DHCP over VPN allows a host (DHCP Client) behind a SonicWALL to obtain an IP address lease from a DHCP server at the other end of a VPN tunnel. In some network deployments, it is desirable to place all VPN networks on one logical IP subnet, creating the appearance that all VPN networks reside in a single IP subnet address space. This simplifies IP address administration for the networks using VPN tunnels.

DHCP Relay Mode

The SonicWALL appliances at the remote and central sites are configured with VPN tunnels that carry the initial DHCP traffic as well as subsequent IP traffic between the sites. The SonicWALL at the remote site (Remote Gateway) passes DHCP broadcast packets through its VPN tunnel. The SonicWALL at the central site (Central Gateway) relays DHCP packets from the client on the remote network to the DHCP server at the central site.

Configuring the Central Gateway for DHCP over VPN

To configure DHCP over VPN for the Central Gateway, use the following steps:

  1. Select Central Gateway from the DHCP Relay Mode menu.

  2. To use the SonicWALL internal DHCP server for assigning IP addresses, select Use Internal DHCP Server. Select For Global VPN Client if remote users are obtaining IP addresses from the SonicWALL. Select For Remote Firewall if a remote firewall is obtaining its IP address from the SonicWALL.

  3. If you want to send DHCP requests to specific servers, enable the Send DHCP requests to the server addresses listed below check box. Enter the IP addresses of DHCP servers in the Add DHCP Server field, and click Update. The SonicWALL now directs DHCP requests to the specified servers.

  4. To delete DHCP servers, click on the IP address of the DHCP server, and click Delete DHCP Server. The server is removed from the list of DHCP servers.

  5. To complete the configuration, go to VPN and click Configure.

  6. Select Destination network obtains IP addresses using DHCP through this SA in the Destination Networks section. Click Update.

Configuring the Remote Gateway for DHCP over VPN

To configure the SonicWALL as a Remote Gateway, use the following steps:

  1. Select Remote Gateway from the DHCP Relay Mode menu.

LAN IP Addresses

  1. Select the VPN Security Association to be used for the VPN tunnel from the Obtain using DHCP through this SA menu.

Alert! Only VPN SAs using IKE can be used as VPN tunnels for DHCP and the SAs must be enabled and terminated at the LAN.

  2. The Relay IP address is a static IP address taken from the pool of specific IP addresses on the Central Gateway. It must not fall within the scope of addresses the DHCP server hands out. The SonicWALL can also be managed through the Relay IP address.

  3. Type the IP address used to remotely manage the SonicWALL in the Remote Management IP Address field.

  4. If you enable Block traffic through tunnel when IP spoof detected, the SonicWALL blocks any traffic across the VPN tunnel that is spoofing an authenticated user's IP address. If you have any static devices, however, you must ensure that the correct Ethernet address is entered for each device. The Ethernet address is used as part of the identification process, and an incorrect Ethernet address can cause the SonicWALL to respond to IP spoofs.

  5. If the VPN tunnel is disrupted, temporary DHCP leases can be obtained from the local DHCP server; once the tunnel is active again, the local DHCP server stops issuing leases. To enable this failover, select the Obtain temporary lease from local DHCP server if tunnel is down check box. To limit how long temporary leases last, enter the number of minutes in the Temporary Lease Time box. The default value is two (2) minutes.

LAN Device Configuration

  1. To configure Static Devices on the LAN, enter the IP address of the device in the IP Address field and then enter the Ethernet Address of the device in the Ethernet Address field. An example of a static device is a printer as it cannot obtain an IP lease dynamically. If you do not have Block traffic through tunnel when IP spoof detected enabled, it is not necessary to enter the Ethernet address of a device.

  2. You must exclude the static IP addresses from the pool of available IP addresses on the DHCP server so that the DHCP server does not assign these addresses to DHCP clients. You should also exclude the IP address used as the Relay IP Address. It is recommended to reserve a block of IP addresses to use as Relay IP addresses.

  3. Select LAN Devices not allowed to obtain IP through SA if there are devices on the LAN that you do not want to obtain IP addresses through the VPN tunnel, such as children's computers. You must know the Ethernet address of the device to configure this setting. The Ethernet address of a Windows device can be determined by typing ipconfig /all into a Command Prompt window.

Alert! You must configure the local DHCP server on the remote SonicWALL to assign IP leases to these computers.

Alert! If a remote site has trouble connecting to a central gateway and obtaining a lease, verify that Deterministic Network Enhancer (DNE) is not enabled on the remote computer.

Tip! If a static LAN IP address is outside of the DHCP scope, routing is possible to this IP, i.e. two LANs.
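The LAN Device Configuration steps above require two things to be kept consistent by hand: every static device address and the Relay IP address must be excluded from the central DHCP server's scope, and, when Block traffic through tunnel when IP spoof detected is enabled, every static device must carry a correct Ethernet address. The following script is an added example (not SonicWALL code) that checks a proposed configuration for those mistakes and extracts a device's Ethernet address from constructed ipconfig /all output; the scope, device list, and addresses it uses are constructed sample values, and the function and class names are the example's own.

```python
"""Consistency checks for a DHCP-over-VPN LAN device configuration.

Added example, not part of the SonicWALL documentation. All addresses
and the ipconfig output below are constructed sample values.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Matches an Ethernet address written as six hex octets separated by '-' or ':'.
MAC_RE = re.compile(r"([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}")


def normalize_mac(mac):
    """Return the MAC as lower-case, colon-separated hex, or None if malformed."""
    m = MAC_RE.fullmatch(mac.strip())
    if not m:
        return None
    return m.group(0).lower().replace("-", ":")


def mac_from_ipconfig(text):
    """Extract the Ethernet address from the 'Physical Address' line of ipconfig /all."""
    for line in text.splitlines():
        if "Physical Address" in line:
            found = MAC_RE.search(line)
            return normalize_mac(found.group(0)) if found else None
    return None


@dataclass
class DhcpScope:
    """The address pool a DHCP server hands out, minus its exclusions."""
    network: ipaddress.IPv4Network
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address
    exclusions: set = field(default_factory=set)

    def assigns(self, ip):
        """True if the DHCP server could hand out this address to a client."""
        return self.first <= ip <= self.last and ip not in self.exclusions


def check_config(scope, relay_ip, static_devices, block_spoof=True):
    """Return a list of problems; an empty list means the configuration is consistent.

    static_devices is a list of (ip, ethernet_address) pairs as entered on the
    LAN Device Configuration page.
    """
    problems = []
    relay = ipaddress.IPv4Address(relay_ip)
    if relay not in scope.network:
        problems.append(f"relay IP {relay} is not inside {scope.network}")
    if scope.assigns(relay):
        problems.append(f"relay IP {relay} must be excluded from the DHCP scope")
    seen_macs = {}
    for ip_str, mac in static_devices:
        ip = ipaddress.IPv4Address(ip_str)
        if scope.assigns(ip):
            problems.append(f"static device {ip} must be excluded from the DHCP scope")
        if ip == relay:
            problems.append(f"static device {ip} collides with the relay IP")
        if block_spoof:
            norm = normalize_mac(mac) if mac else None
            if norm is None:
                problems.append(f"static device {ip} needs a valid Ethernet address "
                                "when IP spoof blocking is enabled")
            elif norm in seen_macs:
                problems.append(f"Ethernet address {norm} is listed for both "
                                f"{seen_macs[norm]} and {ip}")
            else:
                seen_macs[norm] = ip
    return problems


# Constructed sample: the central server leases .100-.200, with .150 excluded.
SAMPLE_SCOPE = DhcpScope(
    network=ipaddress.IPv4Network("192.0.2.0/24"),
    first=ipaddress.IPv4Address("192.0.2.100"),
    last=ipaddress.IPv4Address("192.0.2.200"),
    exclusions={ipaddress.IPv4Address("192.0.2.150")},
)
SAMPLE_RELAY_IP = "192.0.2.10"          # reserved below the pool, as recommended
SAMPLE_DEVICES = [
    ("192.0.2.150", "00-1A-2B-3C-4D-5E"),  # printer: excluded, valid MAC
    ("192.0.2.120", "001a2b3c4d5f"),       # inside the pool and malformed MAC
]
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   Description . . . . . . . . . . . : Constructed Ethernet Adapter
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes
"""


def sample_problems():
    """Run the checks against the constructed sample configuration."""
    return check_config(SAMPLE_SCOPE, SAMPLE_RELAY_IP, SAMPLE_DEVICES)


if __name__ == "__main__":
    print("MAC from ipconfig:", mac_from_ipconfig(SAMPLE_IPCONFIG))
    for p in sample_problems():
        print("PROBLEM:", p)
```

The sample run reports two problems, both for the second device: its address sits inside the lease pool, and its Ethernet address is not in the six-octet form the spoof check relies on. The same checks run cleanly once the device is excluded from the scope and its address is entered as shown for the printer.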

DHCP Relay Agent

Relay IP Address (Optional) - Type the IP address of your relay server.
