Knowledge Search


×
 

[SRX] Enable DHCP/BOOTP Relay packets to be sent across an IPsec VPN tunnel

  [KB20944] Show Article Properties


Summary:
This article describes the required configuration to enable the SRX services gateway to send DHCP relay packets via an IPSec VPN tunnel.
Symptoms:
In certain scenarios, it might be required to send DHCP packets via an IPsec VPN tunnel. The DHCP server on the other side of the tunnel will then assign an IP address to the requester. By default, the SRX services gateway does not forward DHCP packets via IPsec tunnels. The configuration applies to the following Junos platforms and only route-based VPNs are supported. This scenario will not work for policy-based VPNs:
  • SRX100
  • SRX110
  • SRX210
  • SRX220
  • SRX240
  • SRX300
  • SRX320
  • SRX340
  • SRX345
  • SRX550
  • SRX550 HM
  • SRX650
Solution:

Configuration

The following example will configure a SRX device as a relay agent to forward incoming requests from BOOTP or DHCP clients to a BOOTP or DHCP server.  In this example, the DHCP server IP address is 192.168.1.2 and the VPN external interface is st0.0.
user@host# set forwarding-options helpers bootp relay-agent-option
user@host# set forwarding-options helpers bootp server 192.168.1.2
user@host# set forwarding-options helpers bootp maximum-hop-count 4
user@host# set forwarding-options helpers bootp minimum-wait-time 1
user@host# set forwarding-options helpers bootp vpn
user@host# set forwarding-options helpers bootp interface ge-0/0/0.0
(specify the incoming BOOTP or DHCP request forwarding interface as ge-0/0/0)
Specify DHCP as an allowed inbound service for the interfaces that are associated with DHCP:
user@host# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp

user@host# show forwarding-options
forwarding-options {
    helpers {
        bootp {
            relay-agent-option;
            server 192.168.1.1;
            maximum-hop-count 5;
            minimum-wait-time 2;
            vpn;
            interface {
                ge-0/0/0.0;
            }
        }
     }
 }
Verification:

To verify the DHCP relay configuration, use the following operational mode command:
user@host> show system services dhcp relay-statistics
Modification History:
2019-06-17: Product list updated.
Related Links: