Article Id 191948

This article describes how to reserve a virtual IP address for an IPsec VPN client based on the authenticated user, and how to set up a FortiGate unit to work with a RADIUS server so that the RADIUS-assigned virtual IP address is passed to the IPsec VPN client of the user that authenticated.

FortiGate 4.0
FortiClient, or any IPsec client that supports XAuth and DHCP over IPsec.

During RADIUS authentication, the FortiGate unit will look for the 'Framed-IP-Address' attribute (RFC 2865, section 5.8) in the Access-Accept packet. When this attribute is present and the FortiGate unit is configured to use it, it will be given back to the client through IPsec, SSL-VPN and PPTP.

This is only supported in FortiOS 4.0 and higher.

For example:

  • Client PC establishes a VPN tunnel to the FortiGate unit. 
  • The FortiGate unit is set up to forward the authentication request to a RADIUS server.
  • If authentication is successful, the RADIUS server sends an Access-Accept packet back to the FortiGate unit carrying the RADIUS attribute Framed-IP-Address (the IP address assigned/reserved for the user).
  • The Client requests an IP address over DHCP-IPsec.
  • The FortiGate unit passes the address received from the RADIUS server to the client over DHCP-IPsec.
  • In this example port2 is the external port facing the client, and port5 is the interface facing the internal subnet.
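As an added example (not Fortinet code and not part of this article), the following Python shows the step the flow above depends on: extracting the Framed-IP-Address from an Access-Accept packet, after verifying the Response Authenticator against the shared secret so that a forged reply cannot inject an address. The shared secret, Identifier, Request Authenticator and attribute values are constructed for the demonstration. It also skips the two reserved values from RFC 2865 section 5.8 (255.255.255.254 means the NAS chooses the address, 255.255.255.255 means the user negotiates one), which are not addresses to hand to a client.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS = 8  # RFC 2865 section 5.8
# Reserved Framed-IP-Address values (RFC 2865 5.8): not real addresses for a client.
NAS_SELECTS, USER_SELECTS = b"\xff\xff\xff\xfe", b"\xff\xff\xff\xff"

def build_access_accept(ident, request_auth, secret, attributes):
    """Access-Accept with Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    attrs = b"".join(struct.pack("BB", t, 2 + len(v)) + v for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_attributes(attrs):
    """Walk the Type/Length/Value list, rejecting truncated or zero-length items."""
    out, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        out.append((atype, attrs[pos + 2:pos + alen]))
        pos += alen
    return out

def framed_ip_from_accept(packet, request_auth, secret):
    """Return the Framed-IP-Address to hand to the client, or None if the reply is not an
    Access-Accept or carries no usable address. Raises ValueError if the authenticator fails."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]  # RFC 2865: octets past Length are padding and are ignored
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: do not trust this reply")
    if code != ACCESS_ACCEPT:
        return None
    for atype, value in parse_attributes(attrs):
        if atype == FRAMED_IP_ADDRESS and len(value) == 4 and value not in (NAS_SELECTS, USER_SELECTS):
            return str(IPv4Address(value))
    return None
```

The authenticator check is the reason the shared secret between FortiGate and RADIUS server matters: without it, anyone who can reach the RADIUS exchange could answer with an Access-Accept of their choosing.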


  • A FortiGate unit running FortiOS 4.0 or higher
  • The FortiGate unit is connected to the internet
  • The FortiGate unit can reach the RADIUS server
  • The RADIUS server is properly set up and has the correct Framed-IP-Address configured for each user, so that the RADIUS server sends the Framed-IP-Address associated with the user in the Access-Accept packet.
  • As there are all kinds of RADIUS servers available, Fortinet is not responsible for the setup of the RADIUS server. 

The following is a simple example of a user entry in the FreeRADIUS users file:

fortinettest    Auth-Type := CHAP, User-Password == "fortinet"
        Service-Type = Framed-User,
        Session-Timeout = 180,
        Idle-Timeout = 120,
        Framed-IP-Address =

FortiGate Configuration:

In this example a route-based (interface mode) IPsec VPN is used.

Configure the RADIUS server profile and the user group:

config user radius
    edit "RADIUS"
        set nas-ip
        set secret ENC t8JMeRJkFjDf
        set server ""
    next
end

config user group
    edit "RADIUS-Client"
        set member "RADIUS"
    next
end

Set up the dial-up IPsec VPN:

config vpn ipsec phase1-interface
    edit "Radius-test"
        set type dynamic
        set interface "port2"
        set proposal 3des-sha1
        set xauthtype pap                 <------ enable XAuth
        set psksecret ENC ldspei00
        set authusrgrp "RADIUS-Client"    <------ authenticate against the user group created above
    next
end

config vpn ipsec phase2-interface
    edit "Radius-test_ph2"
        set add-route enable      <------ optional
        set phase1name "Radius-test"
        set proposal 3des-sha1
        set dhcp-ipsec enable     <------ enable DHCP over IPsec
    next
end

Setup DHCP over IPsec:

Set up the DHCP server from the CLI. In this example "DHCP-radius" is used as the name:

config system dhcp server
    edit "DHCP-radius"
        set interface "Radius-test"   <----- the DHCP server is bound to the IPsec sub-interface
        set netmask   <----- Netmask must be set to
        set server-type ipsec
        set ip-mode usrgrp            <----- addresses come from the user group (RADIUS) rather than a pool
    next
end

Set up the firewall policies:

config firewall policy
    edit 1
        set srcintf "Radius-test"
        set dstintf "port5"
        set srcaddr "forticlient"
        set dstaddr "internal subnets"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 2
        set srcintf "port5"
        set dstintf "Radius-test"
        set srcaddr "internal subnets"
        set dstaddr "forticlient"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

FortiClient setup:

This setup is transparent to FortiClient. The FortiClient configuration is the same as the usual client setup, with XAuth enabled and the virtual IP address acquired via DHCP over IPsec.