How to enable the DHCP service on a CloudGenix (Palo Alto Networks) SD-WAN solution
To enable the DHCP service on CloudGenix, follow these steps:
- Set up the IPSec tunnel interface
- Configure a DHCP Relay and disable the DHCP Server
- Add a Cloudi-Fi Service Group
- Create a path policy to route DHCP traffic through the tunnel
VPN IPSec profile configuration
Add a new VPN Profile named Cloudi-Fi with the following criteria:
IKE Group
- Version: IKEv2
- Lifetime: 24h
- Mode: Main
- Proposals
  - DH Groups: modp-2048
  - Encryption: AES-256-CBC
  - Hash: SHA-512
- Dead Peer Detection: Yes
ESP Group
- Lifetime: 8
- Proposals:
  - DH Groups: modp-2048
  - Encryption: AES-256-CBC
  - Hash: SHA-512
Authentication
- Type: PSK
- Secret:
- Local ID: Interface IP Address
- Remote ID: 51.91.106.238

Interface configuration
Create a new IPsec network interface to route the DHCP traffic to the Cloudi-Fi cloud solution.
- Interface type: Standard
- Scope: Local
- Inner Tunnel IP Address:
- Peer IP: 51.91.106.238
- IPsec profile: Cloudi-Fi
- Parent Interface: Outbound Internet Interface

DHCP Service Configuration
Configure your local network interface
Go to Interfaces

Select your internal port and set its IP address, which will be the default gateway for your Guest users.

Enable DHCP Relay and set the Cloudi-Fi DHCP server IP address.
Set the source interface to match your Guest interface IP address.

Cloudi-Fi Service Endpoint creation
Create a Cloudi-Fi service endpoint under Stacked Policies / Service and DC Groups / Endpoint (top right).

Create a new endpoint named Cloudi-Fi of type Standard VPN.

Add a new group, named Cloudi-Fi for example, and select the Cloudi-Fi endpoint you just created.

Create a path policy
Add a new path policy using the following criteria:
- Classification: App DHCP
- Action
  - Active path: Standard VPN on Any public
  - Assign Service & DC Group: Cloudi-Fi
- All other parameters can be set to default

All DHCP traffic will be forwarded over the Cloudi-Fi IPSec tunnel.