sselvam
Article Id 192740

Description

This article describes DHCP IP address reservation with dial-up IPsec VPN.

Scope

FortiGate.

Solution

GUI configuration.

  1. Create the dial-up VPN with the IPsec wizard.
  2. Create the DHCP server. Go to System -> Network -> Interfaces and edit the interface created by the wizard (the dial-up IPsec tunnel interface).


Assign an IP address to the interface:
IP: 172.16.1.100
Remote IP: 172.16.1.100
Enable DHCP Server.
Address range: 172.16.1.1 - 172.16.1.20
Netmask: 255.255.255.0
IP address reservation: add a MAC Reservation + Access Control entry:
MAC: <MAC address of the network card from which the VPN connection is made>
IP: <IP address to reserve>
Action: Reserve IP
Type: IPsec

  3. Disable mode config in the IPsec phase 1 settings.

In the latest versions, this can only be disabled via the CLI.

  4. Enable DHCP over IPsec in the VPN phase 2 via the CLI:


config vpn ipsec phase2-interface
    edit "FC1"
        set phase1name "FC1"
        set comments "VPN: FC1 (Created by VPN wizard)"
        set dhcp-ipsec enable
    next
end

 

  5. Enable DHCP over IPsec in FortiClient.

If split tunneling is enabled on the FortiGate, it must also be enabled in FortiClient, and the routed subnets must be added there manually.

CLI configuration.

  1. Configure the DHCP server on the IPsec tunnel interface (FC1):

 

config system dhcp server
    edit 3
        set dns-service default
        set default-gateway 172.16.1.100
        set netmask 255.255.255.0
        set interface "FC1"
        config ip-range
            edit 1
                set start-ip 172.16.1.1
                set end-ip 172.16.1.20
            next
        end
        set timezone-option default
        set server-type ipsec
        config reserved-address
            edit 1
                set ip 172.16.1.1
                set mac 11:22:33:44:55:66
            next
        end
    next
end

 

  2. Disable 'Mode Config' in the VPN phase 1 configuration:

 

config vpn ipsec phase1-interface
    edit FC1
        set mode-cfg disable
    next
end

 

  3. Enable DHCP over IPsec in the VPN phase 2:

 

config vpn ipsec phase2-interface
    edit "FC1"
        set phase1name "FC1"
        set dhcp-ipsec enable
    next
end
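The three CLI blocks above only work together if they agree with each other: mode-cfg disabled in phase 1, dhcp-ipsec enabled on the phase 2 that references that phase 1, and a DHCP server of type ipsec bound to the same tunnel interface with every reservation inside its pool. As an added example (not part of the original article and not a Fortinet tool), the following Python script parses a constructed copy of that configuration with a minimal FortiOS CLI parser and reports any mismatch; the interface name FC1 and the addresses are the article's own.

```python
from ipaddress import ip_address

# Constructed sample (not from a live device): the article's three CLI blocks,
# reduced to the settings that matter for DHCP over IPsec with a reservation.
SAMPLE = "\n".join([
    "config system dhcp server", "edit 3", 'set interface "FC1"', "set server-type ipsec",
    "config ip-range", "edit 1", "set start-ip 172.16.1.1", "set end-ip 172.16.1.20", "next", "end",
    "config reserved-address", "edit 1", "set ip 172.16.1.1", "set mac 11:22:33:44:55:66", "next", "end",
    "next", "end",
    "config vpn ipsec phase1-interface", "edit FC1", "set mode-cfg disable", "next", "end",
    "config vpn ipsec phase2-interface", 'edit "FC1"', 'set phase1name "FC1"', "set dhcp-ipsec enable",
    "next", "end",
])

def parse_fortios(text):
    """Nest FortiOS config/edit/set/next/end lines into dicts keyed by table and entry name."""
    root, stack = {}, []
    cur = root
    for parts in filter(None, map(str.split, text.splitlines())):
        if parts[0] in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(parts[1:]).strip('"'), {})
        elif parts[0] == "set":
            cur[parts[1]] = " ".join(parts[2:]).strip('"')
        elif parts[0] in ("next", "end"):
            cur = stack.pop()
    return root

def check_dhcp_over_ipsec(cfg, tunnel):
    """List the mismatches between the DHCP server and the tunnel's phase1/phase2 settings."""
    problems = []
    p1 = cfg.get("vpn ipsec phase1-interface", {}).get(tunnel, {})
    p2 = cfg.get("vpn ipsec phase2-interface", {}).get(tunnel, {})
    if p1.get("mode-cfg") != "disable":
        problems.append("phase1 %s: mode-cfg must be disabled" % tunnel)
    if p2.get("phase1name") != tunnel or p2.get("dhcp-ipsec") != "enable":
        problems.append("phase2 %s: dhcp-ipsec must be enabled" % tunnel)
    servers = cfg.get("system dhcp server", {}).values()
    srv = next((s for s in servers if s.get("interface") == tunnel), None)
    if srv is None:
        return problems + ["no DHCP server bound to interface %s" % tunnel]
    if srv.get("server-type") != "ipsec":
        problems.append("dhcp: server-type must be ipsec")
    pool = [(ip_address(r["start-ip"]), ip_address(r["end-ip"])) for r in srv.get("ip-range", {}).values()]
    for res in srv.get("reserved-address", {}).values():
        ip = ip_address(res["ip"])
        if not any(lo <= ip <= hi for lo, hi in pool):
            problems.append("reservation %s is outside the DHCP pool" % ip)
    return problems
```

Running `check_dhcp_over_ipsec(parse_fortios(SAMPLE), "FC1")` returns an empty list for the article's configuration; the same check run against a `show` dump from a real device catches a reservation outside the pool or a forgotten `set mode-cfg disable` before a client fails to obtain its address.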

 

Verification.

After this, each time the user connects via the IPsec VPN, the DHCP server assigns the reserved IP address.

Note:

When mode-cfg is disabled, split tunneling will not work, because 'ipv4-split-include' is unavailable.


Related articles:

Technical Note: DHCP IP address reservation with Dial up IPsec VPN

Technical Tip: DHCP IP address configuration with Dial up IPsec VPN under VPN tunnel