06-27-2012 06:11 AM
Hello,
Here is my setup: I have an ASA5505 at a client's site with two VLANs and a Fortigate 310B at the corporate office. I have created a site-to-site IPsec tunnel between the two sites. I want the PCs in VLAN 3, named villong, to be able to use the DHCP server at the corporate office through the VPN tunnel. For some reason it is not working properly. When I do a debug dhcprelay I get the following:
DHCPRA: relay binding created for client 001c.238c.5712.
DHCPD: setting giaddr to 10.8.35.1.
dhcpd_forward_request: request from 001c.238c.5712 forwarded to 10.20.0.77.
DHCPRA: Received a BOOTREPLY from interface 2
DHCPRA: relay binding found for client 001c.238c.5712.
DHCPRA: Adding rule to allow client to respond using offered address 10.8.35.33
DHCPRA: forwarding reply to client 001c.238c.5712.
I can see that the DHCP server is offering 10.8.35.33, which is good, but the PC does not seem to be able to respond. Here is my ASA config at the client site:
! --- ASA 8.2(2) running config as posted (credentials redacted by the author) ---
ASA Version 8.2(2)
!
hostname ASAClient
domain-name default.domain.invalid
enable password XXXXX encrypted
passwd XXXXX encrypted
!
! Interfaces: Vlan1 (inside) and Vlan3 (villong) both carry security-level 100 and no
! "same-security-traffic permit inter-interface" appears below, while Vlan3 also has
! "no forward interface Vlan1"; traffic from villong toward inside is therefore not
! expected to flow. NOTE(review): this looks like the 5505 restricted third VLAN -- confirm.
interface Vlan1
nameif inside
security-level 100
ip address 172.20.0.59 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.240
!
interface Vlan3
description Reseau villong
no forward interface Vlan1
nameif villong
security-level 100
ip address 10.8.35.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
! ACL review: inside_access_in and outside_access_in are both "permit ip any any".
! outside_access_in is applied inbound on the Internet-facing interface (access-group below),
! which is far broader than a site-to-site VPN needs; restricting it to the VPN peer and
! the protocols actually expected would reduce exposure. inside_nat0_outbound is defined
! but never referenced by any nat statement.
access-list inside_access_in extended permit ip any any
! Crypto ACL: destination "any" means every packet from 172.20.0.0/24 and 10.8.35.0/24,
! Internet-bound included, is sent into the tunnel. The host 1.1.1.1 <-> 10.20.0.77 entry
! is presumably for the relayed DHCP exchange sourced from the outside interface address
! (it mirrors Fortigate phase2 VPN_GLX_P23 in the post) -- confirm.
access-list inside_1_cryptomap extended permit ip 172.20.0.0 255.255.255.0 any
access-list inside_1_cryptomap extended permit ip 10.8.35.0 255.255.255.0 any
access-list inside_1_cryptomap extended permit ip host 1.1.1.1 host 10.20.0.77
access-list inside_nat0_outbound extended permit ip 172.20.0.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 10.8.35.0 255.255.255.0 any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu villong 1500
icmp unreachable rate-limit 1 burst-size 1
! ICMP addressed to the ASA itself is accepted on every interface, including outside;
! scoping the outside entry to the VPN peer / monitoring hosts is the usual tightening.
icmp permit any inside
icmp permit any outside
icmp permit any villong
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
! NAT exemption (nat 0) is keyed on the permit-any ACL inside_access_in, so nothing from
! inside or villong is ever translated. NOTE(review): with the crypto ACL sending all
! traffic to the peer, Internet egress presumably happens on the corporate side -- verify.
nat (inside) 0 access-list inside_access_in
nat (villong) 0 access-list inside_access_in
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group inside_access_in in interface villong
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
! Management access: the villong entry admits ASDM/HTTPS from all of 10.0.0.0/8, far more
! than the 10.8.35.0/24 configured on that interface; the ssh entries below are scoped to
! the local subnets and are the model to follow.
http 172.20.0.0 255.255.255.0 inside
http 10.0.0.0 255.0.0.0 villong
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! IKE/IPsec: 3DES, SHA-1, DH group 2 and a pre-shared key; this matches the Fortigate
! phase1/phase2 proposals in the post. AES and SHA-2 with a stronger DH group are preferable
! where both ends support them.
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map inside_map 1 match address inside_1_cryptomap
crypto map inside_map 1 set pfs
crypto map inside_map 1 set peer 199.1.1.1
crypto map inside_map 1 set transform-set 3DES-SHA
crypto map inside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 172.20.0.0 255.255.255.0 inside
ssh 10.8.35.0 255.255.255.0 villong
ssh timeout 30
ssh version 2
console timeout 0
! dhcpd auto_config belongs to the local DHCP server; no dhcpd address/enable lines follow,
! so it appears to be inert here -- confirm.
dhcpd auto_config outside
!
! DHCP relay: requests from villong are forwarded to 10.20.0.77 via outside (through the
! tunnel; the posted debug shows giaddr 10.8.35.1 and the OFFER being forwarded back).
