CPUG

The Check Point User Group
#1  2010-01-22  nejko (Junior Member)
DHCP packets dropped after VPN established

Dear CP users,

We have a problem using DHCP over DHCP relay while an IPSec VPN between the gateways is established.

Topology:

User LAN ---- [FW] ==<vpn>== [Core FW] ---- Server LAN

FW is DHCP-relay for User LAN and there is a DHCP server in Server LAN.

If there is no VPN, everything works OK. If I put the FW into the encryption domain, everything works except that the dhcp-req-localmodule packets are dropped with the error "encryption failure: Clear text packet should be encrypted".

Information about the packet:

Src: none (L2 packet)
Dst: 255.255.255.255
Service: dhcp-req-localmodule (67)
Protocol: UDP
Interface: Internal.701 (vlan interface)
Source port: dhcp-rep-localmodule (68)

What should I do so that FW will allow this packet?

The funny thing is that bootp packets are accepted and encrypted; here is an example of one such packet:

Src: 10.x.x.51
Dst: 255.255.255.255
Service: bootp (67)
Protocol: UDP
Interface: Internal.701
Source port: dhcp-rep-localmodule (68)

So the only difference here is the source IP address and the service bootp instead of dhcp-req-localmodule. However, I don't understand why bootp is chosen in this case, as the source and destination port numbers are the same in both cases.

Any ideas?

Thanks,
Nejc
#2  2010-01-25  nejko (Junior Member)
Re: DHCP packets dropped after VPN established

Dear forum users,

I have discovered what causes my problem. It is the "VPN routing" setting in the VPN community properties. If I configure the routing "To center, or through the center to other satellites, to internet and other VPN targets", I can reproduce the problem in my test environment. It looks like, if this option is set, Check Point expects an already encrypted DHCP discover packet coming to its internal interface, which doesn't make sense, I guess.

If I configure the VPN routing "To center and to other satellites through center", then DHCP works beautifully. But then not all traffic between the gateways is encrypted, which is not what I want.

So still, does anybody know how to solve this issue?

Thanks,
Nejc
#3  4 Days Ago  serlud (Senior Member)
Re: DHCP packets dropped after VPN established
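A simplified model of the behaviour nejko describes in posts #1 and #2, added here as an illustration (it is not Check Point code and does not claim to reproduce the gateway's real VPN logic). It takes the two packets quoted in post #1 (the partially masked source 10.x.x.51 is made concrete as 10.1.0.51, and the satellite's encryption domain 10.1.0.0/16 is assumed) and shows why the sourceless DHCP discover is treated as clear text that should already be encrypted under the "through the center to other VPN targets" routing mode, while it passes under "To center and to other satellites through center".

```python
"""Simplified model (added example, not Check Point code) of the VPN-routing
behaviour described in this thread.  Packet records use the fields quoted in
post #1; the local encryption domain 10.1.0.0/16 and the concrete host
10.1.0.51 are assumptions made for the example."""
import ipaddress

LOCAL_DOMAIN = ipaddress.ip_network("10.1.0.0/16")   # assumed satellite domain
BROADCAST = ipaddress.ip_address("255.255.255.255")
DROP_MSG = "encryption failure: Clear text packet should be encrypted"

# Constructed from the two packet descriptions in post #1.
DHCP_DISCOVER = {"src": None, "dst": "255.255.255.255", "sport": 68, "dport": 67,
                 "iface": "Internal.701", "service": "dhcp-req-localmodule"}
BOOTP_PKT = {"src": "10.1.0.51", "dst": "255.255.255.255", "sport": 68, "dport": 67,
             "iface": "Internal.701", "service": "bootp"}


def vpn_verdict(pkt, route_all_to_center, local_domain=LOCAL_DOMAIN):
    """Return (action, reason) for a clear-text packet seen on an internal interface.

    route_all_to_center=True models "To center, or through the center to other
    satellites, to internet and other VPN targets"; False models "To center and
    to other satellites through center".
    """
    src = ipaddress.ip_address(pkt["src"]) if pkt["src"] else None
    dst = ipaddress.ip_address(pkt["dst"])
    from_local = src is not None and src in local_domain
    to_local = dst == BROADCAST or dst in local_domain
    if route_all_to_center:
        # Anything that cannot be placed inside our own domain is assumed to
        # have come from a VPN peer and therefore must already be encrypted.
        # A DHCP DISCOVER has no source IP yet, so it fails this test.
        if not from_local:
            return ("drop", DROP_MSG)
        if dst in local_domain:
            return ("accept", "local-to-local traffic stays in clear")
        return ("encrypt", "sent through the center")
    # Only traffic bound for a remote VPN domain is encrypted; a broadcast
    # addressed to the local relay is accepted in clear.
    if to_local:
        return ("accept", "delivered in clear to local module")
    return ("encrypt", "destination belongs to a remote domain")


def triage(packets, route_all_to_center):
    """Summarise verdicts for a batch of packets as service -> action."""
    return {p["service"]: vpn_verdict(p, route_all_to_center)[0] for p in packets}


if __name__ == "__main__":
    for mode in (True, False):
        print("route_all_to_center=%s:" % mode, triage([DHCP_DISCOVER, BOOTP_PKT], mode))
```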

Quote: Originally Posted by nejko [post #2 above, quoted in full]
Thanks.

We have the same issue after replacing a VPN-1 Edge (due to a performance problem, 0.5 Mb/s max with VPN) with a UTM-1 132. DHCP does not work any more.

CP does not know about this issue for R65, R70, R70.1, R70.2 (probably everyone already uses a Cisco ASA 55xx for all remote offices; we are going to replace all our VPN-1 Edges within the next 2 years with ASA 5505 clusters or ASA 5510 clusters, just due to the very high price per Mb/s: VPN-1 Edge Unlimited $2000 for 0.5 Mb/s VPN, no NAT, simple FW rules, compared with an ASA 5505 at about $1000 for a REAL 80 Mb/s VPN).

We have opened a Critical SR to be sure this issue will be resolved in a short time.
12-Mar-2010 10:10 Opened SR.
12-Mar-2010 13:52 After 3.5 hours talking with CP, CP will try to replicate this issue with international TAC. It will take about 1 day (we will see).
15-Mar-2010 Escalated through CP rep.
15-Mar-2010 11:11 All debugs for the replicable issue have been uploaded to CP.

Last edited by serlud; 20 Hours Ago at 11:13.