[vpn-help] Again: no response vom DHCP server (Fortigate 80C 4.0 MR1)

Weber, Uwe uw at rnt.de
Wed Aug 11 00:38:48 CDT 2010


Hi Matthew,

I had a roadwarrior test with the fixed version and we were able to see that the original build of the client really gets a new lease for every connection attempt, whereas the fixed version gets its previous lease as registered with the DHCP server.
100% success! Thanks a lot for the quick resolution.

Uwe
________________________________________
From: Matthew Grooms [mgrooms at shrew.net]
Sent: Tuesday, August 10, 2010 07:13
To: Weber, Uwe
Cc: vpn-help at lists.shrew.net
Subject: Re: AW: [vpn-help] Again: no response vom DHCP server (Fortigate 80C 4.0 MR1)

On 8/5/2010 4:32 AM, Weber, Uwe wrote:
> Hi Uwe,
>
> This sounds like a different problem from the DHCP over IPsec related
> issue that was reported previously. It pertains to the client not using
> a consistent MAC address for the DHCP discover. Since each connection is
> processed as a different machine, the gateway hands out a new DHCP
> address for each Shrew connection attempt which eventually exhausts the
> DHCP pool. My guess is that the Fortigate client wasn't affected by this
> because it retained the MAC value previously sent and gets handed an
> address which is still reserved. The easiest solution will be for the
> client to offer the same MAC address each time so it doesn't cause this
> problem. I haven't gotten around to this yet, but it shouldn't be too
> difficult to add. I'll keep you posted.
>
> -Matthew
>
> -- Matthew, you exactly hit the nail: In the meantime, I found out that
> the FGT really ran out of DHCP leases and wasn't able to hand out more
> leases to the Shrew clients (which are always the same) but seem to come
> with a different MAC and so request a new IP from IPSEC-DHCP instead
> of reclaiming the previous lease. Forticlient always comes with the same
> MAC as you said, and subsequently gets the old lease. My workaround so
> far is that I have set the lease time to one hour, which prevents the
> DHCP pool from getting exhausted. So far this worked for me :) But if
> there is not a specific reason for the Shrew client software to use a
> different MAC for each connection attempt, and if you can change this
> behavior, you should do it, because logically seen it would be clear to
> me that a connection (or a virtual IPSEC interface) always uses the
> same MAC. As far as I have seen it, every IPSEC client does use one and
> the same MAC address (which is even configurable in some cases iirc) for
> every connection because the MAC logically belongs to the interface and
> not to the connection imho. Regards Uwe

Hi Uwe,

Please test this build. It should hand out the same IP address to the
client each time ...

http://www.shrew.net/download/vpn/vpn-client-2.1.6-dhcpfix-1.exe

... if you can provide feedback quickly enough, I will roll the change
into 2.1.6 for the release.

-Matthew
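
The lease behaviour discussed in this thread, as an added simulation that is not part of the original messages and is not Shrew or Fortinet code: a small lease pool keyed by client hardware address, exercised by a client that changes its MAC on every connection and by one that keeps it. The class and function names, the four-address pool, the timings and the hash-derived stable MAC are all assumptions made for illustration.

```python
import hashlib
import os

class LeasePool:
    """Minimal DHCP-style pool: one lease per client hardware address (chaddr)."""
    def __init__(self, addresses, lease_seconds):
        self.free = list(addresses)
        self.lease_seconds = lease_seconds
        self.leases = {}  # chaddr -> (ip, expiry time)

    def request(self, chaddr, now):
        # Return expired leases of other clients to the free list first.
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now and mac != chaddr:
                del self.leases[mac]
                self.free.append(ip)
        if chaddr in self.leases:          # known client: renew the same address
            ip = self.leases[chaddr][0]
        elif self.free:                    # unknown client: consume a new address
            ip = self.free.pop(0)
        else:
            return None                    # pool exhausted: no offer is sent
        self.leases[chaddr] = (ip, now + self.lease_seconds)
        return ip

def random_mac():
    """A fresh locally administered MAC per connection attempt (the problem case)."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE            # locally administered, not multicast
    return bytes(b)

def stable_mac(seed):
    """The same locally administered MAC every time, derived from a persistent seed."""
    b = bytearray(hashlib.sha256(seed).digest()[:6])
    b[0] = (b[0] | 0x02) & 0xFE
    return bytes(b)

def connect_repeatedly(pool, mac_source, attempts, interval):
    """Return the address (or None) handed out on each connection attempt."""
    return [pool.request(mac_source(), now=i * interval) for i in range(attempts)]

def demo():
    addrs = ["10.0.0.%d" % i for i in range(1, 5)]   # constructed 4-address pool
    day, hour = 86400, 3600
    rand_long = connect_repeatedly(LeasePool(addrs, day), random_mac, 6, 600)
    rand_short = connect_repeatedly(LeasePool(addrs, hour), random_mac, 6, 1800)
    stable = connect_repeatedly(LeasePool(addrs, day), lambda: stable_mac(b"host-1"), 6, 600)
    return rand_long, rand_short, stable
```

`demo()` returns three runs: a changing MAC with long leases drains the pool, a changing MAC with the one-hour lease workaround keeps getting addresses as old leases expire, and a stable MAC is handed the same address on every attempt.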
