Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] Enable DHCP/BOOTP Relay packets to be sent across an IPsec VPN tunnel

0

0

Article ID: KB20944 KB Last Updated: 12 Jul 2019Version: 5.0
Summary:
This article describes the required configuration to enable the SRX services gateway to send DHCP relay packets via an IPSec VPN tunnel.
Symptoms:
In certain scenarios, it might be required to send DHCP packets via an IPsec VPN tunnel. The DHCP server on the other side of the tunnel will then assign an IP address to the requester. By default, the SRX services gateway does not forward DHCP packets via IPsec tunnels. The configuration applies to the following Junos platforms and only route-based VPNs are supported. This scenario will not work for policy-based VPNs:
  • SRX100
  • SRX110
  • SRX210
  • SRX220
  • SRX240
  • SRX300
  • SRX320
  • SRX340
  • SRX345
  • SRX550
  • SRX550 HM
  • SRX650
Solution:

Configuration

The following example will configure a SRX device as a relay agent to forward incoming requests from BOOTP or DHCP clients to a BOOTP or DHCP server.  In this example, the DHCP server IP address is 192.168.1.2 and the VPN external interface is st0.0.
user@host# set forwarding-options helpers bootp relay-agent-option
user@host# set forwarding-options helpers bootp server 192.168.1.2
user@host# set forwarding-options helpers bootp maximum-hop-count 4
user@host# set forwarding-options helpers bootp minimum-wait-time 1
user@host# set forwarding-options helpers bootp vpn
user@host# set forwarding-options helpers bootp interface ge-0/0/0.0
(specify the incoming BOOTP or DHCP request forwarding interface as ge-0/0/0)
Specify DHCP as an allowed inbound service for the interfaces that are associated with DHCP:
user@host# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp

user@host# show forwarding-options
forwarding-options {
    helpers {
        bootp {
            relay-agent-option;
            server 192.168.1.1;
            maximum-hop-count 5;
            minimum-wait-time 2;
            vpn;
            interface {
                ge-0/0/0.0;
            }
        }
     }
 }
Verification:

To verify the DHCP relay configuration, use the following operational mode command:
user@host> show system services dhcp relay-statistics
Modification History:
2019-06-17: Product list updated.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search