FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Anonymous
Not applicable
Article Id 191367

Description

This article describes how to assign the client IP address to IKEv2 dialup clients using a DHCP proxy.

 

Scope

FortiGate.


Solution

Enable the global DHCP proxy option and set the DHCP server IP:

config system settings
    set dhcp-proxy enable
    set dhcp-server-ip "10.220.0.107"
end

Create the user group:

config user group
    edit "vpn-usergroup"
        set member "vpn-user"
    next
end

Set up the VPN:

config vpn ipsec phase1-interface
    edit "VPN-v2"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set local-gw 10.109.21.41
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set eap enable
        set eap-identity send-request
        set wizard-type dialup-forticlient
        set authusrgrp "vpn-usergroup"
        set assign-ip-from dhcp
        set dhcp-ra-giaddr <the gateway IP address (giaddr) that would be defined on a DHCP relay agent>
        set dns-mode auto
        set ipv4-split-include "VPN-v2_split"
        set save-password enable
        set psksecret ENC s0I3cSRvAeypQSHwIXZEOoj8Sln1xCG+CbFU/oC75IVGn+nbAdZTUIamZcqhohoFuCcvLHF2KT3htvcEOugblCZnPs/XnewPHTN66Y27Rw0dNH7zphxj1ZIhIEH05OVG6qHOZe9Jo2ZOnuOEWOKs0HuKbGMyYJ4bC0xd7NXG9Tn7bwOk1wYg==
    next
end

config vpn ipsec phase2-interface
    edit "VPN-v2"
        set phase1name "VPN-v2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

Create policies for Internal LAN:

config firewall policy
    edit 1
        set name "vpn_VPN-v2_remote_0"
        set srcintf "VPN-v2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VPN-v2_split"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Configuration on FortiClient basically mirrors the phase1 and phase2 settings on the FortiGate. Make sure not to use the 'DHCP over IPsec' option.


This is a legacy option, only for use with DHCP relaying over IKEv1. Use the 'Mode config' option instead, as defined in the phase1-interface settings (mode-cfg enable).

Verification:

ike 0:9f67930076a4be90/0000000000000000:29:         type=DH_GROUP, val=MODP1536.
ike 0:9f67930076a4be90/0000000000000000:29: lifetime=86400
ike 0:9f67930076a4be90/0000000000000000:29: SA proposal chosen, matched gateway VPN-v2
ike 0:VPN-v2: created connection: 0xdad9c10 3 10.109.21.41->10.109.20.72:500.
...
ike 0:VPN-v2:29: send EAP message to FNBAM
ike 0:VPN-v2: EAP 709192309 pending
ike 0:VPN-v2:29 EAP 709192309 result 0
ike 0:VPN-v2: EAP succeeded for user "vpn-user" group "vpn-usergroup" 2FA=no
ike 0:VPN-v2:29: responder preparing EAP pass through message
ike 0:VPN-v2:29: enc 00000008031F00040706050403020107
ike 0:VPN-v2:29: out 9F67930076A4BE90238A05BA09963DD42E202320000000040000005030000034CC263336D17DFE233E0A911999A526E491702666F67AC46FE7141F0D69BB9B1B1F471A98303C89A95EC7BC1DFD03CBF4
ike 0:VPN-v2:29: sent IKE msg (AUTH_RESPONSE): 10.109.21.41:500->10.109.20.72:500, len=80, vrf=0, id=9f67930076a4be90/238a05ba09963dd4:00000004
ike 0: comes 10.109.20.72:500->10.109.21.41:500,ifindex=3,vrf=0....
ike 0: IKEv2 exchange=AUTH id=9f67930076a4be90/238a05ba09963dd4:00000005 len=112
ike 0: in 9F67930076A4BE90238A05BA09963DD42E2023080000000500000070270000549C9158580F47E9BA156CDFF346807A23F1F367E52035FE7C9CE1867607EFC5C5F66BC4FBC2E1E97E4A79EEC8EBB38010858E0EF2160F64552E8F2BD47DEEF2F13ADAEA5EB6AA4E3BA19B0B14B271CDE2
ike 0:VPN-v2:29: dec 9F67930076A4BE90238A05BA09963DD42E2023080000000500000048270000040000002802000000B35F86693CACBE23BAFE13DBC7DF0E94BA01B37846F2FB84AE8F70C7EB57A820
ike 0:VPN-v2:29: responder received AUTH msg
ike 0:VPN-v2:29: auth verify done
ike 0:VPN-v2:29: responder AUTH continuation
ike 0:VPN-v2:29: authentication succeeded
ike 0:VPN-v2:29: responder creating new child
ike 0:VPN-v2:29: mode-cfg type 7 request 16:'46435438303033313936343233343539'
ike 0:VPN-v2:29: mode-cfg received APPLICATION_VERSION 'FCT8003196423459'
ike 0:VPN-v2:29: mode-cfg type 1 request 0:''
ike 0:VPN-v2:29: IPv4 address requested, using DHCP
ike 0:VPN-v2:29: sending DHCP request
ike 0:39 response IP '10.220.0.128/255.255.255.0'
ike 0:VPN-v2:29: DHCP assigned address 10.220.0.128/255.255.255.0
ike 0:VPN-v2:29: DNS 10.220.0.107

  • In IKEv1 the DHCP request is sourced by the client and relayed by the FortiGate through a configured DHCP relay interface. Reference: IPsec VPN with external DHCP service - FortiGate administration guide.
  • In IKEv2 the DHCP request is sourced by the FortiGate and answered to the FortiGate only. The FortiGate then assigns the DHCP address to the end user via mode config.
    Because the FortiGate, as the DHCP source, would always present the same MAC address as the identifier, it sends DHCP option 61, Client Identifier, set to the exact username instead.

This implies that it is only possible to assign an IP from the DHCP server by username. If the same username is used simultaneously on two different devices, expect both devices to receive the same IP, as the identifier is the same.

This will be visible in the hexdump of the packet.

Option: (61) Client identifier
    Length: 7

The Client Identifier can be seen in the DHCP discover; it helps the DHCP server manage its clients and leases. For example, in the pcap, the username is 'vpnuser1'.
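To make the option 61 behaviour concrete, here is an added Python example (not from the article or from Fortinet) that parses the options field of a constructed DHCP DISCOVER, extracts the Client Identifier and feeds it to a toy lease table keyed the way a DHCP server keys leases. It assumes the identifier is the bare username, since the article shows only the option number and not the byte encoding, and it reproduces the collision described above: two devices using 'vpnuser1' get one address while 'vpnuser2' gets the next.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 0, 53, 61, 255
DHCPDISCOVER = 1

def build_options(msg_type: int, client_id: bytes) -> bytes:
    """Minimal DHCP options field (constructed sample, not a full packet).
    Assumption: option 61 carries the bare username, no type prefix byte."""
    return (MAGIC_COOKIE
            + bytes([OPT_MSG_TYPE, 1, msg_type])
            + bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
            + bytes([OPT_END]))

def parse_options(data: bytes) -> dict:
    """Walk the TLV list after the magic cookie into {option_code: raw_value}."""
    if data[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:        # single-byte padding, no length field
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def client_identifier(data: bytes) -> str:
    """Option 61 as text: the username in the IKEv2 + DHCP proxy case."""
    return parse_options(data).get(OPT_CLIENT_ID, b"").decode("ascii", "replace")

class LeaseTable:
    """Toy DHCP server: one lease per client identifier, as real servers do."""
    def __init__(self, first_host: str):
        self.prefix, host = first_host.rsplit(".", 1)
        self.next_host, self.leases = int(host), {}

    def offer(self, client_id: str) -> str:
        if client_id not in self.leases:   # unseen identifier -> next free address
            self.leases[client_id] = f"{self.prefix}.{self.next_host}"
            self.next_host += 1
        return self.leases[client_id]      # seen identifier -> same address again

def demo() -> tuple:
    """Two devices with the same username share one IP; another user gets the next."""
    table = LeaseTable("10.220.0.128")
    pkts = [build_options(DHCPDISCOVER, u) for u in (b"vpnuser1", b"vpnuser1", b"vpnuser2")]
    return tuple(table.offer(client_identifier(p)) for p in pkts)
```

Running `demo()` returns the same 10.220.0.128 for both 'vpnuser1' discovers, which is exactly why the article expects duplicate addresses when one account is used on two devices at once.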


Related articles:

Technical Tip: Configuring DHCP relay over IPSec VPN with overlapping subnets

Defining gateway IP addresses in IPsec with mode-config and DHCP

Technical Tip: IPsec IKEv2 with mode-config and DHCP using the gateway IP address