Scenario:
Branch office users want to obtain IP addresses from a central DHCP server located in the Hub over an existing IPsec Site-to-Site VPN tunnel.

- The DHCP client is connected to the 'internal' hardware switch on the FortiGate-80F (the branch office firewall). The 'internal' interface on the Branch FortiGate is statically configured with 10.0.0.1/24. Since the client's first DHCP DISCOVER broadcast arrives on this interface, the DHCP relay is configured here:

config system interface
    edit "internal"
        set vdom "Home-Lab"
        set dhcp-relay-service enable
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh fabric
        set type hard-switch
        set stp enable
        set role lan
        set dhcp-relay-ip "10.2.2.2"
    next
end
Important note:
It is commonly assumed that 'set dhcp-relay-type ipsec' is needed here. It is not used in this scenario: that option is for assigning IP addresses to remote-access (dial-up) VPN clients. Keep the default 'set dhcp-relay-type regular'.
- There is a site-to-site IPsec VPN tunnel between the Branch and Hub FortiGates. A branch typically has a dynamic public IP, so the dial-up (dynamic peer) style of site-to-site VPN configuration is used.
config vpn ipsec phase1-interface
    edit "Branch-to-Hub"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256gcm-prfsha256
        set localid "branch1"
        set dhgrp 31
        set nattraversal disable
        set remote-gw 192.168.1.4
        set psksecret 1234567890
    next
end
Note:
In IKEv1, use 'Aggressive mode' so that different branch FortiGates with dynamic IP addresses can connect to the Hub. Each branch FortiGate will use a unique 'Local ID' value (here 'branch1').
config vpn ipsec phase2-interface
    edit "Branch-to-Hub"
        set phase1name "Branch-to-Hub"
        set proposal aes256gcm
        set dhgrp 31
        set auto-negotiate enable
    next
end
- For traffic to reach the Hub through the VPN, the Hub subnet(s) (here 10.2.2.0/24) must be routed via the tunnel interface:
config router static
    edit 1
        set dst 10.2.2.0 255.255.255.0
        set distance 4
        set device "Branch-to-Hub"
    next
end
- On the Branch FortiGate, two firewall policies are required: one for outbound traffic (LAN to VPN) and one for inbound traffic (VPN to LAN).
config firewall policy
    edit 10
        set name "lan-to-vpn"
        set srcintf "internal"
        set dstintf "Branch-to-Hub"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 11
        set name "vpn-to-lan"
        set srcintf "Branch-to-Hub"
        set dstintf "internal"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments " (Reverse of lan-to-vpn)"
    next
end
Configuration on the Branch FortiGate is complete.
Hub config:
- IPsec VPN tunnel configuration on the Hub:
config vpn ipsec phase1-interface
    edit "hub-to-spokes"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256gcm-prfsha256
        set dpd on-idle
        set dhgrp 31
        set nattraversal disable
        set psksecret 1234567890
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "hub-to-spokes-P2"
        set phase1name "hub-to-spokes"
        set proposal aes256gcm
        set dhgrp 31
    next
end
- Static routes: since the Phase 2 configuration uses 0.0.0.0/0.0.0.0 as the selector, static routes are not created automatically on the Hub and must be created manually. 10.0.0.0/24 is the LAN subnet of the branch:
config router static
    edit 1
        set dst 10.0.0.0 255.255.255.0
        set distance 4
        set device "hub-to-spokes"
    next
end
- As on the Branch, two firewall policies are required to allow the VPN traffic:
config firewall policy
    edit 1
        set name "lan-to-vpn"
        set srcintf "port1"
        set dstintf "hub-to-spokes"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "vpn-to-lan"
        set srcintf "hub-to-spokes"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments " (Reverse of lan-to-vpn)"
    next
end
Here, wide firewall policies are used that allow all traffic, including DHCP. It is recommended to make them more restrictive, but make sure the necessary services are allowed: DHCP uses UDP 67 and UDP 68, and the relayed traffic across the tunnel is unicast from UDP 67 to UDP 67 in both directions (see the sniffer output in the troubleshooting section).
Ensure that the DHCP server is configured properly. The DHCP server at 10.2.2.2/24 must have a scope for the branch LAN; the server selects the scope from the relay agent address (giaddr) in the forwarded request, which is the branch 'internal' interface IP 10.0.0.1. The scope should be, for example, 10.0.0.50 to 10.0.0.60 with subnet mask 255.255.255.0 and 10.0.0.1 as the router IP address (default gateway).
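To show what the relay on the 'internal' interface actually does to the client's broadcast, and why the server scope must match that interface's subnet, here is an added worked example in Python. It is my own illustration of RFC 2131 relay behaviour with an RFC 3046 option 82, not FortiGate code: the relay fills giaddr with its interface address, increments hops, appends option 82, and unicasts the request to the server from UDP 67; on the way back it strips option 82 and delivers the reply to the client. Addresses follow this article; the client MAC, the circuit-id text and the scope table are constructed, and the option 82 payload is only illustrative (the FortiGate's own insertion differs).

```python
import ipaddress
import struct

# Added example, not FortiGate code: one DISCOVER/OFFER round through an RFC 2131 relay
# agent with an RFC 3046 option 82. Addresses follow the article; the client MAC, the
# circuit-id text and the scope table are constructed.
RELAY_IP = "10.0.0.1"     # branch 'internal' interface IP, used as giaddr
SERVER_IP = "10.2.2.2"    # central DHCP server behind the Hub
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_RELAY_AGENT, OPT_END = 53, 54, 82, 255
DISCOVER, OFFER = 1, 2
BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_FLAG = 0x8000
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # 236-byte fixed BOOTP header

def ip_bytes(addr):
    return ipaddress.ip_address(addr).packed

def ip_str(raw):
    return str(ipaddress.ip_address(raw))

def build_dhcp(op, msg_type, xid, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0",
               hops=0, flags=0, extra_opts=b""):
    """Minimal DHCP message: fixed header, magic cookie, message-type option, extras, END."""
    fixed = HDR.pack(op, 1, 6, hops, xid, 0, flags, b"\0" * 4, ip_bytes(yiaddr), b"\0" * 4,
                     ip_bytes(giaddr), chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type]) + extra_opts + bytes([OPT_END])

def parse_options(pkt):
    """Options area as an insertion-ordered {code: value} dict (pads skipped, stops at END)."""
    opts, i = {}, HDR.size + len(MAGIC_COOKIE)
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def rebuild(pkt, opts):
    """Keep pkt's fixed header, re-emit the options from the dict."""
    body = b"".join(bytes([c, len(v)]) + v for c, v in opts.items())
    return pkt[:HDR.size] + MAGIC_COOKIE + body + bytes([OPT_END])

def relay_to_server(pkt, circuit_id=b"internal"):
    """Client broadcast (0.0.0.0:68 -> 255.255.255.255:67) received on the relay interface.
    Set giaddr to that interface's IP (what the server keys scope selection on) if no
    earlier relay set it, bump hops, add option 82 and unicast to the server from UDP 67:
    the 10.0.0.1:67 -> 10.2.2.2:67 flow seen in the article's sniffer output."""
    hops = pkt[3]
    if hops >= 16:
        raise ValueError("hop count exceeded, discard (RFC 2131 s4.1)")
    giaddr = pkt[24:28] if pkt[24:28] != b"\0" * 4 else ip_bytes(RELAY_IP)
    opts = parse_options(pkt)
    opts[OPT_RELAY_AGENT] = bytes([1, len(circuit_id)]) + circuit_id   # sub-option 1: circuit ID
    out = rebuild(pkt[:3] + bytes([hops + 1]) + pkt[4:24] + giaddr + pkt[28:], opts)
    return {"src": (RELAY_IP, 67), "dst": (SERVER_IP, 67), "pkt": out}

def relay_to_client(pkt):
    """Server reply arrives unicast at giaddr. Accept only replies addressed to this relay,
    strip option 82, then deliver on the client side: ciaddr if set, broadcast if the client
    set the broadcast flag, else unicast to the offered yiaddr."""
    if pkt[0] != BOOTREPLY:
        raise ValueError("not a BOOTREPLY")
    if ip_str(pkt[24:28]) != RELAY_IP:
        raise ValueError("giaddr is not this relay")
    opts = parse_options(pkt)
    opts.pop(OPT_RELAY_AGENT, None)
    ciaddr, yiaddr = ip_str(pkt[12:16]), ip_str(pkt[16:20])
    flags = struct.unpack("!H", pkt[10:12])[0]
    dst = ciaddr if ciaddr != "0.0.0.0" else ("255.255.255.255" if flags & BROADCAST_FLAG else yiaddr)
    return {"src": (RELAY_IP, 67), "dst": (dst, 68), "pkt": rebuild(pkt, opts)}

def scope_for(giaddr, scopes):
    """Server-side rule the article depends on: pick the scope whose subnet contains giaddr.
    scopes: {cidr: (first, last, router)}; returns None when no scope matches."""
    for cidr, params in scopes.items():
        if ipaddress.ip_address(giaddr) in ipaddress.ip_network(cidr):
            return params
    return None

def demo():
    """One DISCOVER through the relay and a matching OFFER back; returns the facts to check."""
    mac = bytes.fromhex("020000000001")                       # constructed client MAC
    fwd = relay_to_server(build_dhcp(BOOTREQUEST, DISCOVER, 0x999646B2, mac))
    giaddr = ip_str(fwd["pkt"][24:28])
    scopes = {"10.0.0.0/24": ("10.0.0.50", "10.0.0.60", "10.0.0.1")}   # constructed scope table
    scope = scope_for(giaddr, scopes)
    echoed = parse_options(fwd["pkt"])[OPT_RELAY_AGENT]        # servers echo option 82 back
    extras = (bytes([OPT_SERVER_ID, 4]) + ip_bytes(SERVER_IP)
              + bytes([OPT_RELAY_AGENT, len(echoed)]) + echoed)
    offer = build_dhcp(BOOTREPLY, OFFER, 0x999646B2, mac, yiaddr=scope[0], giaddr=giaddr,
                       hops=1, extra_opts=extras)
    back = relay_to_client(offer)
    return {"fwd_src": fwd["src"], "fwd_dst": fwd["dst"], "giaddr": giaddr,
            "hops": fwd["pkt"][3], "opt82_to_server": OPT_RELAY_AGENT in parse_options(fwd["pkt"]),
            "scope": scope, "client_dst": back["dst"],
            "opt82_to_client": OPT_RELAY_AGENT in parse_options(back["pkt"])}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks in relay_to_client (BOOTREPLY only, giaddr equal to this relay) are the minimum a relay should enforce before forwarding a reply onto the LAN; scope_for shows why a scope keyed to the server's own 10.2.2.0/24 network would never answer a request relayed from 10.0.0.1.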
Use the following commands for troubleshooting:
diagnose debug reset
diagnose debug enable
diagnose debug console timestamp enable
diagnose debug application dhcprelay -1
Sample DHCP relay debug output on the Branch:
2025-07-17 16:08:21 (xid:999646b2) received request message from 0.0.0.0:68 to 255.255.255.255 at internal
2025-07-17 16:08:21 (xid:999646b2) got a DHCPREQUEST
2025-07-17 16:08:21 (xid:999646b2) Warning! can't get server id from client message
2025-07-17 16:08:21 Insert option(82), len(7)
2025-07-17 16:08:21 (xid:999646b2) forwarding dhcp request from 10.0.0.1:67 to 10.2.2.2:67
2025-07-17 16:08:21 (xid:0ce4f1b4) received request message from 0.0.0.0:68 to 255.255.255.255 at internal
2025-07-17 16:08:21 (xid:0ce4f1b4) got a DHCPREQUEST
2025-07-17 16:08:21 (xid:0ce4f1b4) Warning! can't get server id from client message
2025-07-17 16:08:21 Insert option(82), len(7)
2025-07-17 16:08:21 (xid:0ce4f1b4) forwarding dhcp request from 10.0.0.1:67 to 10.2.2.2:67
2025-07-17 16:08:21 (xid:0ce4f1b4) received request message from 10.0.254.20:67 to 10.0.1.254 at Branch-to-Hub
2025-07-17 16:08:21 (xid:0ce4f1b4) got a DHCPACK
2025-07-17 16:08:21 (xid:0ce4f1b4) from server 10.2.2.2
2025-07-17 16:08:21 (xid:0ce4f1b4) Send unicast to client, devidx 4 ip 10.0.0.50 mac xx:xx:xx:xx:xx
Run a sniffer command in another window:
diagnose sniffer packet any 'port 68 or port 67' 4 0 l
Sample debug/sniffer output on the Branch:
2025-04-08 09:40:19.013329 internal in 0.0.0.0.68 -> 255.255.255.255.67: udp 300
2025-04-08 09:40:19.017436 internal out 10.0.0.1.67 -> 255.255.255.255.68: udp 297
Sample debug/sniffer output on the Hub:
2025-04-08 09:40:19.731312 hub-to-spokes in 10.0.0.1.67 -> 10.2.2.2.67: udp 305
2025-04-08 09:40:19.731340 port1 out 10.0.0.1.67 -> 10.2.2.2.67: udp 305
2025-04-08 09:40:19.734081 port1 in 10.2.2.2.67 -> 10.0.0.1.67: udp 309
2025-04-08 09:40:19.734097 hub-to-spokes out 10.2.2.2.67 -> 10.0.0.1.67: udp 309
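As an added helper for the troubleshooting steps above (my own Python, not a FortiGate tool), the following reads 'diagnose sniffer packet' output from either the Branch or the Hub, checks the four legs of the relayed DHCP exchange in order, and names the first missing leg together with the part of the configuration above to check. Interface names and addresses default to this article's topology; the two captures embedded in the block are constructed in the same format as the article's samples, and the Hub one deliberately lacks the server's reply.

```python
import re
from dataclasses import dataclass

# Added example, not FortiGate code: classify 'diagnose sniffer packet' lines into the
# legs of a relayed DHCP exchange and report the first leg that is missing. Defaults
# follow the article's topology; the captures at the bottom are constructed.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dev>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): udp (?P<len>\d+)$")

@dataclass(frozen=True)
class Leg:
    name: str
    dev: str
    direction: str
    src: str        # "*" matches any address
    sport: int
    dst: str
    dport: int
    hint: str       # what to check when this is the first leg not seen

def parse_sniffer(text):
    """Turn sniffer output into dicts; lines that are not UDP summaries are ignored."""
    rows = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({k: (int(v) if k in ("sport", "dport", "len") else v)
                         for k, v in m.groupdict().items()})
    return rows

def branch_legs(lan_if="internal", tun_if="Branch-to-Hub", relay_ip="10.0.0.1", server_ip="10.2.2.2"):
    """Expected sequence on the Branch when the sniffer listens on 'any'."""
    return [
        Leg("client request on LAN", lan_if, "in", "*", 68, "255.255.255.255", 67,
            "no client broadcast reaches the relay interface: check the client and switch side"),
        Leg("request relayed into tunnel", tun_if, "out", relay_ip, 67, server_ip, 67,
            "relay is not forwarding: check dhcp-relay-service/dhcp-relay-ip, the route to the Hub subnet and the lan-to-vpn policy"),
        Leg("server reply over tunnel", tun_if, "in", server_ip, 67, relay_ip, 67,
            "nothing comes back: check the Hub policies, the Hub route for the branch LAN and the server scope for giaddr"),
        Leg("reply delivered to client", lan_if, "out", relay_ip, 67, "*", 68,
            "reply arrived but was not delivered: check the vpn-to-lan policy"),
    ]

def hub_legs(lan_if="port1", tun_if="hub-to-spokes", relay_ip="10.0.0.1", server_ip="10.2.2.2"):
    """Expected sequence on the Hub."""
    return [
        Leg("request from branch over tunnel", tun_if, "in", relay_ip, 67, server_ip, 67,
            "nothing arrives from the branch: check that the tunnel is up and the branch route and policy"),
        Leg("request forwarded to server", lan_if, "out", relay_ip, 67, server_ip, 67,
            "request dropped on the Hub: check the vpn-to-lan policy"),
        Leg("server reply", lan_if, "in", server_ip, 67, relay_ip, 67,
            "server does not answer: check that it has a scope for giaddr 10.0.0.1 and is reachable"),
        Leg("reply forwarded into tunnel", tun_if, "out", server_ip, 67, relay_ip, 67,
            "reply dropped on the Hub: check the static route for 10.0.0.0/24 via the tunnel and the lan-to-vpn policy"),
    ]

def matches(row, leg):
    return (row["dev"] == leg.dev and row["dir"] == leg.direction
            and row["sport"] == leg.sport and row["dport"] == leg.dport
            and leg.src in ("*", row["src"]) and leg.dst in ("*", row["dst"]))

def diagnose(rows, legs):
    """Return (names of legs seen, first missing Leg or None)."""
    seen = [leg.name for leg in legs if any(matches(r, leg) for r in rows)]
    missing = next((leg for leg in legs if leg.name not in seen), None)
    return seen, missing

# Constructed captures in the article's sniffer format.
BRANCH_OK = """
2025-04-08 09:40:19.013329 internal in 0.0.0.0.68 -> 255.255.255.255.67: udp 300
2025-04-08 09:40:19.014102 Branch-to-Hub out 10.0.0.1.67 -> 10.2.2.2.67: udp 305
2025-04-08 09:40:19.016987 Branch-to-Hub in 10.2.2.2.67 -> 10.0.0.1.67: udp 309
2025-04-08 09:40:19.017436 internal out 10.0.0.1.67 -> 255.255.255.255.68: udp 297
"""
HUB_NO_ANSWER = """
2025-04-08 09:40:19.731312 hub-to-spokes in 10.0.0.1.67 -> 10.2.2.2.67: udp 305
2025-04-08 09:40:19.731340 port1 out 10.0.0.1.67 -> 10.2.2.2.67: udp 305
"""

if __name__ == "__main__":
    for label, text, legs in (("branch", BRANCH_OK, branch_legs()), ("hub", HUB_NO_ANSWER, hub_legs())):
        seen, missing = diagnose(parse_sniffer(text), legs)
        print(label, "seen:", seen)
        print(label, "first missing:", None if missing is None else f"{missing.name} -> {missing.hint}")
```

Run it against a capture saved from each FortiGate; the first missing leg tells you which side of the tunnel, and which of the policies or routes above, to look at first.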
Related article:
Technical Tip: Diagnosing DHCP on a FortiGate