Technical Tip: IPsec VPN client with DHCP-relay for external DHCP service destined to VPN client
Description
This article provides the CLI commands to configure the DHCP relay on the tunnel interface, the IPsec dial-up tunnel (phase 1 and phase 2), and the firewall policies, so that an IPsec VPN client obtains its address from an external DHCP server through the FortiGate.
Scope
FortiGate.
Solution

Note: 'DHCP over IPsec' option is not supported for IKEv2.
IPsec VPN client settings:

CLI configuration:
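config system interface
    edit "ClientTunnel"
        # Tunnel interface for the dial-up VPN; the name must match the phase1-interface entry.
        set vdom "root"
        # Relay the clients' DHCP requests to the external DHCP server instead of serving them locally.
        set dhcp-relay-service enable
        # An IP address within the DHCP network, so the relayed requests carry a relay address
        # inside the scope that the DHCP server is expected to lease from.
        set ip 10.200.68.196 255.255.255.255
        set type tunnel
        # NOTE(review): remote-ip is identical to the interface ip in the original article -- confirm intended.
        set remote-ip 10.200.68.196
        # snmp-index is auto-assigned and device-specific; it can be omitted when re-creating the interface.
        set snmp-index 15
        # External DHCP server on the internal network.
        set dhcp-relay-ip "10.68.1.117"
        # 'ipsec' relay type serves DHCP requests arriving through the dial-up tunnel
        # (dhcp-ipsec is enabled in the phase2-interface entry).
        set dhcp-relay-type ipsec
        set interface "port2"
    next
end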
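config firewall address
    edit "dhcpforIPsecClient_range"
        # uuid is auto-generated; omit it when re-creating the object on another device.
        set uuid f1904504-aff6-51e6-413f-199821d9d1b2
        set type iprange
        set comment "VPN: ClientTunnel (Created by VPN wizard)"
        # Addresses the external DHCP server leases to the VPN clients. The firewall policies
        # reference this object by name; object names are case-sensitive, so spell it exactly.
        set start-ip 10.200.68.233
        set end-ip 10.200.68.234
    next
end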
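config vpn ipsec phase1-interface
    edit "ClientTunnel"
        # Dial-up (dynamic) peer: clients may connect from any source address.
        set type dynamic
        set interface "port2"
        # The FortiClient dial-up wizard selects IKEv1 aggressive mode; IKEv2 is not an option here
        # because DHCP over IPsec is not supported with it.
        # CAUTION: aggressive mode with a pre-shared key exposes the identity hash before encryption
        # is established, so the PSK can be attacked offline -- use a long random PSK, or prefer
        # certificate / XAuth user authentication rather than relying on the PSK alone.
        set mode aggressive
        set comments "VPN: ClientTunnel (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        # mode-cfg (FortiGate-assigned client addresses) must be disabled, otherwise
        # 'set dhcp-ipsec enable' is refused in the phase2-interface entry.
        set mode-cfg disable
        # Enter the PSK in clear text. An 'ENC ...' value copied from another device's 'show'
        # output is encrypted with that device's key and cannot be reused.
        set psksecret <strong-pre-shared-key>
    next
end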
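# (The interface, firewall-address and phase1-interface blocks were pasted here a second time,
#  byte-identical to the first copy; the duplicate has been removed.)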
Note: 'set mode-cfg' must be disabled in the phase-1 configuration before 'set dhcp-ipsec enable' is accepted in the phase-2 configuration; the two address-assignment methods (FortiGate mode-cfg pool versus relayed external DHCP) are mutually exclusive.
config vpn ipsec phase2-interface
edit "ClientTunnel"
set phase1name "ClientTunnel"
set comments "VPN: ClientTunnel (Created by VPN wizard)"
# Let the dial-up client obtain its address via DHCP through the tunnel; requires
# mode-cfg to be disabled in the phase1-interface entry.
set dhcp-ipsec enable
next
end
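config firewall policy
    edit 1
        # uuid values are auto-generated; omit them when re-creating the policies.
        set uuid 5ef30dd2-ada1-51e6-3860-47cc8b9be9da
        # Name of the tunnel interface.
        set srcintf "ClientTunnel"
        set dstintf "port5"
        # Address range leased by the DHCP server; must match the firewall address object name
        # exactly (names are case-sensitive -- the original listing had "dhcpforIPsecCLient_range").
        set srcaddr "dhcpforIPsecClient_range"
        # Address range of the internal network.
        set dstaddr "vlan68"
        set action accept
        set schedule "always"
        # NOTE(review): 'ALL' grants VPN clients every service on the internal network;
        # narrow this to the services the clients actually need.
        set service "ALL"
        set logtraffic all
        set comments "VPN: ClientTunnel (Created by VPN wizard)"
    next
    edit 2
        set uuid f9d26db4-adb2-51e6-b169-40acf1cd2950
        set srcintf "port5"
        set dstintf "ClientTunnel"
        set srcaddr "vlan68"
        set dstaddr "dhcpforIPsecClient_range"
        set action accept
        set schedule "always"
        # Only ICMP may be initiated from the internal network towards the clients.
        set service "ALL_ICMP"
        set logtraffic all
        set comments "allow Private network to initiate traffic towards FortiClients"
    next
end

# Supporting objects referenced by the policies above (they were listed inside
# 'config firewall policy' in the original, which is not valid CLI).
config firewall address
    edit "vlan68"
        set uuid 1026f39c-ad99-51e6-6035-19f79428c9cf
        set associated-interface "port5"
        set subnet 10.68.0.0 255.255.240.0
    next
end

config system interface
    edit "port5"
        set vdom "root"
        # Replace 'x' with the real host part before applying.
        # NOTE(review): port5 sits in 192.168.1.0/24 while 'vlan68' (10.68.0.0/20) is associated
        # with it -- presumably a VLAN sub-interface on port5 carries 10.68.0.0/20; confirm.
        set ip 192.168.1.x 255.255.255.0
        # http and telnet were removed from the original allowaccess list: both carry admin
        # credentials in clear text. Keep management to https/ssh (fgfm is FortiManager access).
        set allowaccess ping https ssh fgfm
        set type physical
        # snmp-index is auto-assigned and device-specific; it can be omitted.
        set snmp-index 4
    next
end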
