[vpn-help] Again: no response from DHCP server (Fortigate 80C 4.0 MR1)
Weber, Uwe
uw at rnt.de
Thu Aug 5 04:32:09 CDT 2010
Hi Uwe,
This sounds like a different problem from the DHCP over IPsec related
issue that was reported previously. It pertains to the client not using
a consistent MAC address for the DHCP discover. Since each connection is
processed as a different machine, the gateway hands out a new DHCP
address for each Shrew connection attempt which eventually exhausts the
DHCP pool. My guess is that the Fortigate client wasn't affected by this
because it retained the MAC value previously sent and gets handed an
address which is still reserved. The easiest solution will be for the
client to offer the same MAC address each time so it doesn't cause this
problem. I haven't gotten around to this yet, but it shouldn't be too
difficult to add. I'll keep you posted.
-Matthew
--
Matthew, you exactly hit the nail:
In the meantime, I found out that the FGT really ran out of DHCP leases and wasn't able to hand out more leases to the Shrew clients (which are always the same) but seem to come with a different MAC and so request a new IP from IPSEC-DHCP instead of reclaiming the previous lease. Forticlient always comes with the same MAC, as you said, and subsequently gets the old lease.
My workaround so far is that I have set the lease time to one hour, which prevents the DHCP pool from getting exhausted. So far this worked for me :)
But if there is not a specific reason for the Shrew client software to use a different MAC for each connection attempt, and if you can change this behavior, you should do it, because logically seen it would be clear to me that a connection (or a virtual IPSEC interface) always uses the same MAC. As far as I have seen it, every IPSEC client does use one and the same MAC address (which is even configurable in some cases iirc) for every connection because the MAC logically belongs to the interface and not to the connection imho.
Regards
Uwe
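
The lease behaviour discussed in this thread, modelled as an added example (not code from Shrew Soft or Fortinet, and not part of either message): a lease table keyed by MAC is driven by a client that changes its MAC on every attempt, by the same client against a one-hour lease, and by a client that derives one fixed MAC. Pool size, reconnect interval, the long lease time and all function names are constructed assumptions.

```python
import hashlib

class LeasePool:
    """Toy DHCP lease table keyed by client MAC (a model, not FortiGate code)."""
    def __init__(self, size, lease_time):
        self.size, self.lease_time = size, lease_time
        self.leases = {}                      # mac -> (address index, expiry time)

    def request(self, mac, now):
        # Expired leases go back to the pool.
        self.leases = {m: l for m, l in self.leases.items() if l[1] > now}
        if mac in self.leases:                # known MAC: reclaim the previous lease
            ip = self.leases[mac][0]
        else:
            used = {l[0] for l in self.leases.values()}
            free = [i for i in range(self.size) if i not in used]
            if not free:
                return None                   # pool exhausted: no DHCP response
            ip = free[0]
        self.leases[mac] = (ip, now + self.lease_time)
        return ip

def stable_mac(install_id):
    """Fixed, locally administered unicast MAC derived from a per-install id (assumed input)."""
    b = bytearray(hashlib.sha256(install_id.encode()).digest()[:6])
    b[0] = (b[0] | 0x02) & 0xFE               # set local bit, clear multicast bit
    return ":".join(f"{x:02x}" for x in b)

def changing_mac(attempt):
    """Models a client that presents a new MAC on every connection attempt."""
    return f"02:00:00:00:{(attempt >> 8) & 0xff:02x}:{attempt & 0xff:02x}"

def simulate(pool_size, lease_time, reconnect_every, attempts, mac_for):
    """Return how many connection attempts received no address."""
    pool, failed = LeasePool(pool_size, lease_time), 0
    for n in range(attempts):
        if pool.request(mac_for(n), now=n * reconnect_every) is None:
            failed += 1
    return failed

if __name__ == "__main__":
    week, hour = 7 * 24 * 3600, 3600          # constructed lease times
    print(simulate(10, week, 600, 50, changing_mac))                  # long lease, new MAC each time
    print(simulate(10, hour, 600, 50, changing_mac))                  # one-hour lease workaround
    print(simulate(10, week, 600, 50, lambda n: stable_mac("pc-1")))  # same MAC each time
```

The one-hour lease only holds while fewer new MACs arrive per hour than the pool has addresses; the fixed MAC removes that dependency.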