Skip to main content
ChrisTan
Staff
ChrisTan
Staff
August 25, 2025

Technical Tip: IPsec VPN client with DHCP-relay for external DHCP service use loopback IP address

  • August 25, 2025
  • 0 replies
  • 1561 views
Description This article provides an option to use a loopback IP for the DHCP-relay source IP.
Scope FortiGate.
Solution

FortiGate allows an external DHCP server to assign IP addresses to the IPsec VPN clients. This is typically found in enterprises where all DHCP leases must be managed centrally.

 

yoda-kvm20 (P1) # show
    config vpn ipsec phase1-interface
        edit "P1"
            set type dynamic
            set interface "port1"
            set mode aggressive
            set peertype any
            set net-device enable
            set proposal aes256-sha256 aes256-sha384
            set dpd on-idle
            set comments "IPSec Dialup Phase1"
            set dhgrp 20
            set xauthtype auto
            set authusrgrp "VPNUsers"
            set psksecret ENC ****

            set dpd-retryinterval 10
        next
    end

 

yoda-kvm20 (P2) # show
    config vpn ipsec phase2-interface
        edit "P2"
            set phase1name "P1"
            set proposal aes256-sha256 aes256-sha384
            set dhgrp 20
            set comments "IPSec Dialup Phase2"
            set dhcp-ipsec enable  <----- Enable DHCP assignment in phase2-interface.
        next
    end

 

On the interface facing the DHCP server, DHCP relay is enabled. It also needs a source IP address to identify the IP address range to be assigned from the DHCP server:

 

edit "lo-FC-RA-P1"
    set vdom "root"
    set ip 10.253.0.1 255.255.255.255
    set type loopback
    set snmp-index 15
next

 

edit "FC-RA-P1"
    set vdom "root"
    set dhcp-relay-interface-select-method specify
    set dhcp-relay-interface "port2"
    set dhcp-relay-service enable
    set type tunnel
    set snmp-index 16
    set dhcp-relay-ip "10.167.1.172"     <-----------
    set dhcp-relay-source-ip 10.253.0.1  <-----------
    set dhcp-relay-circuit-id "FC-RA-P1"
    set dhcp-relay-type ipsec
    set interface "port1"
next

 

The 'dhcp-relay-source-ip' can be a loopback interface if the tunnel interface is not available.

 

2025-08-21_10h45_29.png

 

The DHCP server, for example, the Windows DHCP server, will reply from the IP pool, according to the loopback IP address range.
    Terms & ConditionsAccessibility statement