dhcp relay via gre over ipsec

dimitri.matata
Level 1

Hello everyone,

NOTE: I have already looked at various suggestions in the forum but nothing helped me

I’m facing an issue where the FastEthernet0/1 interface on my router (R4) is not able to obtain an IP address via DHCP. Here’s the setup:

Topology:

I have two routers connected via a GRE/IPsec tunnel.
R3 acts as the DHCP server.
R4 acts as the DHCP relay and has ip helper-address configured on FastEthernet0/1.
R4 Configuration Highlights:

FastEthernet0/1 is configured with ip address dhcp and ip helper-address pointing to the R3 Tunnel0 interface.
Tunnel0 on both routers is configured with static IPs: 10.10.10.1/30 (R3) and 10.10.10.2/30 (R4).
The DHCP server on R3 has a pool for the network 192.168.100.0/24, which is the intended network for FastEthernet0/1 on R4.
Observations:

The GRE tunnel is operational. I can ping between the tunnel interfaces (10.10.10.1 <-> 10.10.10.2) and other connected interfaces.
When I enable DHCP debug (debug dhcp detail) on R4, I see the router sending DHCP Discover packets, but it never receives a DHCP Offer.
On R3, with DHCP server debug enabled (debug ip dhcp server packets), I don’t see any packets arriving from R4.
What I’ve tried so far:

Verified that the ACLs allow UDP traffic on ports 67 and 68.
Ensured routing is configured correctly between the networks.
Tested connectivity across the tunnel with static IPs (it works).
Confirmed the DHCP pool configuration on R3.
Checked that service dhcp is enabled on R3.
Questions:

Is there any additional configuration required on R3 or R4 to make DHCP relay work over a GRE/IPsec tunnel?
Could IPsec be interfering with the forwarding of DHCP packets (e.g., ESP encapsulation)?
What additional steps can I take to troubleshoot or resolve this issue?
Any advice or guidance would be greatly appreciated. Below are the relevant configuration snippets.

[Topology diagram: gns3.png]

R3#show running-config

ip dhcp excluded-address 192.168.100.1
ip dhcp pool DHCP_TEST
   network 192.168.100.0 255.255.255.0
   dns-server 8.8.8.8
   default-router 192.168.100.1
   lease 7



crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key redhat address 192.168.1.2
!
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile naranomenuovo
 set transform-set TSET
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TSET
 match address 101
!

interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 192.168.1.2
 tunnel protection ipsec profile naranomenuovo
!

interface Serial0/0
 ip address 192.168.1.1 255.255.255.0
 clock rate 2000000
!

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 10.10.10.0 255.255.255.252 Tunnel0
ip route 192.168.100.0 255.255.255.0 10.10.10.2

access-list 101 permit gre any any
access-list 101 permit icmp any any
access-list 101 permit udp any any eq bootps
access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any


 

and R4:

R4#show running-config
Building configuration...

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key redhat address 192.168.1.1
!
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile naranomenuovo
 set transform-set TSET
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set TSET
 match address 101
!
!
!
!
interface Tunnel0
 ip address 10.10.10.2 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 192.168.1.1
 tunnel protection ipsec profile naranomenuovo
!
interface FastEthernet0/0
 ip address 200.10.10.2 255.255.255.0
 duplex auto
 speed auto
 crypto map CMAP
!
interface Serial0/0
 ip address 192.168.1.2 255.255.255.0
 ip helper-address 10.10.10.1
 clock rate 2000000
!
interface FastEthernet0/1
 ip address dhcp
 ip helper-address 10.10.10.1
 


ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.10.10.0 255.255.255.252 Tunnel0
ip route 192.168.1.0 255.255.255.0 10.10.10.1
ip route 192.168.10.0 255.255.255.0 Tunnel0

access-list 101 permit gre any any
access-list 101 permit icmp any any
access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any eq bootps
access-list 101 permit udp any any

13 Replies

interface FastEthernet0/1
 ip address dhcp
 ip helper-address 10.10.10.1

This does not work even if you do not use GRE.

This interface must have an IP in the same subnet as the DHCP pool.

And ip helper-address is used to let endpoints get an IP from the DHCP server, not the router itself.

MHM

Thank you very much for your reply.

But my idea is that the fast0/1 port of R4 must get ip via dhcp, because this is a scenario related to an IoT infrastructure.

Run this debug and share the result:

debug udp

MHM

This is the debug output:

R4#
*Mar 1 04:07:22.542: IP: s=0.0.0.0 (local), d=255.255.255.255 (FastEthernet0/1), len 319, sending broad/multicast
*Mar 1 04:07:22.546: UDP src=68, dst=67
R4#
*Mar 1 04:07:25.798: IP: s=0.0.0.0 (local), d=255.255.255.255 (FastEthernet0/1), len 319, sending broad/multicast
*Mar 1 04:07:25.798: UDP src=68, dst=67
R4#
*Mar 1 04:07:29.802: IP: s=0.0.0.0 (local), d=255.255.255.255 (FastEthernet0/1), len 319, sending broad/multicast
*Mar 1 04:07:29.806: UDP src=68, dst=67
R4#
R4#
R4#
R4#
*Mar 1 04:08:43.050: IP: s=0.0.0.0 (local), d=255.255.255.255 (FastEthernet0/1), len 319, sending broad/multicast
*Mar 1 04:08:43.054: UDP src=68, dst=67
R4#
*Mar 1 04:08:46.810: IP: s=0.0.0.0 (local), d=255.255.255.255 (FastEthernet0/1), len 319, sending broad/multicast
*Mar 1 04:08:46.814: UDP src=68, dst=67
R4#
*Mar 1 04:08:50.814: IP: s=0.0.0.0 (local), d=255.255.255.255 (FastEthernet0/1), len 319, sending broad/multicast
*Mar 1 04:08:50.818: UDP src=68, dst=67

You can see from the debug that the source is 0.0.0.0 and the destination is 255.255.255.255.

That means the router never uses the ip helper-address.

So sorry, this does not work.

It works if

1- a DHCP client is connected to f1/0

2- f1/0 has an IP (manual, not via DHCP)

In this case the router will use the f1/0 IP as source and the ip helper as destination.

MHM

@dimitri.matata 

Did you try with FastEthernet0/1 using a static IP address instead? Just to make sure the fact that the interface is using DHCP is not interfering with the process.

dimitri.matata
Level 1

@MHM Cisco World @Flavio Miranda
I set up another lab with the following configurations:

R1: DHCP server router
R2: Helper router
R5 & Linux OS: Clients


R1 and R2 are connected via the serial interface
[********************* R1 Configuration *********************]

Serial0/0 192.168.1.1  up  
FastEthernet0/1 192.168.100.1  up  
Tunnel0 10.10.10.1 up up  

DHCP Configuration:
ip dhcp excluded-address 192.168.100.1  
!  
ip dhcp pool DHCP_TEST  
   network 192.168.100.0 255.255.255.0  
   dns-server 8.8.8.8  
   default-router 192.168.100.1  
   lease 7  

interface Tunnel0  
 ip address 10.10.10.1 255.255.255.252  
 tunnel source Serial0/0  
 tunnel destination 192.168.1.2  
 tunnel protection ipsec profile naranomenuovo  

ip route 192.168.1.0 255.255.255.0 10.10.10.2  
ip route 192.168.100.0 255.255.255.0 10.10.10.2  

access-list 101 permit ip any any  
access-list 101 permit icmp any any  
access-list 101 permit udp any any eq bootp  
access-list 101 permit udp any eq bootpc any  
access-list 101 permit udp any any  


[********************* R2 Configuration *********************]

FastEthernet0/0 200.10.10.2  up  
Serial0/0 192.168.1.2  up  
FastEthernet0/1 192.168.100.11  up  
Tunnel0 10.10.10.2 up   up

interface FastEthernet0/1  
 ip address 192.168.100.11 255.255.255.0  
 helper-address 10.10.10.1 ### helper  

interface Tunnel0  
 ip address 10.10.10.2 255.255.255.252  
 tunnel source Serial0/0  
 tunnel destination 192.168.1.1  
 tunnel protection ipsec profile naranomenuovo  

ip route 192.168.1.0 255.255.255.0 10.10.10.1  
ip route 192.168.100.0 255.255.255.0 10.10.10.1  

access-list 101 permit ip any any  
access-list 101 permit icmp any any  
access-list 101 permit udp any eq bootpc any  
access-list 101 permit udp any any eq bootp  
access-list 101 permit udp any any  

I tried to make some changes. Specifically, I assigned an IP address to the fa0/1 interface of R2 that belongs to the DHCP server’s subnet. Additionally, I configured the DHCP helper (10.10.10.1) only on the fa0/1 interface of R2. On the same interface (fa0/1 of R2), I connected another router or a Linux machine.

Here’s what happened:
The router, in this scenario, receives requests from R5 (the client), and after a few seconds, R1 assigns an IP to this machine. However, the client continues to send DHCP requests. Upon verification, I noticed that the client had not actually received any IP address, and as a result, the process enters a loop.

On router R1, I can see that the IP has been assigned to the client. The same thing happens with the Linux machine (another client). This is the result of the show ip dhcp binding command executed on R1:

 

 
R1# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.100.2       0063.6973.636f.2d63.    Mar 01 2002 12:17 AM    Automatic
                    3430.352e.3037.3461.
                    2e30.3030.302d.4661.
                    302f.30

Nevertheless, the requests keep arriving at the DHCP server even after the IP has been offered to the client.

 

 

 

Note: Before setting up the scenario explained here, the fa0/1 interface of R2 had an IP address different from the subnet of the DHCP server. This caused an error in the debug on R1, indicating that the fa0/1 interface of R2 needed to be in the same subnet as the DHCP server.

 

 

I’m showing you some images from R1, where it’s evident that the requests continue to arrive even though an IP has already been offered to the client.

  • R1 DHCP debug.
  • R2: Where I configured the helper, here is the output of the detailed DHCP debug.
  • Debug of R5 (the client).
  • Here is the Wireshark capture between R2 and R5.

[Images: r1.png, r2.png, r5.png, wireshark.png]

Here is the UDP debug on R1 and R2:

 

R1#
*Mar  1 01:48:15.743: UDP: rcvd src=192.168.100.11(67), dst=10.10.10.1(67), length=299
*Mar  1 01:48:15.747: UDP: sent src=192.168.100.1(67), dst=192.168.100.11(67), length=308
R1#
*Mar  1 01:48:18.863: UDP: rcvd src=192.168.100.11(67), dst=10.10.10.1(67), length=299
*Mar  1 01:48:18.867: UDP: sent src=192.168.100.1(67), dst=192.168.100.11(67), length=308
R1#
*Mar  1 01:48:22.307: UDP: rcvd src=192.168.100.11(67), dst=10.10.10.1(67), length=299
*Mar  1 01:48:22.311: UDP: sent src=192.168.100.1(67), dst=192.168.100.11(67), length=308


R2#
*Mar  1 01:50:45.735: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=299
*Mar  1 01:50:45.739: UDP: sent src=192.168.100.11(67), dst=10.10.10.1(67), length=299
R2(config)#
*Mar  1 01:51:58.167: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=299
*Mar  1 01:51:58.171: UDP: sent src=192.168.100.11(67), dst=10.10.10.1(67), length=299
R2(config)#
*Mar  1 01:52:01.191: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=299
*Mar  1 01:52:01.195: UDP: sent src=192.168.100.11(67), dst=10.10.10.1(67), length=299
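As an added example (not code from the original thread), here is a Python check that reads the `debug udp` lines posted above for R1 and R2, names the DHCP relay stage each packet belongs to, and states what the debug proves; the sample strings are copied from the post, and the stage names and verdicts are my own labels. The same check applied to a relay whose debug shows only client broadcasts and no unicast to the helper returns "not-relaying", the situation MHM describes for the first lab.

```python
import re
from collections import Counter

# Constructed sample: the `debug udp` lines posted above for R1 (server) and R2 (relay).
R1_DEBUG = """\
*Mar  1 01:48:15.743: UDP: rcvd src=192.168.100.11(67), dst=10.10.10.1(67), length=299
*Mar  1 01:48:15.747: UDP: sent src=192.168.100.1(67), dst=192.168.100.11(67), length=308
*Mar  1 01:48:18.863: UDP: rcvd src=192.168.100.11(67), dst=10.10.10.1(67), length=299
*Mar  1 01:48:18.867: UDP: sent src=192.168.100.1(67), dst=192.168.100.11(67), length=308
"""
R2_DEBUG = """\
*Mar  1 01:50:45.735: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=299
*Mar  1 01:50:45.739: UDP: sent src=192.168.100.11(67), dst=10.10.10.1(67), length=299
*Mar  1 01:51:58.167: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=299
*Mar  1 01:51:58.171: UDP: sent src=192.168.100.11(67), dst=10.10.10.1(67), length=299
"""
LINE = re.compile(r"UDP: (rcvd|sent) src=([\d.]+)\((\d+)\), dst=([\d.]+)\((\d+)\)")
def parse(debug):
    """Return (direction, src, sport, dst, dport) for every UDP debug line."""
    return [(d, s, int(sp), t, int(tp)) for d, s, sp, t, tp in LINE.findall(debug)]
def classify(pkt, role):
    """Name the DHCP relay stage a packet belongs to, given the router's role."""
    d, s, sp, t, tp = pkt
    if sp == 68 and tp == 67 and s == "0.0.0.0":
        return "client-broadcast"        # DISCOVER/REQUEST from an address-less client
    if role == "relay" and d == "sent" and sp == 67 and tp == 67:
        return "forwarded-to-helper"     # src rewritten to the relay interface, dst = helper
    if role == "relay" and d == "rcvd" and sp == 67 and tp == 67:
        return "reply-from-server"       # OFFER/ACK coming back to the relay address
    if role == "server" and d == "rcvd" and sp == 67 and tp == 67:
        return "relayed-request"         # relay-forwarded packet reached the server
    if role == "server" and d == "sent" and sp == 67 and tp == 67:
        return "reply-to-relay"          # server answers to the relay's address
    return "other"
def diagnose(role, debug):
    """Summarise what the debug proves about the relay path on this router."""
    c = Counter(classify(p, role) for p in parse(debug))
    if role == "relay":
        if c["client-broadcast"] and not c["forwarded-to-helper"]:
            return "not-relaying"            # helper never used: check interface IP/subnet
        if c["forwarded-to-helper"] and not c["reply-from-server"]:
            return "no-reply-reaching-relay"  # check route and ACL from server back to relay
        return "relay-path-ok"
    if c["relayed-request"] > 1 and c["reply-to-relay"] >= c["relayed-request"]:
        return "replying-but-client-retries"  # offers leave the server, client keeps asking
    return "server-ok" if c["reply-to-relay"] else "no-relayed-requests"
if __name__ == "__main__":
    print("R1:", diagnose("server", R1_DEBUG))  # replying-but-client-retries
    print("R2:", diagnose("relay", R2_DEBUG))   # no-reply-reaching-relay
```

Note that the relayed traffic in both directions is UDP port 67 to port 67 (the relay and the server both source from bootps), so any ACL applied on the tunnel has to permit that exchange, not only the client's 68-to-67 broadcast.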

 

 

ip route 192.168.1.0 255.255.255.0 10.10.10.2

This is the first error in the config: the tunnel underlay must not be reachable via the overlay.

Second, on the DHCP server the default router must be .11, not .1.

Third, on the DHCP server router configure a loopback (LO), and on the relay router add a static route for this LO via the tunnel and use this LO as the ip helper-address on the relay router.

MHM

On R2 I don't have any DHCP configured; R2 acts as relay [helper].

Maybe I understood now what you advised me.
I did this:
On R1:
I configured LO 192.168.200.1
and I set the default router to 192.168.100.11.
On R2:
On fa0/1 [this has the same default-gateway IP, 192.168.100.11] I used ip helper 192.168.200.1
and I configured a static route on the tunnel.
The result is as before: the requests arrive at the R1 DHCP server and it offers an IP to the R3 client, but R3 does nothing and continues to send the requests.

 

Share the last configuration you used.

MHM

R1 configuration:

ip dhcp excluded-address 192.168.100.11

ip dhcp pool DHCP_TEST
   network 192.168.100.0 255.255.255.0
   dns-server 8.8.8.8
   default-router 192.168.100.11
   lease 7

interface Loopback0
 ip address 192.168.200.1 255.255.255.0

interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 ip access-group 101 in
 ip mtu 1400
 tunnel source Serial0/0
 tunnel destination 192.168.1.2
 tunnel protection ipsec profile naranomenuovo

interface Serial0/0
 ip address 192.168.1.1 255.255.255.0

interface FastEthernet0/1
 ip address 192.168.100.1 255.255.255.0


ip route 192.168.100.0 255.255.255.0 10.10.10.2



access-list 101 permit gre any any
access-list 101 permit icmp any any
access-list 101 permit udp any any eq bootps
access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any
access-list 101 permit ip any any


R2 configuration:


interface Tunnel0
 ip address 10.10.10.2 255.255.255.252
 ip access-group 101 in
 ip mtu 1400
 tunnel source Serial0/0
 tunnel destination 192.168.1.1
 tunnel protection ipsec profile naranomenuovo

interface Serial0/0
 ip address 192.168.1.2 255.255.255.0
 clock rate 2000000


interface FastEthernet0/1
 ip address 192.168.100.11 255.255.255.0
 ip helper-address 192.168.200.1
 ip directed-broadcast


ip route 192.168.1.0 255.255.255.0 10.10.10.1
ip route 192.168.100.0 255.255.255.0 10.10.10.1
ip route 192.168.200.0 255.255.255.0 10.10.10.1

access-list 101 permit gre any any
access-list 101 permit icmp any any
access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any eq bootps
access-list 101 permit udp any any
access-list 101 permit ip any any


For R2:
ip route 192.168.1.0 255.255.255.0 10.10.10.1 <<- this is wrong
ip route 192.168.100.0 255.255.255.0 10.10.10.1 <<- this is not needed
ip route 192.168.200.0 255.255.255.0 Tunnel0 <<- this is OK for the LO
For R1:
ip route 192.168.100.0 255.255.255.0 Tunnel0

For the ACL, use the entry below for DHCP instead of what you use:

permit udp any eq bootpc any eq bootps

MHM