Use case
This article walks you through enabling DHCP relay over IPsec to Cloudi-Fi using the CloudGenix (Palo Alto Networks) SD-WAN solution.
Prerequisites
Before you begin, ensure you have the following prerequisites in place:
- Access to Cloudi-Fi Admin Console: You must have access to the Cloudi-Fi admin console to obtain DHCP and IPsec-related information.
- Create Cloudi-Fi Locations and Subnets: Within the Cloudi-Fi admin console, create the necessary locations and subnets corresponding to your network setup.
- Understanding of Your Network, Subnets, and Firewall Configuration: Clearly understand your network topology, subnets, and CloudGenix configuration.
- CloudGenix Palo Alto Networks: Access to your CloudGenix dashboard.
1. Get DHCP and IPsec info from Cloudi-DHCP admin console
- Log in to your Cloudi-Fi dashboard.
- Navigate to Networks > DHCP.
- Select the location that corresponds to the network on which you want to enable DHCP relay over IPsec.
- Note down the IPsec tunnel information:
  - FQDN, IPv4 address or user FQDN
  - Pre-shared key
- Under Cloudi-Fi, find and note down the following information:
  - Service Subnet
  - Service Address
- Additionally, locate the IPsec endpoint within Cloudi-Fi.
2. VPN IPSec profile configuration
Add a new VPN profile named Cloudi-Fi with the following criteria:
- Use the settings described in "DHCP - recommended settings for IPsec tunnel (IKEv2)".
- For the Remote_ID, use the IPsec endpoint identified previously (see 1. Get DHCP and IPsec info from Cloudi-DHCP admin console).
3. Interface configuration
Create a new IPsec network interface to route the DHCP traffic to the Cloudi-Fi cloud service:
- Interface type: Standard
- Scope: Local
- Inner Tunnel IP Address: Service Address (see 1. Get DHCP and IPsec info from Cloudi-DHCP admin console)
- Peer IP: the IPsec endpoint identified previously
- IPsec profile: Cloudi-Fi
- Parent Interface: Outbound Internet Interface
4. DHCP Service Configuration
Configure your local network interface:
- Go to Interfaces.
- Select your internal port and set the IP address that will be the default gateway for your guest users.
- Enable DHCP relay and set the Cloudi-Fi DHCP server IP address.
- Set the source interface to match your guest interface IP address.
5. Cloudi-Fi Service Endpoint creation
Create a Cloudi-Fi service endpoint under Stacked Policies > Service and DC Groups > Endpoint (top right):
- Create a new endpoint named Cloudi-Fi of type Standard VPN.
- Add a new group (named Cloudi-Fi, for example) and select the Cloudi-Fi endpoint you just created.
6. Create a path policy
Add a new path policy using the following criteria:
- Classification: App DHCP
- Action:
  - Active path: Standard VPN on Any public
  - Assign Service & DC Group: Cloudi-Fi
All other parameters can be left at their defaults.
All DHCP traffic will then be forwarded over the Cloudi-Fi IPsec tunnel.
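The relay configured in step 4 and the subnets created in the prerequisites depend on each other, and the script below (an added example, not code from this article, from Cloudi-Fi or from CloudGenix) shows why. A DHCP relay forwards the client's DISCOVER with its own source interface address written into the giaddr field, and a standard DHCP server (RFC 2131) uses giaddr to pick the address pool, so the guest interface address must lie inside a subnet that was declared on the server side. The script encodes a relayed DISCOVER, decodes giaddr back out, and runs the same scope selection a server would. The MAC address, the relay addresses and the declared subnet list are all constructed sample values.

```python
"""Added example (not code from the Cloudi-Fi article or from CloudGenix):
encode a DHCPDISCOVER the way a relay agent forwards it, with giaddr set to
the relay's source interface address, and check that giaddr lies inside a
subnet declared on the DHCP server. A standard DHCP server selects the pool
from giaddr (RFC 2131), so a relay source interface outside every declared
subnet gets no lease. All MAC addresses, IPs and subnets are constructed."""
import ipaddress
import struct
from typing import List, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"   # option field starts with this cookie
BOOTREQUEST = 1                    # op code used by clients and relays
OPT_MSG_TYPE = 53
OPT_END = 255
DHCPDISCOVER = 1


def build_relayed_discover(client_mac: bytes, giaddr: str, xid: int = 0x3903F326) -> bytes:
    """Minimal DHCPDISCOVER as it leaves the relay: hops=1, giaddr=relay interface."""
    if len(client_mac) != 6:
        raise ValueError("client_mac must be 6 bytes")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST,   # op
        1,             # htype: Ethernet
        6,             # hlen
        1,             # hops: incremented by the relay agent
        xid,
        0,             # secs
        0x8000,        # flags: broadcast bit
        b"\x00" * 4,   # ciaddr: client has no address yet
        b"\x00" * 4,   # yiaddr
        b"\x00" * 4,   # siaddr
        ipaddress.IPv4Address(giaddr).packed,  # giaddr: relay source interface
        client_mac.ljust(16, b"\x00"),         # chaddr
        b"\x00" * 64,  # sname
        b"\x00" * 128, # file
    )
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])
    return header + DHCP_MAGIC + options


def parse_relay_fields(packet: bytes) -> Tuple[int, int, str, Optional[int]]:
    """Return (op, hops, giaddr, DHCP message type) from a raw DHCP packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, hops = packet[0], packet[3]
    giaddr = str(ipaddress.IPv4Address(packet[24:28]))
    msg_type = None
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:          # pad option has no length byte
            i += 1
            continue
        length = packet[i + 1]
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = packet[i + 2]
        i += 2 + length
    return op, hops, giaddr, msg_type


def select_scope(giaddr: str, declared_subnets: List[str]) -> Optional[str]:
    """Server-side pool selection: first declared subnet that contains giaddr."""
    addr = ipaddress.IPv4Address(giaddr)
    for cidr in declared_subnets:
        if addr in ipaddress.IPv4Network(cidr):
            return cidr
    return None


def check_relayed_packet(packet: bytes, declared_subnets: List[str]) -> Optional[str]:
    """Return the scope a server would use for this relayed packet, or None."""
    op, hops, giaddr, msg_type = parse_relay_fields(packet)
    if op != BOOTREQUEST or msg_type != DHCPDISCOVER or giaddr == "0.0.0.0":
        return None            # not a relayed DISCOVER: nothing to match
    return select_scope(giaddr, declared_subnets)


if __name__ == "__main__":
    subnets = ["192.0.2.0/24"]   # constructed: the guest subnet declared on the server side
    ok = build_relayed_discover(bytes.fromhex("0011223344aa"), "192.0.2.1")
    bad = build_relayed_discover(bytes.fromhex("0011223344aa"), "198.51.100.1")
    print("relay source 192.0.2.1    ->", check_relayed_packet(ok, subnets))
    print("relay source 198.51.100.1 ->", check_relayed_packet(bad, subnets))
```

If the relay source interface in step 4 does not sit inside one of the subnets created in the Cloudi-Fi console, the second case above is what the server sees: a valid DISCOVER whose giaddr matches no scope, which a standard server answers with nothing, and guests never get a lease even though the IPsec tunnel and the path policy are correct.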
Summary
By following the steps outlined in this guide and using the information obtained from the Cloudi-Fi admin console, you can make sure that DHCP requests from remote networks are correctly relayed to the DHCP server, allowing clients to receive IP addresses and network configurations seamlessly.