Technical Tip: Configure an IPsec VPN Split tunnel with External DHCP on FortiClient

GUI configuration:

1. In this example, create a dial-up tunnel via the IPsec wizard by selecting 'custom' as the template type.
2. Specify the parameters as shown in the screenshot below:

3. Add the User group under XAUTH settings
4. Make sure to disable ‘Mode Config’ which is present in IPsec Phase 1 settings.

5. Go to the Network -> Interfaces, select the IPsec interface under the assigned WAN connection.

6. Change the addressing mode to manual with IP as 0.0.0.0 and Remote IP/Netmask as 0.0.0.0/0.0.0.0.
7. Enable DHCP server and select advanced settings.
8. Select 'Relay' as the mode, select 'IPsec' as the type, and specify the external DHCP server IP.

9. For the firewall policy, configure a policy from IPsec interface to Internal interface with source as IP range that is reserved on the DHCP server and destination as Internal subnet.
10. On the FortiClient, Enable DHCP over IPsec in the advanced settings section:

11. Enable IPv4 Split tunnel and specify the designated internal network subnet.

12. Save the configuration and login with user credentials.
13. Once connected, the address will get assigned from the external DHCP server.