New Contributor II
October 25, 2007
IPSec VPN dhcp problem

Hi all, I've set up a FortiGate 60A to use dial-up client VPN through a VIP address. The setting is like this:

    OS Version: 3.0
    WAN IP: 111.222.333.444
    Fortigate 60A Internal IP: 131.107.22.1
    INTERNAL SUBNET: 131.107.22.0/32
    VIP SUBNET Assign to VPN: 10.10.200.0

I can connect to the VPN tunnel, but cannot get the IP address. The log on FortiClient shows an error [status=negotiate_error msg="Failed to acquire an IP address"]. I'm using the FortiGate as the DHCP server, and added the DHCP server record already. Here are my questions:

1. How can I solve this problem?
2. Actually I'm not sure about how to add the DHCP server. According to the manual, I added a record of type "IPSec", IP range 10.10.200.2-250, on the WAN port. But I'm not sure about the default gateway. Should I use 131.107.22.1 or another one?


    New Contributor II
    October 25, 2007
    On what interface did you apply the DHCP server?
    New Contributor II
    October 25, 2007
    I added the DHCP server on the WAN port.
    New Contributor II
    October 26, 2007
    Hi dorayaki,
    "I'm using the FortiGate as the DHCP server, and added the DHCP server record already."
    You can't do that; you need to configure the FortiGate as an IPsec DHCP relay, and you need a DHCP server in your internal network. The FortiGate can't be the DHCP server in an IPsec VPN. The second thing to do is to add a rule to allow IPsec clients to get an IP address from your DHCP server, placed before the main IPsec rule, like this:

        config firewall policy
            edit 22
                set srcintf "internal"
                set dstintf "wan1"
                set srcaddr "DHCP_SERVER"
                set dstaddr "all"
                set action ipsec
                set schedule "always"
                set service "DHCP"
                set inbound enable
                set outbound enable
                set vpntunnel "YOUR_VPN_NAME"
            next
        end

    I hope it helps.
    abelio
    SuperUser
    October 26, 2007
    "You can't do that; you need to configure the FortiGate as an IPsec DHCP relay, and you need a DHCP server in your internal network. The FortiGate can't be the DHCP server in an IPsec VPN."
    That's not true; the IPsec DHCP server is available for policy-mode (tunnel-mode) IPsec VPNs (it is not available for route/interface-mode ones, however).
    New Contributor II
    October 26, 2007
    I'll use my internal DHCP server instead, but I'm still confused about why it is necessary. I would prefer to use my FortiGate to do that... Anyway, thank you for your reply.
    New Contributor II
    October 26, 2007
    You should assign the DHCP server on your WAN interface: System > DHCP > choose your WAN interface and then choose "Servers", don't choose "Relay". Then "Edit", tick "Enable", choose Type > "IPSEC", and add an IP range for your IPsec addresses. Don't forget to click "Advanced" in order to put in your internal DNS. This DHCP configuration is working on my FG. Let me know if this solves your problem.
    New Contributor II
    October 26, 2007
    I also did this before, but I don't know what I should enter in the "Default Gateway". For example, my internal subnet is 192.168.0.0, and the subnet assigned to VPN clients is 192.168.1.0. The internal IP of the FortiGate is 192.168.0.1. Since it doesn't have an IP in the range 192.168.1.x, can I use 192.168.0.1 as the "Default Gateway" in the DHCP server setting? Or use another method like a static route?
    New Contributor II
    October 26, 2007
    Just use an IP in subnet 192.168.1.0 to assign your default GW, and don't forget to specify the source and destination addresses in your firewall policy. And put this policy on top of the other policies.
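    Both replies insist that the DHCP-only IPsec policy must sit above the broad policy for the same tunnel, because FortiOS matches policies top-down. As an added example (not code from this thread or from Fortinet), here is a small Python check that parses a "config firewall policy" fragment and confirms that ordering; the sample config is constructed in the shape of the one posted above, with the placeholder tunnel name YOUR_VPN_NAME.

```python
import re

# Constructed sample in the thread's CLI shape: the narrow DHCP policy (22)
# sits above the broad tunnel policy (23) for the same VPN.
SAMPLE_CONFIG = """config firewall policy
    edit 22
        set srcaddr "DHCP_SERVER"
        set action ipsec
        set service "DHCP"
        set vpntunnel "YOUR_VPN_NAME"
    next
    edit 23
        set srcaddr "all"
        set action ipsec
        set service "ANY"
        set vpntunnel "YOUR_VPN_NAME"
    next
end"""

def parse_policies(text):
    """Return the block's policies as an ordered list of (id, {setting: value}).
    Order matters: FortiOS evaluates policies top-down, first match wins."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"edit (\d+)", line)
        if m:
            current = (int(m.group(1)), {})
            policies.append(current)
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[1][key] = value.strip().strip('"')
    return policies

def dhcp_policy_first(policies, tunnel):
    """True if an IPsec policy for `tunnel` that permits only service DHCP
    precedes every broader IPsec policy for that tunnel. A broad policy
    placed above it would shadow it, and dial-up clients would get no lease
    (the 'Failed to acquire an IP address' error in the thread)."""
    seen_broad, seen_dhcp = False, False
    for _, p in policies:
        if p.get("action") != "ipsec" or p.get("vpntunnel") != tunnel:
            continue
        if p.get("service") == "DHCP":
            if seen_broad:
                return False
            seen_dhcp = True
        else:
            seen_broad = True
    return seen_dhcp
```

    Feed it the output of "show firewall policy" from the unit; if it returns False for your tunnel, move the DHCP policy above the general one.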
    New Contributor II
    October 26, 2007
    However, I don't have any IP address in subnet 192.168.1.0 because it is a subnet for VPN only. If I want to use the FortiGate as the DHCP server and its own private IP is 192.168.0.1, how can I use an IP in subnet 192.168.1.0 as the default gateway?