Cleyton
New Member
March 28, 2019
Question

Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networks

  • March 28, 2019
  • 3 replies
  • 47711 views

I created a route-based ipsec VPN connection (as per https://cookbook.fortinet...pn-two-fortigates-56/) to allow transparent communication between two networks that are located behind two Different FortiGates.

FortiGate 80E v6.0.4 / FortiGate 50E v6.0.4

FortiGate 80E (HQ) establishes an IPsec connection with the 50E (Branch). FortiGate 80E: WAN 189.XX.XX.XX, LAN 192.168.254.109

HQ internal Network 192.168.254.0/24

DHCP enabled, pool 192.168.254.100 to 192.168.254.254

config vpn ipsec phase1-interface
    edit "hq-to-branch"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: hq-to-branch"
        set remote-gw 177.XXX.XXX.XXX
        set psksecret
    next
end

config vpn ipsec phase2-interface
    edit "hq-to-branch"
        set phase1name "hq-to-branch"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set comments "VPN: hq-to-branch"
        set src-addr-type name
        set dst-addr-type name
        set src-name "hq-to-branch_local"
        set dst-name "hq-to-branch_remote"
    next
end


--------------------------------//---------------------------------------------


FortiGate 50E (Branch) establishes an IPsec connection with the 80E (HQ). WAN 177.XXX.XXX.XXX, LAN 192.168.100.101

DHCP disabled

Branch Internal Network 192.168.100.0/24

config vpn ipsec phase1-interface
    edit "branch-to-hq"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: branch-to-hq"
        set remote-gw 189.XX.XX.XX
        set psksecret ENC
    next
end

config vpn ipsec phase2-interface
    edit "branch-to-hq"
        set phase1name "branch-to-hq"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set comments "VPN: branch-to-hq"
        set src-addr-type name
        set dst-addr-type name
        set src-name "branch-to-hq_local"
        set dst-name "branch-to-hq_remote"
    next
end

Users on the HQ's internal network can access resources in the branch's internal network and vice versa. But I want the HQ DHCP to assign IP addresses to the branch network, which is in another subnet. Would it be possible?

3 replies

rwpatterson
New Member
March 28, 2019

You would need to place a DHCP helper on the LAN port of the remote site(s). This would intercept DHCP packets and forward them to the designated server(s) anywhere that traffic is permitted. I believe this is an option from the GUI.

Cleyton (Author)
New Member
March 28, 2019

Dear Bob, would this DHCP helper work on the LAN port? How do I do this? Could you explain better?

rwpatterson
New Member
March 28, 2019

Can't paste an image...

Cleyton (Author)
New Member
March 29, 2019

ede_pfau, I checked the "regular" DHCP Relay option, but it did not work. I'm wondering if the DHCP relay agent actually works in FortiGate, remembering that in my scenario I have an IPsec VPN connection between two FortiGates (FortiGate 80E and FortiGate 50E). FortiGate 80E is enabled with DHCP; FortiGate 50E is enabled with the DHCP relay agent on the LAN interface, as in the image attached to the post.

Jirka1
Explorer II
March 29, 2019

Hello Cleyton,

I think it can't work. You cannot assign an IP address from the HQ LAN range to the Branch LAN range. They are completely different networks. DHCP Relay works by sending IP address allocation queries from the range assigned to the interface. DHCP Relay works very well. We have built 13 branches. You can even enter multiple DHCP servers (we use DHCP on Windows Server and clustering).


Jirka

rwpatterson
New Member
April 1, 2019

If the DHCP server (at HQ) is configured with a subnet for the remote network, it will work without issue. The relay agent takes care of the magic in the back end.
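The mechanism Jirka and rwpatterson describe (the relay stamps each request with the address of the LAN interface it arrived on, and the server answers only if it holds a scope for that subnet) is easiest to see on the wire. The following is an added example written for this thread, not FortiGate code: it models a DHCPDISCOVER from a branch client, the relay hop, the server's scope selection by giaddr, and the resulting DHCPOFFER. The addresses follow the thread; the branch pool, the client MAC and the transaction id are constructed values.

```python
"""Constructed model of how a DHCP relay agent and server cooperate across
subnets (RFC 2131 giaddr semantics). Added example, not FortiGate code.
Addresses follow the thread: HQ LAN 192.168.254.0/24 with the DHCP server on
192.168.254.109, branch LAN 192.168.100.0/24 with the relay on 192.168.100.101."""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header

HQ_SERVER_IP = "192.168.254.109"
BRANCH_RELAY_IP = "192.168.100.101"

# Scopes as the HQ DHCP server might hold them (constructed values).
HQ_SCOPE = {"network": "192.168.254.0/24", "start": "192.168.254.100",
            "end": "192.168.254.254", "gateway": "192.168.254.109"}
BRANCH_SCOPE = {"network": "192.168.100.0/24", "start": "192.168.100.150",
                "end": "192.168.100.200", "gateway": "192.168.100.101"}


def build_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytearray:
    """Minimal DHCPDISCOVER as a client broadcasts it: giaddr 0, broadcast flag set."""
    fixed = struct.pack(HEADER, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
                        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return bytearray(fixed + MAGIC_COOKIE + bytes([53, 1, DHCPDISCOVER, 255]))


def relay_to_server(packet: bytes, relay_if_ip: str) -> bytearray:
    """Relay agent on the branch LAN: stamp giaddr with the address of the
    interface the broadcast arrived on, bump the hop count, then unicast the
    copy to the configured server (here across the IPsec tunnel)."""
    pkt = bytearray(packet)
    if pkt[3] >= 16:                       # RFC 1542 hop limit: drop looping requests
        raise ValueError("hop count exceeded, dropping")
    pkt[3] += 1
    if pkt[24:28] == b"\0\0\0\0":          # only the first relay sets giaddr
        pkt[24:28] = ipaddress.IPv4Address(relay_if_ip).packed
    return pkt


def select_scope(packet: bytes, scopes: list, server_if_subnet: str):
    """Server-side scope choice: the subnet containing giaddr wins; giaddr 0
    means the request arrived directly, so the receiving interface's subnet is used."""
    giaddr = ipaddress.IPv4Address(bytes(packet[24:28]))
    probe = giaddr if int(giaddr) else ipaddress.IPv4Network(server_if_subnet).network_address
    for scope in scopes:
        if probe in ipaddress.IPv4Network(scope["network"]):
            return scope
    return None                            # no matching scope: the server stays silent


def build_offer(discover: bytes, scope: dict, server_ip: str) -> bytearray:
    """DHCPOFFER carrying the first pool address; it is unicast back to giaddr
    and the relay re-broadcasts it on the LAN where the client is waiting."""
    pkt = bytearray(discover)
    net = ipaddress.IPv4Network(scope["network"])
    pkt[0] = BOOTREPLY
    pkt[16:20] = ipaddress.IPv4Address(scope["start"]).packed        # yiaddr
    pkt[20:24] = ipaddress.IPv4Address(server_ip).packed             # siaddr
    pkt[240:] = (bytes([53, 1, DHCPOFFER])                           # options after the cookie
                 + bytes([1, 4]) + net.netmask.packed
                 + bytes([3, 4]) + ipaddress.IPv4Address(scope["gateway"]).packed
                 + bytes([54, 4]) + ipaddress.IPv4Address(server_ip).packed
                 + b"\xff")
    return pkt


def offered_address(scopes: list, client_mac: bytes = b"\x00\x11\x22\x33\x44\x55"):
    """Run the exchange for a branch client; returns the offered IP or None."""
    discover = build_discover(client_mac)
    relayed = relay_to_server(discover, BRANCH_RELAY_IP)
    scope = select_scope(relayed, scopes, "192.168.254.0/24")
    if scope is None:
        return None
    offer = build_offer(relayed, scope, HQ_SERVER_IP)
    return str(ipaddress.IPv4Address(bytes(offer[16:20])))


if __name__ == "__main__":
    print("HQ scope only    :", offered_address([HQ_SCOPE]))                # None
    print("plus branch scope:", offered_address([HQ_SCOPE, BRANCH_SCOPE]))  # 192.168.100.150
```

With only the HQ scope configured the server finds no scope containing giaddr 192.168.100.101 and returns nothing, which is the silence Cleyton observed; adding a 192.168.100.0/24 scope on the HQ server makes the same relayed request succeed. The OFFER is addressed to giaddr, so the HQ firewall policy on the tunnel must allow UDP/67 from the branch LAN interface address to the server and back.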

Cleyton (Author)
New Member
April 1, 2019

In this case, in order for my HQ DHCP to assign IPs to the Branch, do I have to put the Branch in the same HQ network range? In the current IPsec VPN configuration the two FortiGate subnets are different, as in the images sent before. Do I have to redo my current VPN configuration and reconfigure the created subnets as overlapping, according to this tutorial: https://cookbook.fortinet...n-overlapping-subnets/

Jirka1
Explorer II
April 1, 2019

Cleyton wrote:

In this case, in order for my HQ DHCP to assign IPs to the Branch, do I have to put the Branch in the same HQ network range? In the current IPsec VPN configuration the two FortiGate subnets are different, as in the images sent before. Do I have to redo my current VPN configuration and reconfigure the created subnets as overlapping, according to this tutorial: https://cookbook.fortinet...n-overlapping-subnets/

Hi Cleyton,

If you want a branch to have the same address range as the HQ, I recommend using VXLAN: https://cookbook.fortinet.com/vxlan-over-ipsec-using-vtep-60/


Jirka