Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sselvam
Staff
Staff

Created on ‎04-16-2020 07:02 AM Edited on ‎01-20-2025 01:54 AM By Moderator

Article Id 192740

Technical Tip: DHCP IP address reservation with Dial up IPsec VPN

Description This article describes the steps to create a DHCP IP address reservation with Dial-up IPsec VPN.
Scope FortiGate.
Solution

GUI configuration.

  1. In this example, the Dial-up tunnel has been created previously via IPSec Wizard.
  2. Enable DHCP Server in the tunnel interface. Go to: Network -> Interfaces -> Edit the Interface tunnel

Apply the following settings:
IP: 172.16.1.100.
Remote IP/Netmask: 172.16.1.100 255.255.255.0.
Enable the DHCP Server option.
Address range: 172.16.1.1-172.16.1.20.
Netmask: 255.255.255.0.

 

image.png

 

  1. Expand the 'Advanced' section; select 'Type IPsec'. Go to 'IP Address Assignment Rules' and select 'Create New'.

 

01.png

 

  1. Add the following settings and select OK:

 

  • Type: MAC Address.
  • MAC address: Add the MAC address of the client's physical interface.
  • Action Type: Reserve IP.
  • IP: Any IP from the DCHP Address Range.

image.png

 

Note:

The MAC address should be the local adapter i.e. Ethernet/WiFi, not the Fortinet SSL VPN Virtual Adapter.

 

5. Select OK on the following screen:

 

image.png

 

  1. Disable the 'Mode Config' option in the IPsec phase 1 settings:
 02.png

 

  1. Enable DHCP over IPsec in the VPN phase 2 via the CLI.


config vpn ipsec phase2-interface
    edit "FC1
        set phase1name "FC1"
        set comments "VPN: FC1 (Created by VPN wizard)"
        set dhcp-ipsec enable
    next
end

 

  1. Enable DHCP over IPsec in the FortiClient advanced settings section:
                                                                  

03.png

 

Note: Select the 'Enable IPv4 Split Tunnel' to forward to the tunnel just the traffic to the desired networks. If this option remains disabled, all the client host traffic will be forwarded through the tunnel.

 
image.png

 

CLI configuration.
 
  1. To configure the DHCP server on the IPsec client interface:


config system dhcp server
    edit 3
        set dns-service default
        set default-gateway 172.16.1.100
        set netmask 255.255.255.0
        set interface "FC1"
            config ip-range
                edit 1
                    set start-ip 172.16.1.1
                    set end-ip 172.16.1.20
                next
            end
        set server-type ipsec
            config reserved-address
                edit 1
                    set ip 172.16.1.1
                    set mac 00:0c:29:17:70:98
                next
            end
        next
    end

 

  1. Disable 'Mode Config' in the VPN configuration.

 

config vpn ipsec phase1-interface
    edit FC1
        set mode-cfg disable

    next
end

 

  1. Enable DHCP over IPsec in the VPN phase 2.

 

config vpn ipsec phase2-interface
    edit "FC1"
        set phase1name "FC1"
        set dhcp-ipsec enable
    next
end

 

Results:

The reserved IP address will be assigned to the client host that matches the MAC address informed.

 

Note:

When mode-cfg is disabled, the split tunneling will not work since 'ipv4-split-include' will be unavailable.

 

Related articles:

Technical Note: DHCP IP address reservation with Dial up IPsec VPN

Technical Tip: DHCP IP address configuration with Dial up IPsec VPN under VPN tunnel
Labels:
25283
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.