/17/06, Patrick Topping <patrick.topping at hypermediasystems.com> wrote:
>
> I have tried with and without the network scope in the concentrator.
> Without the network scope I see the relay agent IP address as 10.6.1.122
> which is the PRIVATE interface on the concentrator.  With the network
> scope configured for the group in the concentrator the relay agent IP
> address changes to the network scope.  Snippets from the sniffer traces
> below:
>
> Without network scope:
>
> Relay agent IP address: 10.6.1.122 (10.6.1.122)
> Option 53: DHCP Message Type = DHCP Discover
>
> With network scope:
>
> Relay agent IP address: 10.20.5.0 (10.20.5.0)
> Option 53: DHCP Message Type = DHCP Discover
>
> If I understand you correctly, the network scope should be a routable
> address back to the concentrator.  What I don't get is what the IP
> address should be.  I was testing with scope 10.20.5.0 and that is what
> the concentrator was sending to the DHCP server as a relay agent IP
> address.  The only other address on the concentrator that is on the
> internal network is the PRIVATE interface of 10.6.1.122.  The
> implementation of how Cisco does DHCP on their concentrator leaves a lot
> to be desired.  What have others used in the past besides DHCP?
>
> -Patrick
>
> On Sat, 2006-06-17 at 13:54 -0400, Karl Mueller wrote:
>
> > From what I've seen the cisco/altiga vpn concentrator will use whatever you
> > fill-in for the DHCP Network Scope in the Group configuration, under the
> > General tab for a proxy agent IP. If this isn't filled-in, the conc will use
> > the IP of the inside interface, which may not be what you want.
> > If your concentrator's on a different subnet than the DHCP server, be sure
> > to fill-out the DHCP network scope with a different in the group's config,
> > routable IP address for each concentrator, since the DHCP server will try to
> > unicast a response back to the IP of the proxy agent (the IP you filled-in
> > under DHCP network scope) rather than the IP of the concentrator itself (I
> > think this is broken behavior on the concentrator's side, rather than the
> > DHCP server's)
> >
> > These concentrators have lots of quirks like that (like a semi-broken OSPF
> > implementation).
> >
> > Cheers,
> >
> > Karl
> >
> >
> > On 6/17/06, John Hascall <john at iastate.edu> wrote:
> > >
> > >
> > > > I have been trying to get DHCP set up for (2) Cisco 3030 VPN
> > > > concentrators.  I have confirmed that the configuration on the devices
> > > > is correct but I am still not able to get an address from the DHCP
> > > > server.  I think the issue may be how the DHCP address is being
> > > > requested.  The VPN clients are all on Windows XP and running the Cisco
> > > > VPN client.  Below is what I am seeing on the DHCP server when the
> > > > request is being relayed via the VPN concentrator:
> > > >
> > > > Jun 16 19:03:05 scratchy dhcpd: DHCPDISCOVER from 00:03:a0:89:22:43 via
> > > > 10.6.1.122: unknown network segment
> > >   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > >
> > > > I think the problem is the multiple DHCPDISCOVER requests coming
> from
> > > > the concentrator / VPN client.  Below is a section from a Microsoft
> > > > support site:   ...
> > >
> > >     I strongly doubt this has anything to do with your problem.
> > >
> > >     The error message you are getting says that your DHCP server
> > >     knows nothing about 10.6.1.122 -- the address the requests
> > >     are coming from (which is presumably your VPN Conc).
> > >
> > >     You need to have an appropriate subnet definition in
> > >     your dhcpd.conf file which includes that address.
> > >     I do not know what your subnet mask is, but perhaps
> > >     one of these:
> > >
> > >          subnet 10.6.1.0 netmask 255.255.255.0 {
> > >          }
> > >     or:
> > >          subnet 10.6.0.0 netmask 255.255.0.0 {
> > >          }
> > >     or:
> > >          subnet 10.0.0.0 netmask 255.0.0.0 {
> > >          }
> > >
> > > John
> > >
> > >
> >
> >


-- 
Karl Mueller CCNP MCSE
Network Engineer
703 946 6638
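The two points argued in this thread, that dhcpd picks the subnet from the relay agent address (giaddr) of a relayed DHCPDISCOVER and logs "unknown network segment" when no declared subnet contains it, and that the server then unicasts its reply to that giaddr, so the address in the network scope must be routable back to the concentrator (hence the /32 host route), can be modelled in a few lines. The following is an added example, not code from the thread, from Cisco or from ISC: the packets and route tables are constructed here, the function names (build_discover, select_subnet, route_lookup and so on) are the example's own, and dhcpd's real subnet selection (shared-network handling, interface-based selection for non-relayed requests) is simplified to the single rule the thread relies on.

```python
"""Subnet selection and reply routing for a relayed DHCPDISCOVER.

Added example, not from the thread: models how an ISC-dhcpd-style server
chooses a subnet from the relay agent address (giaddr) of a relayed
DHCPDISCOVER, and how the router's route table decides whether the server's
unicast reply to that giaddr can reach the concentrator. The sample packets
and route tables are constructed here, not captured.
"""
import ipaddress
import struct
from typing import List, Optional, Tuple

# RFC 2131 fixed header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr (28 bytes), then chaddr (16), sname (64),
# file (128), then the options field starting with the magic cookie.
GIADDR_OFFSET = 24
CHADDR_OFFSET = 28
DHCP_MAGIC = b"\x63\x82\x53\x63"


def build_discover(giaddr: str, mac: str, xid: int = 0x3903F326) -> bytes:
    """Build a minimal DHCPDISCOVER as a relay agent would forward it (constructed sample)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s",
        1, 1, 6, 1,                        # BOOTREQUEST, Ethernet, hlen=6, hops=1 (relayed once)
        xid, 0, 0x8000,                    # transaction id, secs, broadcast flag
        b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr unset
        ipaddress.IPv4Address(giaddr).packed,   # giaddr = relay agent address
    )
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    sname_and_file = b"\0" * (64 + 128)
    options = DHCP_MAGIC + bytes([53, 1, 1]) + b"\xff"   # option 53 = DHCPDISCOVER, then end
    return header + chaddr + sname_and_file + options


def parse_giaddr(packet: bytes) -> str:
    """Relay agent IP address field (the value the sniffer traces above show)."""
    if len(packet) < CHADDR_OFFSET:
        raise ValueError("truncated DHCP header")
    return str(ipaddress.IPv4Address(packet[GIADDR_OFFSET:CHADDR_OFFSET]))


def parse_chaddr(packet: bytes) -> str:
    """Client hardware address, formatted the way dhcpd logs it."""
    hlen = packet[2]
    raw = packet[CHADDR_OFFSET:CHADDR_OFFSET + hlen]
    return ":".join(f"{b:02x}" for b in raw)


def select_subnet(giaddr: str, subnets: List[str]) -> Optional[str]:
    """Pick the declared subnet containing giaddr, as dhcpd does for relayed
    requests. A zero giaddr means the request was not relayed; a real server
    would then use the subnet of the receiving interface instead."""
    addr = ipaddress.IPv4Address(giaddr)
    if addr.is_unspecified:
        return None
    for declared in subnets:
        if addr in ipaddress.ip_network(declared):
            return declared
    return None


def server_log_line(packet: bytes, subnets: List[str]) -> str:
    """Reproduce the dhcpd log line for a relayed DHCPDISCOVER."""
    giaddr = parse_giaddr(packet)
    mac = parse_chaddr(packet)
    chosen = select_subnet(giaddr, subnets)
    if chosen is None:
        return f"DHCPDISCOVER from {mac} via {giaddr}: unknown network segment"
    return f"DHCPDISCOVER from {mac} via {giaddr}: serving from subnet {chosen}"


def route_lookup(dst: str, routes: List[Tuple[str, str]]) -> Optional[str]:
    """Longest-prefix match over (prefix, next_hop): the decision the router
    makes when the server unicasts its DHCPOFFER back to giaddr."""
    addr = ipaddress.IPv4Address(dst)
    best_len, best_hop = -1, None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, next_hop
    return best_hop


if __name__ == "__main__":
    pool = ["10.20.5.0/24"]          # only the VPN client pool is declared on the server
    mac = "00:03:a0:89:22:43"
    # No network scope set: giaddr is the private interface, outside every declared subnet
    print(server_log_line(build_discover("10.6.1.122", mac), pool))
    # Network scope set to a host address inside the pool, as in the workaround above
    print(server_log_line(build_discover("10.20.5.10", mac), pool))
    # Router between server and concentrator: connected LAN plus the /32 host route
    routes = [("10.6.1.0/24", "connected"), ("10.20.5.10/32", "10.6.1.122")]
    for giaddr in ("10.20.5.0", "10.20.5.10"):
        print(f"reply to {giaddr} -> next hop {route_lookup(giaddr, routes)}")
```

Running it shows both halves of the problem: with giaddr 10.6.1.122 and only the 10.20.5.0/24 pool declared, the server logs the same "unknown network segment" line as in the original post; with giaddr 10.20.5.0 (the network address) the server finds the subnet, but the router has no route to that address, so the reply goes nowhere, whereas 10.20.5.10 with its /32 pointing at the concentrator's private interface resolves to a next hop.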



