[vpn-help] Again: no response from DHCP server (Fortigate 80C 4.0 MR1)

Weber, Uwe uw at rnt.de
Thu Aug 5 04:32:09 CDT 2010



Hi Uwe,

This sounds like a different problem from the DHCP over IPsec related 
issue that was reported previously. It pertains to the client not using 
a consistent MAC address for the DHCP discover. Since each connection is 
processed as a different machine, the gateway hands out a new DHCP 
address for each Shrew connection attempt, which eventually exhausts the 
DHCP pool. My guess is that the Fortigate client wasn't affected by this 
because it retained the MAC value previously sent and gets handed an 
address which is still reserved. The easiest solution will be for the 
client to offer the same MAC address each time so it doesn't cause this 
problem. I haven't gotten around to this yet, but it shouldn't be too 
difficult to add. I'll keep you posted.

-Matthew

-- 

Matthew, you hit the nail on the head: 

In the meantime, I found out that the FGT really ran out of DHCP leases and wasn't able to hand out more leases to the Shrew clients (which are always the same), but they seem to come with a different MAC each time and so request a new IP from the IPsec DHCP instead of reclaiming the previous lease. FortiClient always comes with the same MAC, as you said, and subsequently gets the old lease.

My workaround so far is that I have set the lease time to one hour, which prevents the DHCP pool from getting exhausted. So far this has worked for me :)
But if there is no specific reason for the Shrew client software to use a different MAC for each connection attempt, and if you can change this behavior, you should do it, because logically it would be clear to me that a connection (or a virtual IPsec interface) always uses the same MAC. As far as I have seen, every IPsec client uses one and the same MAC address (which is even configurable in some cases, iirc) for every connection, because the MAC logically belongs to the interface and not to the connection, imho.

Regards

Uwe
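To make the failure mode in this thread concrete, here is a small lease-table model, added here as an illustration and not code from Shrew Soft or Fortinet. It models a DHCP server that keys leases on the client hardware address (chaddr): a client that presents a fresh MAC on every connect burns a new address each time until the pool is empty, a client with a stable MAC simply gets its old lease back, and the one-hour lease time from Uwe's workaround lets abandoned leases expire before the pool runs dry. The network, lease times and attempt spacing are constructed sample values.

```python
import ipaddress
import random
from dataclasses import dataclass


@dataclass
class Lease:
    ip: str
    mac: str
    expires: int  # seconds on the simulated clock


class DhcpPool:
    """Hypothetical DHCP server lease table keyed on the client MAC.

    Constructed for illustration only; it is not FortiGate's DHCP
    implementation, just enough to show why the pool exhausts.
    """

    def __init__(self, network: str, lease_seconds: int):
        # Free addresses, handed out in order
        self.free = [str(ip) for ip in ipaddress.ip_network(network).hosts()]
        self.lease_seconds = lease_seconds
        self.leases: dict[str, Lease] = {}  # mac -> active lease

    def _expire(self, now: int) -> None:
        # Return every expired lease's address to the free list
        for mac, lease in list(self.leases.items()):
            if lease.expires <= now:
                del self.leases[mac]
                self.free.append(lease.ip)

    def discover(self, mac: str, now: int):
        """Answer a DISCOVER from `mac`; returns the offered IP or None."""
        self._expire(now)
        lease = self.leases.get(mac)
        if lease is not None:
            # Known client: renew and hand back the same address
            lease.expires = now + self.lease_seconds
            return lease.ip
        if not self.free:
            return None  # pool exhausted: the symptom seen on the FGT
        ip = self.free.pop(0)
        self.leases[mac] = Lease(ip, mac, now + self.lease_seconds)
        return ip


def random_mac(rng: random.Random) -> str:
    # Locally administered unicast MAC, constructed at random
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def simulate(stable_mac: bool, attempts: int, interval: int,
             lease_seconds: int, network: str = "10.99.0.0/29"):
    """Run `attempts` connection attempts `interval` seconds apart.

    Returns the list of addresses offered (None where the pool was empty).
    A /29 gives six usable addresses, so exhaustion shows up quickly.
    """
    rng = random.Random(1)
    pool = DhcpPool(network, lease_seconds)
    fixed = random_mac(rng)
    offered = []
    for i in range(attempts):
        mac = fixed if stable_mac else random_mac(rng)
        offered.append(pool.discover(mac, now=i * interval))
    return offered


if __name__ == "__main__":
    # Ten reconnects, ten minutes apart, with a 24-hour lease
    print("new MAC each time, 24h lease:", simulate(False, 10, 600, 86400))
    print("stable MAC, 24h lease:       ", simulate(True, 10, 600, 86400))
    # Same churn, but with the one-hour lease from the workaround
    print("new MAC each time, 1h lease: ", simulate(False, 10, 600, 3600))
```

With a fresh MAC per attempt and a day-long lease, the seventh connect onward gets no address; with a stable MAC every attempt is answered with the same lease. Shortening the lease to an hour makes the abandoned entries age out between attempts, which is exactly why the workaround holds up, at the cost of a pool that is only as big as the number of stale clients that fit into one lease interval.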


