Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sselvam
Staff
Staff

Created on ‎04-16-2020 07:02 AM Edited on ‎12-10-2025 07:22 AM By Community Manager

Article Id 192740

Technical Tip: DHCP IP address reservation with Dial up IPsec VPN with IKEv1

Description This article describes the steps to create a DHCP IP address reservation with a Dial-up IPsec VPN with IKEv1.
Scope FortiGate.
Solution

GUI configuration.

  1. In this example, the Dial-up tunnel has been created previously via the IPSec Wizard.
  2. Enable the DHCP Server in the tunnel interface. Go to: Network -> Interfaces -> Edit the tunnel interface

 

Apply the following settings:
IP: 172.16.1.100.
Remote IP/Netmask: 172.16.1.100 255.255.255.0. Enable the DHCP Server option.
Address range: 172.16.1.1-172.16.1.20.
Netmask: 255.255.255.0.

 

image.png

 

  1. Expand the 'Advanced' section; select 'Type IPsec'. Go to 'IP Address Assignment Rules' and select 'Create New'.

 

01.png

 

  1. Add the following settings and select OK:
  • Type: MAC Address.
  • MAC address: Add the MAC address of the client's physical interface.
  • Action Type: Reserve IP.
  • IP: Any IP from the DHCP Address Range.

image.png

 

Note:

The MAC address should be the local adapter, i.e., Ethernet/WiFi, not the Fortinet SSL VPN Virtual Adapter.

 

5. Select OK on the following screen:

 

image.png

 

  1. Disable the 'Mode Config' option in the IPsec phase 1 settings:
 02.png

 

  1. Enable DHCP over IPsec in the VPN phase 2 via the CLI.


config vpn ipsec phase2-interface
    edit "FC1
        set phase1name "FC1"
        set comments "VPN: FC1 (Created by VPN wizard)"
        set dhcp-ipsec enable
    next
end

 

  1. Enable DHCP over IPsec in the FortiClient advanced settings section.

Note: This is a legacy option, works with IKEv1 only.
                                                              

03.png

 

Note:

Select the 'Enable IPv4 Split Tunnel' to forward to the tunnel just the traffic to the desired networks. If this option remains disabled, all the client host traffic will be forwarded through the tunnel.

 
image.png

 

CLI configuration.
  1. To configure the DHCP server on the IPsec client interface:


config system dhcp server
    edit 3
        set dns-service default
        set default-gateway 172.16.1.100
        set netmask 255.255.255.0
        set interface "FC1"
            config ip-range
                edit 1
                    set start-ip 172.16.1.1
                    set end-ip 172.16.1.20
                next
            end
        set server-type ipsec
            config reserved-address
                edit 1
                    set ip 172.16.1.1
                    set mac 00:0c:29:17:70:98
                next
            end
        next
    end

 

  1. Disable 'Mode Config' in the VPN configuration.

 

config vpn ipsec phase1-interface
    edit FC1
        set mode-cfg disable

    next
end

 

  1. Enable DHCP over IPsec in the VPN phase 2.

 

config vpn ipsec phase2-interface
    edit "FC1"
        set phase1name "FC1"
        set dhcp-ipsec enable
    next
end

 

Results:

The reserved IP address will be assigned to the client host that matches the MAC address provided.

 

Note:

When mode-cfg is disabled, the split tunneling will not work since 'ipv4-split-include' will be unavailable.

 

Technical update:

Do not use the IP address assigned by the Wizard to prevent errors. 

 

For IKEv2 configuration examples, refer to the following articles:

Technical Tip: IPsec IKEv2 with mode-config and DHCP using the gateway IP address 

Technical Tip: How to configure IPsec dialup VPN using ikev2 with DHCP proxy 

Technical Tip: IPsec VPN IKEv2 full tunnel with FortiGate as the DHCP Server using VDOM Links 

 

Related articles:

Technical Tip: Diagnosing DHCP on a FortiGate

Technical Note: DHCP IP address reservation with Dial up IPsec VPN

Technical Tip: DHCP IP address configuration with Dial up IPsec VPN under VPN tunnel
Troubleshooting Tip: DHCP server over IPsec VPN Dial Up is not working and FortiGate does not forwar...
Labels:
31583
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.