! setroute rewrites the default gateway handed to clients to 10.8.35.1. The debug ends at the
! forwarded OFFER; NOTE(review): a capture on villong would show whether the client receives
! it and whether its REQUEST is relayed -- that is where the failure should become visible.
dhcprelay server 10.20.0.77 outside
dhcprelay enable villong
dhcprelay setroute villong
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password XXXXXXX encrypted privilege 15
! Tunnel group keyed to the Fortigate peer 199.1.1.1; the pre-shared-key value is omitted in
! the post.
tunnel-group 199.1.1.1 type ipsec-l2l
tunnel-group 199.1.1.1 ipsec-attributes
pre-shared-key
!
I have also included the Fortigate configuration in case it helps, but the problem seems to be on the ASA side.
Fortigate Configuration:
# --- Fortigate 310B excerpt as posted. The address objects NAT_VPN_Groupe_Leroux,
# SecureGateway and SVMGOWEBP are not included, so their scope cannot be checked here. ---
# Phase1: 3DES/SHA-1, DH group 2, pre-shared key, matching the ASA isakmp policy in the post.
config vpn ipsec phase1
edit "VPN_GLX_IPSEC"
set interface "port8"
set dhgrp 2
set keylife 86400
set proposal 3des-sha1
set remote-gw 1.1.1.1
set psksecret ENC XXXXXXX
next
# Phase2 selectors: P2 covers the client inside subnet, P22 the villong subnet, and P23 the
# host pair 10.20.0.77 <-> 1.1.1.1 that mirrors the ASA crypto ACL entry (presumably the
# relayed DHCP exchange with the ASA outside address -- confirm). No src-subnet is shown for
# P2/P22, so they appear to be at the default (any source).
config vpn ipsec phase2
edit "VPN_GLX_P2"
set keepalive enable
set phase1name "VPN_GLX_IPSEC"
set proposal 3des-sha1
set dhgrp 2
set dst-subnet 172.20.0.0 255.255.255.0
set keylifeseconds 86400
next
edit "VPN_GLX_P22"
set keepalive enable
set phase1name "VPN_GLX_IPSEC"
set proposal 3des-sha1
set dhgrp 2
set dst-subnet 10.8.35.0 255.255.255.0
set keylifeseconds 86400
next
edit "VPN_GLX_P23"
set dst-addr-type ip
set keepalive enable
set phase1name "VPN_GLX_IPSEC"
set proposal 3des-sha1
set src-addr-type ip
set dhgrp 2
set dst-start-ip 1.1.1.1
set keylifeseconds 86400
set src-start-ip 10.20.0.77
next
# Policies: 428 lets the whole 10.0.0.0/8 reach 10.8.35.0/24 with service ANY, inbound and
# outbound; this is the path DHCP replies from 10.20.0.77 take unless 427's
# NAT_VPN_Groupe_Leroux object also covers the relay address. Narrowing 428 to the servers
# the villong PCs actually need would shrink the exposed surface on both sides.
config firewall policy
edit 427
set srcintf "port1"
set dstintf "port8"
set srcaddr "10.20.0.77/32"
set dstaddr "NAT_VPN_Groupe_Leroux"
set action ipsec
set schedule "always"
set service "ANY"
set logtraffic enable
set label "Clients"
set inbound enable
set outbound enable
set natinbound enable
set vpntunnel "VPN_GLX_IPSEC"
next
edit 428
set srcintf "port1"
set dstintf "port8"
set srcaddr "10.0.0.0/8"
set dstaddr "VPN_Leroux_Ville_IPSec"
set action ipsec
set schedule "always"
set service "ANY"
set logtraffic enable
set label "Clients"
set inbound enable
set outbound enable
set vpntunnel "VPN_GLX_IPSEC"
next
# 429 and 436 are service-restricted (Citrix/PING/HTTP) and use the VIP below with natinbound.
edit 429
set srcintf "port1"
set dstintf "port8"
set srcaddr "SecureGateway"
set dstaddr "VPN_VIP_Leroux"
set action ipsec
set schedule "always"
set service "Citrix_ICA" "PING" "HTTP_HTTPS"
set logtraffic enable
set label "Clients"
set inbound enable
set outbound enable
set natinbound enable
set vpntunnel "VPN_GLX_IPSEC"
next
edit 436
set srcintf "port1"
set dstintf "port8"
set srcaddr "SVMGOWEBP"
set dstaddr "VPN_VIP_Leroux"
set action ipsec
set schedule "always"
set service "PING" "HTTP"
set logtraffic enable
set label "Clients"
set inbound enable
set outbound enable
set natinbound enable
set vpntunnel "VPN_GLX_IPSEC"
next
# VIP: 1:1 mapping of 10.8.18.x onto the client inside hosts 172.20.0.x (used by 429/436);
# the villong subnet is reached by its real addresses via the address object below.
config firewall vip
edit "VPN_VIP_Leroux"
set extip 10.8.18.1-10.8.18.254
set extintf "port1"
set mappedip 172.20.0.1-172.20.0.254
next
config firewall address
edit "VPN_Leroux_Ville_IPSec"
set subnet 10.8.35.0 255.255.255.0
next
Any ideas?
Daniel