How to Setup DHCP Relay via VPN Tunnel

How to Setup DHCP Relay via VPN Tunnel Overview Some companies may use a central DHCP server for IP addresses allocation. The DHCP server is generally deployed in the Headquarter. The branch offices communicate with the HQ via VPN tunnels. For computers in branch offices to get IP addresses from the central DHCP server, the routers in branch offices must support DHCP relay via VPN tunnels. This topic takes an example to introduce this kind of application. Network Topology Suppose we have the following scenario. An IPSec LAN to LAN VPN is connected between Vigor 2820 and Vigor 2910. DHCP server on Vigor 2820 is disabled. DHCP Relay Agent on Vigor 2910 is enabled and towards the DHCP server at 192.168.3.23. The DHCP server(192.168.3.23) is connected behind Vigor 2820, providing two scopes in its DHCP pool. One is 192.168.3.50 ~ 192.168.3.100, which are for local network. The other is 192.168.1.50 ~ 192.168.1.100, which are for remote network via DHCP relay. DHCP Client is connected behind Vigor 2910. It will be assigned an IP address 192.168.1.x from the DHCP server. Configuring Vigor Router As we know that, “DHCP discover” sent from a DHCP Client are broadcast packets which cannot pass through VPN tunnels directly. So we need to configure the gateway Vigor 2910 as the DHCP relay agent. The DHCP relay receives the broadcast DHCP discover message and forward it directly to the DHCP server as unicast message. DHCP relay help transferring DHCP packets between the DHCP server and the DHCP client. Here’s the setup for DHCP relay on Vigor 2910: Here’s the setup for DHCP relay on Vigor 2820: Configuring the DHCP Server We use DHCP Turbo running on Windows XP as the DHCP server in our demo. 1. Start DHCP Turbo and make sure the DHCP service is started (check in ‘Computer Management >> Service Manager’). 2. In the window of DHCP Turbo, click the icon to create a new server. Enter the correct IP address of the DHCP server. 3. Login on the server to configure it’s properties. By default the password is empty. 4. Right‐click on ‘Scopes’ menu and select ‘New Scope’ to create the new one. 5. Setup the details for the new scope. In this area, you can define the DHCP pool (address range), and the lease time and other properties. We build the first new scope here for the local network (192.168.3.1/24), so the option ‘Local’ should be selected for ‘Segment’. The new scope for local network is saved: 6. Create the other scope for the branch office. Specify ‘Address Range’ as 192.168.1.50 ~ 192.168.1.100. ‘Relay agent’ must be specified as 192.168.1.1 which is the LAN IP address of Vigor 2910, so that the server will reply Vigor 2910 when it receives the relayed DHCP packets. After the router’s DHCP relay feature is properly configured, as well as that of the DHCP server, the client PC in branch office will be able to obtain an IP address from the DHCP server, through the VPN tunnel.