HomeHome ArticlesArticles Most Popular ArticlesMost Popular Articles Most Helpful ArticlesMost Helpful Articles Request New ArticleRequest New Article
RSS Feeds
DrillDown Icon Table of Contents
DrillDown Icon Knowledge Base Information
DrillDown Icon Cyberoam Security Appliances (UTM and NGFW)
DrillDown Icon FAQs on Cyberoam and Sophos Firewall
DrillDown Icon Vulnerability Security Advisories
DrillDown Icon Best Practices & Policies
DrillDown Icon Protect Your Cyberoam Appliances from Power Fluctuations
DrillDown Icon Technical Library
DrillDown Icon Deployment
DrillDown Icon Registration & Licensing
DrillDown Icon System
DrillDown Icon Objects
DrillDown Icon Network
DrillDown Icon Add Static DNS Host Entry in Cyberoam
DrillDown Icon Establish a 6in4 IP tunnel using a Tunnel Broker Service
DrillDown Icon From where do I change the Maximum Transmission Unit (MTU) or Maximum Segment Size (MSS) values of any Cyberoam Interface?
DrillDown Icon Configure Multi-Port Bridge in Cyberoam
DrillDown Icon Configure DNS Inbound Load Balancing and Failover
DrillDown Icon Configure Link Aggregation (LAG) in Cyberoam
DrillDown Icon Configure Zone settings in Cyberoam
DrillDown Icon Routing
DrillDown Icon Wireless LAN (WLAN)
DrillDown Icon Wireless WAN
DrillDown Icon Configure Cyberoam as a DDNS Server
DrillDown Icon Create an IP Tunnel
DrillDown Icon Implement Transparent Subnet Gateway using Bridge Pair
DrillDown Icon Implement Transparent Subnet Gateways using Proxy ARP
DrillDown Icon Configure Cyberoam as HTTP Proxy Server Using Single Port
DrillDown Icon Configure DHCP Option Objects in Cyberoam
DrillDown Icon How do I configure DHCP Option Object 150 in VoIP Configuration?
DrillDown Icon Implement IPv6 using Cyberoam CLI Console
DrillDown Icon Configure Cyberoam as DHCP Relay
DrillDown Icon Tunnel IPv6 Traffic over IPv4 Network
DrillDown Icon Integrate Cyberoam with third-party Dynamic DNS Service Provider
DrillDown Icon Configure PPPoE on Cyberoam
DrillDown Icon Configure Cyberoam as DHCP Server
DrillDown Icon What is the meaning of AND & OR in Gateway Failover condition?
DrillDown Icon Does Cyberoam support Fiber Optical networks?
DrillDown Icon How to take a tcpdump on Cyberoam for IPv6 traffic?
DrillDown Icon Why are users not being able to access a website hosted on an internal web server when their browsers have Cyberoam configured?
DrillDown Icon How to prevent MAC Spoofing in Cyberoam?
DrillDown Icon Does Cyberoam Support H.323 Standard?
DrillDown Icon How can I clone the MAC address of an interface (Port) of Cyberoam?
DrillDown Icon Does Cyberoam support VLAN over WAN interface?
DrillDown Icon My 3G is not getting connected automatically after reboot. What can be the reason for the same?
DrillDown Icon How to change the Interface/Port Speed?
DrillDown Icon Does Cyberoam support RTP (Real-time Transport protocols)?
DrillDown Icon SIP support in Cyberoam
DrillDown Icon Which are the voice protocols supported by Cyberoam?
DrillDown Icon How do I tag Cyberoam's Bridge Interface initiated traffic with VLAN IDs?
DrillDown Icon How can I bring my LAN and WLAN that terminate on Cyberoam under a single subnet?
DrillDown Icon Configure Virtual LAN in Cyberoam
DrillDown Icon Configure Gateway Load Balancing and Failover
DrillDown Icon How to assign multiple IP addresses on WAN Interface?
DrillDown Icon How to check Gateway wise Data transfer?
DrillDown Icon Configure DHCP over VPN in Cyberoam
DrillDown Icon Identity
DrillDown Icon Firewall
DrillDown Icon VPN
DrillDown Icon IPS
DrillDown Icon Web Filter
DrillDown Icon Application Filter
DrillDown Icon Web Application Firewall (WAF)
DrillDown Icon IM
DrillDown Icon Quality of Service (QoS)
DrillDown Icon Anti Virus
DrillDown Icon Anti Spam
DrillDown Icon Logs & Reports
DrillDown Icon Clients
DrillDown Icon Cyberoam Maintenance
DrillDown Icon Compatibility
DrillDown Icon Archives
DrillDown Icon Cyberoam Virtual Security
DrillDown Icon Cyberoam iView
DrillDown Icon Cyberoam Central Console
DrillDown Icon Cyberoam's On-Cloud Management Service
  Subscribe Print PreviewPrint Current Article and All Sub-Articles
Rate Icon Rate Icon Rate Icon Rate Icon Rate Icon
Configure DHCP over VPN in Cyberoam

