jera
Staff
November 26, 2025

Technical Tip: Role of DHCP relay source-IP on IPSEC with external DHCP server

Description

This article explains how setting dhcp-relay-source-ip resolves the problem where a remote FortiClient user cannot be assigned an IP address by an external DHCP server.

Scope

FortiGate.

Solution

Topology:

(Topology diagram not reproduced here.)

  • 10.47.5.0/20 -> WAN.
  • 10.160.0.0/20 -> DMZ (where the DHCP server sits).
  • 10.200.0.0/20 -> LAN.
  • 172.18.72.0/24 -> IPsec users' IP range.


The DHCP relay uses dhcp-relay-source-ip as the source address of the DHCP requests it forwards to the DHCP server. The DHCP server sees this address as the origin of the relayed request and uses it to select the most appropriate IP address range for the client. If the tunnel interface address cannot be used for this purpose, a loopback interface address can be used as the source IP instead.


Sample configuration:


config system interface
    edit "dhcp_vpn"       --> Remote dialup tunnel interface.
        set vdom "root"
        set dhcp-relay-service enable
        set ip 172.18.72.253 255.255.255.255
        set type tunnel
        set remote-ip 172.18.72.253 255.255.255.0
        set dhcp-relay-ip "10.160.3.114"
        set dhcp-relay-source-ip 10.160.5.63     --> The IP assigned on FortiGate DMZ interface.
        set dhcp-relay-type ipsec
        set interface "port1"
    next
end
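To check these settings offline, here is an added example (not Fortinet code) that parses the interface block above as "show system interface" prints it and verifies that dhcp-relay-service, dhcp-relay-ip and dhcp-relay-source-ip are set, and that the source IP falls inside a subnet the DHCP server can reach. It assumes the DMZ subnet 10.160.0.0/20 from the topology is the one the server routes back to.

```python
import ipaddress
import re

# Constructed sample: the tunnel interface from the article above, as
# "show system interface dhcp_vpn" prints it (arrow notes removed).
SAMPLE_CONFIG = """\
config system interface
    edit "dhcp_vpn"
        set dhcp-relay-service enable
        set ip 172.18.72.253 255.255.255.255
        set type tunnel
        set remote-ip 172.18.72.253 255.255.255.0
        set dhcp-relay-ip "10.160.3.114"
        set dhcp-relay-source-ip 10.160.5.63
        set dhcp-relay-type ipsec
    next
end
"""

def parse_interfaces(text):
    # Returns {interface name: {setting: value}} for each 'edit' block.
    interfaces, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = interfaces.setdefault(m.group(1), {})
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip('"')
        elif line == "next":
            current = None
    return interfaces

def check_relay(iface, server_nets):
    # server_nets: CIDR strings the DHCP server has a route back to
    # (assumption: its own DMZ subnet). Empty result means settings are consistent.
    findings = []
    if iface.get("dhcp-relay-service") != "enable":
        findings.append("dhcp-relay-service is not enabled")
    if "dhcp-relay-ip" not in iface:
        findings.append("dhcp-relay-ip (the external DHCP server) is not set")
    src = iface.get("dhcp-relay-source-ip")
    if src is None:
        tunnel_ip = iface.get("ip", "?").split()[0]
        findings.append(f"no dhcp-relay-source-ip: requests leave with tunnel IP {tunnel_ip}")
    elif not any(ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in server_nets):
        findings.append(f"dhcp-relay-source-ip {src} is not in a subnet the DHCP server reaches")
    return findings
```

Run check_relay(parse_interfaces(SAMPLE_CONFIG)["dhcp_vpn"], ["10.160.0.0/20"]) to get the list of findings; an empty list means the relay is configured as the article describes.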


Related articles:

Technical Tip: Unable to get IP from external DHCP server for IPSec user 

Technical Tip: IPsec VPN client with DHCP-relay for external DHCP service use loopback IP address