amrit
Staff
Article Id 350791
Description

This article describes why the local adapter's DHCP server IP is added to the routing table when the user is connected to the SSL VPN full tunnel.

Scope

FortiGate.
Solution

Local adapter configuration:

C:\Users\Fortinet>ipconfig /all

Ethernet adapter Ethernet 4:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter #4
Physical Address. . . . . . . . . : 00-41-74-6C-48-01
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::dfec:2dbd:888a:7552%16(Preferred)
IPv4 Address. . . . . . . . . . . : 10.100.200.23(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, October 12, 2024 5:51:36 PM
Lease Expires . . . . . . . . . . : Saturday, October 26, 2024 9:03:26 PM
Default Gateway . . . . . . . . . : 10.100.200.1
DHCP Server . . . . . . . . . . . : 192.168.11.1
DHCPv6 IAID . . . . . . . . . . . : 151011700
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2A-87-3D-66-00-41-72-74-2E-01
DNS Servers . . . . . . . . . . . : 8.8.8.8
                                    8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Enabled

Routing table when the VPN is not connected:

C:\Users\Fortinet>route print

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.100.200.1    10.100.200.23     35
     10.100.200.0    255.255.255.0         On-link     10.100.200.23    291
    10.100.200.23  255.255.255.255         On-link     10.100.200.23    291
   10.100.200.255  255.255.255.255         On-link     10.100.200.23    291

After the SSL VPN full tunnel is connected:

C:\Users\Fortinet>ipconfig /all

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Fortinet SSL VPN Virtual Ethernet Adapter
Physical Address. . . . . . . . . : 00-09-0F-AA-00-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::fecd:abd8:4c4b:aa5d%22(Preferred)
IPv4 Address. . . . . . . . . . . : 10.212.134.100(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 10.212.134.101
DHCPv6 IAID . . . . . . . . . . . : 1577060623
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2A-17-6B-23-6C-24-08-48-F3-90
DNS Servers . . . . . . . . . . . : 8.8.8.8
                                    8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled

Routing table when the VPN is connected:

C:\Users\Fortinet>route print

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.100.200.1    10.100.200.23     35
          0.0.0.0          0.0.0.0   10.212.134.101   10.212.134.100      1
     192.168.11.1  255.255.255.255     10.100.200.1    10.100.200.23     35
   10.212.134.100  255.255.255.255         On-link    10.212.134.100    257


This is expected behavior. When the SSL VPN full tunnel is connected, the tunnel's default route (metric 1) takes precedence over the local default route, so a host route to the local DHCP server (192.168.11.1/32 via 10.100.200.1 in the table above) is required for the local adapter to keep communicating with that server, for example to renew its lease. Because a /32 host route is more specific than the tunnel's 0.0.0.0/0 route, all traffic to that IP leaves through the local adapter. The problem arises when that same IP also has to be reached over the VPN tunnel.

For example, if the user is connected to the office Wi-Fi/LAN network and the DHCP server is also a domain controller that needs to be accessed via the VPN, traffic to the domain controller is sent to the local gateway instead of into the tunnel. In such cases, it is mandatory to have a separate server IP on the local network, so that the address reached over the VPN is not the one carrying the local host route.
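To make the route selection concrete, the following Python script is an added example; it is not part of the Fortinet article and not FortiClient or FortiGate tooling. It loads the article's post-connection route print rows as constructed input, performs the longest-prefix-match lookup that Windows applies (with metric as the tie-breaker, a standard rule assumed here rather than stated by the article), and flags any host that should only be reached over the tunnel but is actually routed out of the local adapter. The tunnel interface address and the DHCP server IP are taken from the article's ipconfig output; the second test address 192.168.11.50 is a constructed placeholder for some other host on the remote network.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str        # next hop address, or "On-link"
    interface: str      # address of the egress interface
    metric: int


# Constructed input: the "Active Routes" rows from the article's route print
# output taken while the SSL VPN full tunnel is connected.
VPN_CONNECTED_ROUTES = """\
0.0.0.0 0.0.0.0 10.100.200.1 10.100.200.23 35
0.0.0.0 0.0.0.0 10.212.134.101 10.212.134.100 1
192.168.11.1 255.255.255.255 10.100.200.1 10.100.200.23 35
10.212.134.100 255.255.255.255 On-link 10.212.134.100 257
"""

TUNNEL_INTERFACE = "10.212.134.100"   # Fortinet SSL VPN adapter address (from ipconfig)
LOCAL_DHCP_SERVER = "192.168.11.1"    # DHCP Server of the local adapter (from ipconfig)


def parse_routes(text: str) -> List[Route]:
    """Turn 'destination netmask gateway interface metric' rows into Route objects.

    Rows that do not have exactly five fields (headers, separators, blank
    lines) are skipped, so raw 'route print -4' output can be fed in directly.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, gateway, iface, metric = fields
        # ip_network accepts a dotted netmask, so 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append(Route(network, gateway, iface, int(metric)))
    return routes


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Pick the route the host would use: longest prefix first, lowest metric on a tie."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def tunnel_bypass(routes: List[Route], tunnel_iface: str, vpn_only_hosts: List[str]):
    """Report hosts that must be reached through the VPN but whose selected route
    leaves via a different interface: the conflict the article describes."""
    leaks = []
    for host in vpn_only_hosts:
        chosen = select_route(routes, host)
        if chosen is None or chosen.interface != tunnel_iface:
            leaks.append((host, chosen))
    return leaks


if __name__ == "__main__":
    table = parse_routes(VPN_CONNECTED_ROUTES)
    for dst in (LOCAL_DHCP_SERVER, "192.168.11.50"):
        r = select_route(table, dst)
        print(f"{dst:>15} -> {r.network} via {r.gateway} on {r.interface} (metric {r.metric})")
    # Scenario from the article: the DHCP server is also a domain controller
    # that should only be reached over the tunnel.
    for host, route in tunnel_bypass(table, TUNNEL_INTERFACE, [LOCAL_DHCP_SERVER, "192.168.11.50"]):
        print(f"WARNING: {host} bypasses the tunnel via {route.gateway} on {route.interface}")
```

Running it shows 192.168.11.1 selected through 10.100.200.1 on the physical adapter, while 192.168.11.50 matches only the two default routes and goes to 10.212.134.101 on the SSL VPN adapter because of its lower metric. The bypass check reports the DHCP server address, which is exactly the conflict that a separate server IP avoids. On a live Windows host the rows can be produced with `route print -4` and passed to `parse_routes` unchanged.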