Applicable Version: 10.00 onwards


Allocation of address space is one of the major challenges when planning and deploying a VPN network. With the ability to tunnel DHCP over VPNs, it allows network administrators to manage their entire IP address space from a central DHCP server. In addition, by enabling this feature, it will allow roaming users to travel across multiple branches and administrators can have control over the network. 

This article describes a detailed configuration example that demonstrates how to configure DHCP over Site-to-Site IPSec VPN tunnel between two Cyberoam.


A hypothetical example has been shown where Head Office has a DHCP Server and IP addresses needs to be leased to Branch Office users connected over Site-to-Site VPN Tunnel.




A Site-to-Site VPN Tunnel should be configured between Head office and Branch office. For details on how to configure an IPSec tunnel, refer to the following articles: 

Branch Office Configuration

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

Step 1: Configure Branch Office Cyberoam as DHCP Relay Agent

Go to Network > DHCP > Relay and click Add to create a relay agent as per parameters below. 







Provide a name to identify DHCP Relay Agent.

IP Family


Select the IP Family for DHCP Relay Agent.


PortA -

Select internal interface.


DHCP Relay agent can be configured on virtual sub-interface but cannot be configured on Interface alias.

DHCP Server IP

Specify DHCP Server IP Address. You can also configure multiple DHCP servers. This support deployment where DHCP server running in high availability environment. DHCP Relay will forward packets to all the configured DHCP Servers and active server will serve the request. In case active server goes down, backup server serves the request. DHCP server takes care of leasing the IP Address to a client.


Maximum DHCP servers configures per DHCP Relay - 8

Relay through IPSec

(Only if IP Family is IPv4)


Click to enable Relay through IPSec VPN.


After DHCP Relay configuration, on IP address renewal, Branch Office users would get IP Addresses from Head Office DHCP Server

Step 2: Forward DHCP Traffic to Head Office

You need to forward the DHCP traffic of the Head Office Cyberoam over the IPSec VPN Tunnel. You can forward the traffic by following the steps given below. 

1.  Logon to CLI Console via Telnet or SSH. You can also access the CLI Console by clicking  on the upper right corner of the Web Admin Console screen. 


    From firmware version 10.6.1 onwards, the Console button is visible to the Super Administrator ONLY

2.    Choose option 4. Cyberoam Console.

3.    Execute the following commands to route traffic over IPSec tunnel:

      console> cyberoam ipsec_route add host tunnelname DHCPoverVPN


      DHCP Server IP –
      VPN Tunnel name – DHCPoverVPN

4.    Execute the following command to NAT Cyberoam generated traffic: 


      console> set advanced-firewall cr-traffic-nat add destination snatip

     DHCP Server IP –
     Interface (LAN Interface of Branch Office) – 


The configuration above sends DHCP traffic from the Branch Office to Head Office.






                                                                                                                        Document Version: 2.1 – 8 September, 2015 

Related Articles

Article ID: 2077