[vpn-help] Again: no response from DHCP server (Fortigate 80C 4.0 MR1)

Matthew Grooms mgrooms at shrew.net
Tue Aug 10 00:13:10 CDT 2010


On 8/5/2010 4:32 AM, Weber, Uwe wrote:
> Hi Uwe,
>
> This sounds like a different problem from the DHCP over IPsec related
> issue that was reported previously. It pertains to the client not using
> a consistent MAC address for the DHCP discover. Since each connection is
> processed as a different machine, the gateway hands out a new DHCP
> address for each Shrew connection attempt which eventually exhausts the
> DHCP pool. My guess is that the Fortigate client wasn't affected by this
> because it retained the MAC value previously sent and gets handed an
> address which is still reserved. The easiest solution will be for the
> client to offer the same MAC address each time so it doesn't cause this
> problem. I haven't gotten around to this yet, but it shouldn't be too
> difficult to add. I'll keep you posted.
>
> -Matthew
>
> -- Matthew, you exactly hit the nail: In the meantime, I found out that
> really the FGT went out of DHCP-Leases and wasn't able to hand out more
> leases to the Shrew-Clients (which are always the same) but seem to come
> with a different MAC and so requesting a new IP from IPSEC-DHCP instead
> of reclaiming the previous lease. Forticlient always comes with the same
> MAC as you said, and subsequently gets the old lease. My workaround so
> far is that I have set the lease time to one hour, which prevents the
> DHCP pool from getting exhausted. So far this worked for me :) But if
> there is not a specific reason for the Shrew client software to use a
> different MAC for each connection attempt, and if you can change this
> behavior, you should do it, because logically seen it would be clear to
> me that a connection (or a virtual IPSEC interface) always uses the
> same MAC. As far as I have seen it, every IPSEC client does use one and
> the same MAC address (which is even configurable in some cases iirc) for
> every connection because the MAC logically belongs to the interface and
> not to the connection imho.
>
> Regards
> Uwe

Hi Uwe,

Please test this build. It should hand out the same IP address to the 
client each time ...

http://www.shrew.net/download/vpn/vpn-client-2.1.6-dhcpfix-1.exe

... if you can provide feedback quickly enough, I will roll the change 
into 2.1.6 for the release.

-Matthew
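
The following is an added example, not part of the original thread and not Shrew Soft's code: a small in-memory model of the lease behaviour discussed above, comparing a client that presents a new MAC on every connection with one that presents the same MAC each time. The pool size, addresses, timings and host identifier are constructed, and deriving the stable MAC by hashing a host identifier is an assumption made for illustration, not a description of how the dhcpfix build works.

```python
import hashlib
import os

class LeasePool:
    """Minimal model of a DHCP server pool keyed by client hardware address."""
    def __init__(self, size, lease_secs):
        self.free = [f"10.0.0.{i}" for i in range(1, size + 1)]  # constructed range
        self.leases = {}                  # chaddr -> (ip, expiry time)
        self.lease_secs = lease_secs

    def request(self, chaddr, now):
        # Return expired leases to the pool before allocating.
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[mac]
                self.free.append(ip)
        if chaddr in self.leases:         # known client: reclaim the previous lease
            ip = self.leases[chaddr][0]
        elif self.free:
            ip = self.free.pop(0)
        else:
            return None                   # pool exhausted: client sees no response
        self.leases[chaddr] = (ip, now + self.lease_secs)
        return ip

def random_mac():
    """A different locally administered unicast MAC per connection (problem case)."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return bytes(b).hex(":")

def stable_mac(host_id):
    """The same MAC on every connection, derived from a hypothetical host identifier."""
    b = bytearray(hashlib.sha256(host_id.encode()).digest()[:6])
    b[0] = (b[0] | 0x02) & 0xFE
    return bytes(b).hex(":")

def simulate(mac_for_attempt, attempts, pool_size=5, lease_secs=86400, gap_secs=600):
    """Reconnect `attempts` times, `gap_secs` apart; return the address per attempt."""
    pool = LeasePool(pool_size, lease_secs)
    return [pool.request(mac_for_attempt(), n * gap_secs) for n in range(attempts)]

if __name__ == "__main__":
    print("new MAC each time:  ", simulate(random_mac, 8))
    print("same MAC each time: ", simulate(lambda: stable_mac("laptop-01"), 8))
    print("1h lease workaround:", simulate(random_mac, 8, lease_secs=3600, gap_secs=1200))
```

In this model the one-hour lease only avoids exhaustion while reconnects arrive more slowly than leases expire; with the same pool and a 600-second gap, one attempt still goes unanswered.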


