sselvam
Staff
Article Id 192740
Description: This article describes the steps to create a DHCP IP address reservation for a Dial-up IPsec VPN.
Scope: FortiGate.
Solution

GUI configuration.

  1. In this example, the Dial-up tunnel has already been created with the IPsec Wizard.
  2. Enable the DHCP Server on the tunnel interface. Go to Network -> Interfaces and edit the tunnel interface.

Apply the following settings:

  • IP: 172.16.1.100.
  • Remote IP/Netmask: 172.16.1.100 255.255.255.0.
  • Enable the DHCP Server option.
  • Address range: 172.16.1.1-172.16.1.20.
  • Netmask: 255.255.255.0.

  3. Expand the 'Advanced' section of the DHCP Server settings and set 'Type' to 'IPsec'. Go to 'IP Address Assignment Rules' and select 'Create New'.

  4. Add the following settings and select OK:

  • Type: MAC Address.
  • MAC address: Add the MAC address of the client's physical interface.
  • Action Type: Reserve IP.
  • IP: Any IP from the DHCP Address Range.

Note:

The MAC address must be that of the client's local physical adapter (Ethernet or Wi-Fi), not the Fortinet SSL VPN Virtual Adapter.

  5. Select OK on the interface page to save the settings.

  6. Disable the 'Mode Config' option in the IPsec phase 1 settings.

  7. Enable DHCP over IPsec in the VPN phase 2 via the CLI:

config vpn ipsec phase2-interface
    edit "FC1"
        set phase1name "FC1"
        set comments "VPN: FC1 (Created by VPN wizard)"
        set dhcp-ipsec enable
    next
end

  8. Enable DHCP over IPsec in the FortiClient advanced settings section.

Note: Select 'Enable IPv4 Split Tunnel' to send only the traffic for the desired networks through the tunnel. If this option remains disabled, all traffic from the client host is forwarded through the tunnel.

CLI configuration.

  1. Configure the DHCP server on the IPsec client interface:

config system dhcp server
    edit 3
        set dns-service default
        set default-gateway 172.16.1.100
        set netmask 255.255.255.0
        set interface "FC1"
        config ip-range
            edit 1
                set start-ip 172.16.1.1
                set end-ip 172.16.1.20
            next
        end
        set server-type ipsec
        config reserved-address
            edit 1
                set ip 172.16.1.1
                set mac 00:0c:29:17:70:98
            next
        end
    next
end

  2. Disable 'Mode Config' in the VPN phase 1 configuration:

config vpn ipsec phase1-interface
    edit "FC1"
        set mode-cfg disable
    next
end

  3. Enable DHCP over IPsec in the VPN phase 2:

config vpn ipsec phase2-interface
    edit "FC1"
        set phase1name "FC1"
        set dhcp-ipsec enable
    next
end

Results:

The reserved IP address is assigned to the client host whose physical adapter matches the configured MAC address.

Note:

When mode-cfg is disabled, split tunneling will not work, because the 'ipv4-split-include' setting is unavailable.

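The following script is an added example, not part of this article or of FortiOS: it reads the three CLI blocks above with a small 'set'-line parser and checks the conditions this procedure depends on (reserved IP inside the DHCP range, the tunnel interface IP outside it, a well-formed MAC, and server-type ipsec, mode-cfg disable and dhcp-ipsec enable all present). The sample configuration is constructed from the article's own blocks.

```python
import ipaddress
import re

# Constructed sample: the lines that matter, taken from the article's three CLI blocks.
SAMPLE = """
config system dhcp server
    edit 3
        set default-gateway 172.16.1.100
        set server-type ipsec
        config ip-range
            edit 1
                set start-ip 172.16.1.1
                set end-ip 172.16.1.20
            next
        end
        config reserved-address
            edit 1
                set ip 172.16.1.1
                set mac 00:0c:29:17:70:98
            next
        end
    next
end
config vpn ipsec phase1-interface
    edit "FC1"
        set mode-cfg disable
    next
end
config vpn ipsec phase2-interface
    edit "FC1"
        set dhcp-ipsec enable
    next
end"""

def setting(cfg, key):  # value of the first 'set <key> <value>' line, quotes stripped, or None
    m = re.search(r"^\s*set %s (\S+)" % re.escape(key), cfg, re.M)
    return m.group(1).strip('"') if m else None

def check_reservation(cfg):
    """Return the problems found; an empty list means the reservation can be handed out."""
    start, end, ip, gw = [ipaddress.ip_address(setting(cfg, k)) for k in ("start-ip", "end-ip", "ip", "default-gateway")]
    mac = (setting(cfg, "mac") or "").lower()
    # Settings the procedure requires, and the value each must carry.
    required = {"server-type": "ipsec", "mode-cfg": "disable", "dhcp-ipsec": "enable"}
    problems = ["%s must be %s" % (k, v) for k, v in required.items() if setting(cfg, k) != v]
    if not start <= ip <= end:
        problems.append("reserved ip %s is outside the pool %s-%s" % (ip, start, end))
    if start <= gw <= end:
        problems.append("default-gateway %s sits inside the pool" % gw)
    if not re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", mac):  # colon-separated, six octets
        problems.append("mac %r is not a colon-separated MAC address" % mac)
    return problems
```
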
Related articles:

Technical Note: DHCP IP address reservation with Dial up IPsec VPN

Technical Tip: DHCP IP address configuration with Dial up IPsec VPN under VPN tunnel