Question
Tuesday, August 20, 2019 6:44 PM
Hello!
I am trying to implement an Always On VPN solution in a lab environment, and I am trying to understand how DHCP IP assignment works for VPN clients. I have two NICs on the VPN server: one internal (10.33.10.107) and one external, public-facing (10.33.11.166). My DHCP server (10.33.10.26) sits on the same subnet as the internal NIC.
Do I need to create a DHCP relay agent for this to work? Can anyone explain how DHCP IP assignment will work in this scenario?
How will the VPN server understand the DHCP scopes on the DHCP server, which may have different subnet scopes?
I have tried a static IP pool, which seems to be working fine, but for DHCP I am trying to see how this works before implementing it.
Thanks in advance!
All replies (7)
Tuesday, August 20, 2019 10:41 PM ✅Answered
If there's a DHCP server on the same subnet as the VPN server's internal network interface, the RemoteAccess service will automatically lease a block of IP addresses from it when the service starts. It will then manage these on behalf of VPN clients. VPN clients don't directly lease addresses from your DHCP server.
It's important to know that the VPN server only uses the IP address and the subnet mask of the DHCP lease for VPN clients. All other DHCP options are ignored. That's what really limits the usefulness of using DHCP for VPN client IP address assignment. It is generally recommended that you use static IP address pools instead.
If you still plan to use DHCP for VPN client IP address assignment, and you have more than one network interface, make sure you set the preferred network adapter on the IPv4 and IPv6 properties pages in the RRAS management console.
Richard M. Hicks
Founder and Principal Consultant - Richard M. Hicks Consulting, Inc.
directaccess.richardicks.com
Wednesday, August 21, 2019 2:34 AM
Hi,
Thanks for posting in the forum.
I agree with Richard: your VPN server's internal network interface and DHCP server are on the same subnet, so you don't need to configure a DHCP relay agent.
Best regards,
Hollis
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, August 21, 2019 11:02 AM
Hello Richard,
Thanks for the reply. I do need to understand how the IP range will be allotted to VPN clients using the DHCP server.
Let's say I have 10 scopes on the DHCP server: which scope will the VPN server choose to allocate IPs to VPN clients from? Please bear with my dumbness, since I may be missing some logic here.
Thanks
Wednesday, August 21, 2019 7:54 PM
The VPN server will use the scope for the subnet where the internal network interface resides (or whichever interface is defined as the 'preferred' interface).
Richard M. Hicks
Founder and Principal Consultant - Richard M. Hicks Consulting, Inc.
directaccess.richardicks.com
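The selection rule from the reply above, as an added example that is not part of the thread and is a model of the described behaviour, not RRAS code. The addresses come from the question; the /24 masks, adapter names and scope list are assumptions.

```python
import ipaddress

# Constructed lab data: the addresses come from the question; the /24 masks,
# adapter names and the list of scopes are assumptions made for this example.
ADAPTERS = {
    "Internal": ipaddress.ip_interface("10.33.10.107/24"),
    "External": ipaddress.ip_interface("10.33.11.166/24"),
}
DHCP_SERVER = ipaddress.ip_address("10.33.10.26")
SCOPES = [ipaddress.ip_network(n) for n in
          ("10.33.10.0/24", "10.33.20.0/24", "10.33.30.0/24")]


def scope_for(adapter, scopes=SCOPES):
    """Return the scope covering the adapter's address, or None if there is none."""
    return next((s for s in scopes if adapter.ip in s), None)


def lease_plan(preferred, adapters=ADAPTERS, server=DHCP_SERVER):
    """Model where the VPN server's address block comes from for one adapter."""
    nic = adapters[preferred]
    return {
        "adapter": preferred,
        # Only the scope for the preferred adapter's subnet is used; the
        # other scopes on the DHCP server play no part.
        "scope": scope_for(nic),
        # True when the DHCP server sits in the adapter's own subnet, the
        # case in which the replies above say no relay agent is required.
        "dhcp_on_link": server in nic.network,
    }


if __name__ == "__main__":
    # Internal: scope 10.33.10.0/24, DHCP server on-link.
    # External: no matching scope and no on-link DHCP server, which is why
    # the preferred adapter must be set when the server has several NICs.
    for name in ADAPTERS:
        print(lease_plan(name))
```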
Friday, August 23, 2019 7:32 AM
Hi,
Was your question resolved? I just want to confirm the current situation.
Best regards,
Hollis
Friday, August 23, 2019 10:48 AM
From my experience, a DHCP relay agent is needed. Also, when the RRAS service is activated and RRAS is set to use DHCP instead of a static pool, RRAS will reserve an IP pool from the DHCP scope right away, so you don't need to wait for the client to connect via VPN.
MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.
Tuesday, September 3, 2019 6:05 AM
Hi,
As this thread has been quiet for a while, we will propose it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
Best regards,
Hollis