[SRX] Configuration Example - DHCP across an IPsec VPN tunnel

Article ID: KB23914 | KB Last Updated: 24 Feb 2020 | Version: 2.0
Summary:

Configuration Example - DHCP across an IPsec VPN tunnel

Symptoms:

This article covers the scenario in which the DHCP client and the DHCP server sit at opposite ends of an IPsec VPN tunnel. With the configuration below, the server assigns the client an address across the tunnel.

Solution:

Requirements for this scenario:

  1. Only route-based VPNs are supported; this scenario does not work with policy-based VPNs. The relayed request is generated by the firewall itself and reaches the tunnel only because the route to the DHCP server points at the st0 tunnel interface, which a policy-based VPN does not have.
  2. The firewall connected to the DHCP client must act as a DHCP relay agent, so that the client's broadcast DHCPDISCOVER/DHCPREQUEST is forwarded as a unicast to the server's address across the tunnel. The broadcast itself has no route and would never enter the tunnel.

In this example an SRX is used as the DHCP server and another as the DHCP client, with two SRX firewalls terminating the tunnel between them. The configuration of each device follows. The zone and policy settings shown (host-inbound-traffic system-services all on all interfaces, and a permit-all default policy) are lab-minimal; in production restrict them to what each interface actually needs, for example ike on the external interface and dhcp on the interfaces that receive DHCP traffic.
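The relay requirement above, as an added example that is not part of the article and is not Junos code: a Python model of the exchange using the article's addresses. build and parse implement the RFC 2131 message format; relay_to_server does what the helpers bootp stanza does on the relay (fills giaddr with the client-facing interface address 192.168.1.1, adds the option 82 relay agent information that relay-agent-option enables, and routes the resulting unicast to 10.10.10.2, which the static route sends to st0.0); server_offer does what the server does (selects the pool from giaddr, which is why the server's pool is 192.168.1.0/24 although the server itself sits on 10.10.10.0/24); relay_to_client strips option 82 again before the OFFER goes back onto the client LAN. The route table, pool, interface names, client MAC and all function names are this example's own constructions.

```python
# Constructed example: RFC 2131 builder/parser plus a relay and a server
# with the article's addresses. Not Junos code; every table is made up here.
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"                      # RFC 2132 options cookie
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_ROUTER, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 3, 53, 82, 255
HDR = "!BBBBIHH4s4s4s4s16s64s128s"               # 236-byte fixed BOOTP header
ZERO = b"\0\0\0\0"

def build(op, xid, chaddr, options, giaddr="0.0.0.0", yiaddr="0.0.0.0", hops=0):
    """Serialise a DHCP message; flags=0x8000 asks for broadcast replies."""
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, 0x8000, ZERO,
                      ipaddress.ip_address(yiaddr).packed, ZERO,
                      ipaddress.ip_address(giaddr).packed, chaddr.ljust(16, b"\0"), b"", b"")
    opts = b"".join(bytes([c, len(v)]) + v for c, v in options)
    return hdr + MAGIC + opts + bytes([OPT_END])

def parse(pkt):
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = [], 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                          # pad option
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts.append((code, pkt[i + 2:i + 2 + ln]))
        i += 2 + ln
    return {"op": f[0], "hops": f[3], "xid": f[4], "chaddr": f[11][:f[2]],
            "yiaddr": str(ipaddress.ip_address(f[8])),
            "giaddr": str(ipaddress.ip_address(f[10])), "options": opts}

# Relay (210poe-2 in the article): its interfaces and its static route to the server.
RELAY_IFACES = {"ge-0/0/1.0": "192.168.1.1/24", "ge-0/0/0.0": "2.2.2.2/24"}
RELAY_ROUTES = {"10.10.10.0/24": "st0.0", "192.168.1.0/24": "ge-0/0/1.0",
                "2.2.2.0/24": "ge-0/0/0.0"}

def lookup(dst, routes=RELAY_ROUTES):            # longest-prefix match; None = unroutable
    d = ipaddress.ip_address(dst)
    best = max((ipaddress.ip_network(n) for n in routes if d in ipaddress.ip_network(n)),
               key=lambda n: n.prefixlen, default=None)
    return routes[str(best)] if best else None

def relay_to_server(raw, ingress, server="10.10.10.2"):
    """Rewrite the client's broadcast as a unicast to the server; return it and the egress."""
    p = parse(raw)
    giaddr = p["giaddr"] if p["giaddr"] != "0.0.0.0" else RELAY_IFACES[ingress].split("/")[0]
    circuit_id = bytes([1, len(ingress)]) + ingress.encode()   # option 82 sub-option 1
    opts = [o for o in p["options"] if o[0] != OPT_RELAY_AGENT] + [(OPT_RELAY_AGENT, circuit_id)]
    out = build(BOOTREQUEST, p["xid"], p["chaddr"], opts, giaddr=giaddr, hops=p["hops"] + 1)
    return out, lookup(server)

# Server (240-lm2 in the article): one pool, for the LAN behind the relay, not for 10.10.10.0/24.
POOLS = {"192.168.1.0/24": {"low": "192.168.1.2", "high": "192.168.1.20", "router": "192.168.1.1"}}
LEASES = {}

def server_offer(raw):
    """Select the pool from giaddr (the relay's LAN address) and answer with a DHCPOFFER."""
    p = parse(raw)
    if p["op"] != BOOTREQUEST or dict(p["options"]).get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        raise ValueError("expected DHCPDISCOVER")
    sel = ipaddress.ip_address(p["giaddr"])
    pool = next((v for n, v in POOLS.items() if sel in ipaddress.ip_network(n)), None)
    if pool is None:
        return None                              # no pool for that LAN: request is dropped
    lo, hi = int(ipaddress.ip_address(pool["low"])), int(ipaddress.ip_address(pool["high"]))
    free = (str(ipaddress.ip_address(a)) for a in range(lo, hi + 1)
            if str(ipaddress.ip_address(a)) not in LEASES.values())
    yi = LEASES[p["chaddr"]] = LEASES.get(p["chaddr"]) or next(free)
    opts = [(OPT_MSG_TYPE, bytes([DHCPOFFER])),
            (OPT_ROUTER, ipaddress.ip_address(pool["router"]).packed)]
    opts += [o for o in p["options"] if o[0] == OPT_RELAY_AGENT]   # echo option 82 (RFC 3046)
    return build(BOOTREPLY, p["xid"], p["chaddr"], opts, giaddr=p["giaddr"], yiaddr=yi, hops=p["hops"])

def relay_to_client(raw):                        # reply arrives unicast to giaddr
    p = parse(raw)
    egress = next(i for i, a in RELAY_IFACES.items()
                  if ipaddress.ip_address(p["giaddr"]) in ipaddress.ip_network(a, strict=False))
    opts = [o for o in p["options"] if o[0] != OPT_RELAY_AGENT]   # strip option 82 (RFC 3046)
    return build(BOOTREPLY, p["xid"], p["chaddr"], opts, giaddr=p["giaddr"], yiaddr=p["yiaddr"]), egress

def run_exchange(chaddr=b"\x00\x11\x22\x33\x44\x55"):
    """DISCOVER from the client LAN, through the relay and tunnel, and the OFFER back."""
    discover = build(BOOTREQUEST, 0x1234, chaddr, [(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
    req, egress = relay_to_server(discover, "ge-0/0/1.0")
    offer, back = relay_to_client(server_offer(req))
    o = parse(offer)
    return {"egress": egress, "giaddr": parse(req)["giaddr"], "yiaddr": o["yiaddr"],
            "router": str(ipaddress.ip_address(dict(o["options"])[OPT_ROUTER])),
            "back": back, "option82_stripped": OPT_RELAY_AGENT not in dict(o["options"])}
```

run_exchange() returns the egress chosen for the relayed request (st0.0), the giaddr the server saw, the offered address from the 192.168.1.0/24 pool and the router option (192.168.1.1). lookup("255.255.255.255") returns None, which is the whole reason the relay is required: the client's broadcast has no route and never enters the tunnel, while the relay's unicast to 10.10.10.2 does. A request whose giaddr falls outside every pool gets no answer, which is what you see on the server side when the relay's client-facing address and the server's pool do not match.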


DHCP client

Below is the minimum configuration on the DHCP client (here an SRX or J-Series device, obtaining its ge-0/0/0.0 address by DHCP):

system {
    host-name 6350-2;
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
}
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                all;
            }
        }
    }
}

DHCP Relay Agent

The firewall connected to the client acts as the DHCP relay agent; in this example an SRX210 is used. The helpers bootp stanza names the DHCP server (10.10.10.2), inserts the relay agent information option (relay-agent-option), enables relaying across the VPN (vpn) and lists the client-facing interface. The static route to 10.10.10.0/24 via st0.0 is what sends the relayed unicast into the tunnel. The ike traceoptions stanza only produces debugging output and can be removed once the tunnel is verified:

system {
    host-name 210poe-2;
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 2.2.2.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
forwarding-options {
    helpers {
        bootp {
            relay-agent-option;
            server 10.10.10.2;
            vpn;
            interface {
                ge-0/0/1.0;
            }
        }
    }
}
routing-options {
    static {
        route 10.10.10.0/24 next-hop st0.0;
    }
}
security {
    ike {
        traceoptions {
            flag all;
        }
        policy ike_policy {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
        }
        gateway ike_gateway {
            ike-policy ike_policy;
            address 2.2.2.1;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        policy ipsec_policy {
            proposal-set standard;
        }
        vpn ipsec_vpn {
            bind-interface st0.0;
            ike {
                gateway ike_gateway;
                ipsec-policy ipsec_policy;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                all;
            }
        }
    }
}

Firewall connected to server

The firewall connected to the DHCP server has an ordinary route-based VPN configuration and needs nothing DHCP-specific. Its static route to the client LAN (192.168.1.0/24) via st0.0 is what carries the server's replies, which are addressed to the relay's giaddr 192.168.1.1, back through the tunnel.

system {
    host-name 240-lm1;
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 2.2.2.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.10.10.1/24;
            }
        }
        }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 192.168.1.0/24 next-hop st0.0;
    }
}
security {
    ike {
        policy ike_policy {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
        }
        gateway ike_gateway {
            ike-policy ike_policy;
            address 2.2.2.2;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        policy ipsec-policy {
            proposal-set standard;
        }
        vpn ipsec_vpn {
            bind-interface st0.0;
            ike {
                gateway ike_gateway;
                ipsec-policy ipsec-policy;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                all;
            }
        }
    }
    policies {
        default-policy {
            permit-all;
        }
    }
}

DHCP Server

Below is the minimum configuration on the DHCP server (an SRX in this example). The pool is 192.168.1.0/24, the client LAN behind the relay, not the server's own 10.10.10.0/24 subnet: the server selects the pool from the giaddr (192.168.1.1) that the relay sets in the forwarded request. The default route via 10.10.10.1 returns the replies to the relay through the tunnel.

system {
    host-name 240-lm2;
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
    services {
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.20;
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.10.10.2/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.10.10.1;
    }
}
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                all;
            }
        }
    }
}