IPsec VPN with external DHCP service
You can use an external DHCP server to assign IP addresses to your IPsec VPN clients. This is a common scenario found in enterprises where all DHCP leases need to be managed centrally.
In this example, the DHCP server assigns IP addresses in the range of 172.16.6.100 to 172.16.6.120. The server is attached to internal2 on the FortiGate and has an IP address of 192.168.3.70.
To configure a DHCP server to assign IP addresses to IPsec VPN clients:
- Create a user group for remote users:
- Go to User & Device > User Definition > Create New.
- For User Type, select Local User.
- Complete the wizard, and click Submit.
- Go to User & Device > User Groups > Create New.
- Create a Firewall user group for your remote users.
- For Members, add the user you just created.
- Click OK.
- Add a firewall address for the local network and IPsec VPN client range:
- Go to Policy & Objects > Addresses.
- Create a new Subnet address for the LAN, including the IP mask and local interface (internal2).
- Click OK.
- Create a new IP Range address for the IPsec VPN client range (
172.16.6.100–172.16.6.120
). - Click OK.
- Configure the IPsec VPN using a VPN tunnel in the CLI:
config vpn ipsec phase1-interface edit "dhcp_vpn" set type dynamic set interface "wan1" set mode aggressive set peertype any set net-device disable set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set dpd on-idle set dhgrp 5 set xauthtype auto set authusrgrp "ipsecvpn" set psksecret <xxxxxx> set dpd-retryinterval 60 next end config vpn ipsec phase2-interface edit "toclient" set phase1name "dhcp_vpn" set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 set dhgrp 5 set dhcp-ipsec enable next end
- Configure the IPsec VPN interface:
- Go to Network > Interfaces and edit the newly created IPsec VPN interface.
- Enable the DHCP Server.
- Expand Advanced and change the Mode to Relay.
- Enter the external DHCP server IP address (
192.168.3.70
). - Change the Type to IPsec.
- Click OK.
- Create a security policy for access to the local network:
- Go to Policy & Objects > IPv4 Policy > Create New.
- Configure the following parameters:
- Set the Incoming Interface to the tunnel interface created in step 3 (dhcp_vpn).
- Set the Outgoing Interface (internal2).
- Set the Source to the IPsec VPN client range defined in step 2 (ipsecvpn_range).
- Set the Destination to the subnet address defined in step 2 (Local LAN).
- Set the Service to ALL.
- Click OK.
- Configure FortiClient:
- In FortiClient, go to REMOTE ACCESS > Add a new connection.
- Configure the following parameters:
- Set the VPN type to IPsec VPN.
- Enter a connection name.
- Set the Remote Gateway to the FortiGate external IP address.
- Set the Authentication Method to Pre-shared key and enter the key below.
- Expand the Advanced Settings > VPN Settings and for Options, select DHCP over IPsec.
- Click Save.
- Select the new connection, and enter the user name and password.
- Click Connect.
Once the connection is established, the external DHCP server assigns the user an IP address and FortiClient displays the connection status, including the IP address, connection duration, and bytes sent and received.
Verification
- In FortiOS, go to Monitor > IPsec Monitor and verify that the tunnel Status is Up.
- Go to Log & Report > Forward Traffic and verify the Sent / Received column displays the traffic flow through the tunnel.