Francesko (Staff)
Article Id 393411
Description: This article describes the steps to configure and bind a static IP address to a designated username in an IKEv2 dialup IPsec scenario by using an external DHCP Server and FortiClient.
Scope: FortiGate, FortiClient.
Solution:

In certain scenarios, a specific Dialup IPsec client must receive a designated IP address from an external DHCP server. To accomplish this, DHCP Option 61 (Client Identifier) can be used, serving as the key identifier for binding the client to a static IP address.

 

Basic requirements for proper functionality:

  1. The DHCP proxy must be enabled on the FortiGate device.
  2. The DHCP server must know how to route back to the IP address specified in the FortiGate's 'dhcp-ra-giaddr' setting.

 

Note:
The dhcp-proxy option enables DHCP proxy functionality on the FortiGate for remote-access VPNs such as dial-up IPsec and SSL VPNs that use DHCP-based address allocation.

 

Diagram (image)

 

Step 1: Enable the DHCP Proxy Feature on FortiGate:

 

config system settings
    set dhcp-proxy enable
    set dhcp-server-ip "172.16.40.100"
end

 

Step 2: Configure the Dialup IPsec Phase 1 and Phase 2 Interfaces:

 

config vpn ipsec phase1-interface
    edit "TestIKEv2"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha1 aes256-sha256
        set dpd on-idle
        set dhgrp 20
        set eap enable
        set eap-identity send-request
        set assign-ip-from dhcp
        set dhcp-ra-giaddr 192.168.150.1
        set dns-mode auto
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret fortinet
        set dpd-retryinterval 60
    next
end


config vpn ipsec phase2-interface
    edit "TestIKEv2P2"
        set phase1name "TestIKEv2"
        set proposal aes128-sha1 aes256-sha256
        set dhgrp 20
    next
end

 

Step 3: Assign IP Addresses to the VTI (Virtual Tunnel Interface):

 

config system interface
    edit "TestIKEv2"
        set vdom "root"
        set ip 192.168.150.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 192.168.150.254 255.255.255.0
        set interface "port2"
    next
end

 

Step 4: Configure Users, User Groups, and Firewall Policy:

 

config user local
    edit "fct_client1"
        set type password
        set passwd fortinet
    next
end

 

config user group
    edit "Dialup_GRP"
        set member "fct_client1"
    next
end

 

config firewall policy
    edit 1
        set name "Dialup_to_InternalResource"
        set srcintf "TestIKEv2"
        set dstintf "Internal_Resource"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "Dialup_GRP"
    next
end
 

Step 5: Configure the FortiClient VPN Profile to Use IKEv2 and "Mode Config" for Address Assignment.

 

Step 6: On the external DHCP server, create a DHCP scope for the subnet that contains the address set in dhcp-ra-giaddr (the relay address the server uses to select the scope):

Note: Configuring a default gateway for the scope is not required.

 

DHCP Scope Options (screenshot)

 

DHCP Policies (screenshot)

 

On a Windows DHCP Server, the Client Identifier (Option 61) must be specified as a HEX value. Therefore, the username used by the client for authentication must be converted to HEX format. This information can be easily obtained by capturing the DHCP Request packet and analyzing it in Wireshark.

 

Important: Ensure that the Client Identifier HEX value includes the type field. Omitting it may cause the DHCP server to bypass the intended policy.

 

Example:

fct_client1 = 6663745F636C69656E7431 in HEX format.

By including the type byte, the HEX value becomes: 006663745F636C69656E7431.

 

DHCP Request PCAP (screenshot)

 

Alternatively, address reservation can be used, which only requires the HEX-encoded username without the type byte.

 

DHCP Reservation (screenshot)

 

Note: When using address reservation, the HEX-encoded username should be entered in the MAC address field.
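As an added example (not part of this article), the following Python script derives both HEX forms of the Option 61 value for a username (with the type byte for a DHCP policy, without it for a reservation) and decodes an Option 61 field from the options bytes of a captured DHCP Request, so the value entered on the server can be checked against what the FortiGate DHCP proxy actually sent. The username and the sample options bytes are constructed.

```python
# Added example (not from the article): Windows DHCP Server Client Identifier
# (Option 61) values for a dial-up IPsec username, plus a decoder for the
# Option 61 field of a captured DHCP Request.
from __future__ import annotations

OPTION_CLIENT_ID = 61     # DHCP option code for Client Identifier (RFC 2132)
TYPE_NON_HARDWARE = 0x00  # type byte 0x00: identifier is a name, not a MAC address


def username_to_hex(username: str) -> str:
    """HEX form of the username alone (entered in the reservation 'MAC address' field)."""
    return username.encode("ascii").hex().upper()


def policy_client_id_hex(username: str) -> str:
    """HEX form with the leading type byte, as a DHCP policy condition expects."""
    return f"{TYPE_NON_HARDWARE:02X}" + username_to_hex(username)


def encode_option61(username: str) -> bytes:
    """Raw TLV bytes as seen on the wire: code, length, type byte, identifier."""
    ident = bytes([TYPE_NON_HARDWARE]) + username.encode("ascii")
    return bytes([OPTION_CLIENT_ID, len(ident)]) + ident


def decode_option61(options: bytes) -> tuple[int, str] | None:
    """Walk a DHCP options field and return (type, identifier) for Option 61.
    Pad (0) and end (255) options carry no length byte and are handled."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:        # pad option
            i += 1
            continue
        if code == 255:      # end of options
            break
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if code == OPTION_CLIENT_ID and length >= 1:
            return value[0], value[1:].decode("ascii", errors="replace")
        i += 2 + length
    return None


if __name__ == "__main__":
    user = "fct_client1"  # constructed username, same as the article's example
    print("reservation value:", username_to_hex(user))
    print("policy condition :", policy_client_id_hex(user))
    # Constructed options field: message type (53) = Request, Option 61, end.
    sample = bytes([53, 1, 3]) + encode_option61(user) + bytes([255])
    print("decoded from capture:", decode_option61(sample))
```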

 

If configured correctly, users authenticating via FortiClient will receive the IP address assigned by the DHCP server.

 

Results (screenshot)

 

Steps for Troubleshooting:

 

  1. Verify that DHCP Discover and Offer packets are properly transmitted through the FortiGate (the parentheses keep the port filter together, since 'and' binds tighter than 'or' in the sniffer filter syntax):

diagnose sniffer packet any 'host <dhcp_server_IP> and (udp port 67 or udp port 68)' 6 0 a

  2. Verify that dhcp-ra-giaddr is set to the correct IP address and that dhcp-proxy is enabled on the FortiGate.

Related articles:

Troubleshooting Tip: Using the FortiOS built-in packet sniffer for capturing packets

Troubleshooting Tip: IPsec VPN tunnels