Skip to main content
drex018
drex018
New Member
April 22, 2020
Question

IKE Mode Config with DHCP

  • April 22, 2020
  • 3 replies
  • 6720 views

HI All,

 

I'm trying to support a Dialup IPsec clients which requires Mode Config to be enabled, and to use an external DHCP server to provide the dynamic IP address.

 

I've enabled Mode Config and DHCP under the phase1-interface. I've also enabled dhcp-proxy and configured a dhcp-server-ip under 'config system settings' as per the Fortinet documentation.

 

What I'm seeing is the FG is relaying the DHCP discover packet to my DHCP server, however the source IP address of the packet is incorrect. The IP I'm seeing is the FG interface IP from the network where the DHCP is located. What needs to happen is the FG needs to relay and use a source IP address from the VPN address pool/range or the IP on of the VPN interface, so that the DHCP server can know which IP range to use for this client.

 

I've tried setting a static IP on the VPN interface but didn't work either. Is there a way to control which source IP address the FG uses when it relays the DHCP discover (when Mode Config with DHCP is used)?

 

Thanks in advance

3 replies

emnoc
emnoc
New Member
April 22, 2020

Can you use a dhcp relay agent and id for this ? What does the dhcp-server support?

 

Ken Felix

 

drex018
drex018Author
New Member
April 22, 2020

The DHCP is the latest Windows Server and I can see it does support relay agent ID policies, so that could work.

 

However another issue I'm seeing now is that when the Fortigate relays the DHCP discover it's putting it's own interface MAC address as the 'Client MAC address' in the DHCP packet, instead of the VPN client. The idea behind this was to setup static MAC to IP reservations on the DHCP server for VPN clients so that certain clients would always get the same IP address.

AlexL
AlexL
New Member
April 23, 2020

Hi,

 

This is a known issue. Only in FortiOS 6.4 was it added the ability to specify an IP address as a DHCP helper, so that the DHCP server returned addresses from the specified range.

https://docs.fortinet.com/document/fortigate/6.4.0/new-features/85896/support-defining-gateway-ip-addresses-in-ipsec-with-mode-config-and-dhcp

pic
pic
New Member
January 7, 2022

The solution is to use the following option to tell the vpn the ip of the interface.
set dhcp-ra-giaddr 10.200.2.1

However, it seems not possible to make ip reservations on the DHCP server because the identifiers are of type "6869" and not 00: 37: 6C: E2: EB: 62.

Do you have a solution for this?

pic
pic
New Member
January 7, 2022
In IKEv2 the DHCP is sourced by the FortiGate and answered to the FortiGate only. FortiGate will assign the DHCP address via Mode config to the end user.
As FortiGate as source is using always the same MAC address as identifier, the FortiGate will use the option 61, Client Identifier as the exact username.
 
This implies, that this is only possible to assign an IP from the DHCP server by username.
If there are two times the same username on two different devices, expect to receive the same IP on both units, as the identifier is the same.
This will on be visible in the hexdump of the packet.
Option: (61) Client identifier
    Length: 7
    Terms & ConditionsAccessibility statement