FortiGate
vdralio
Staff
Article Id 189831
Description
This article describes how to configure a dial-up IPsec VPN with mode-config that assigns client addresses from an external DHCP server, using the DHCP relay gateway IP (giaddr) to select the server-side scope.

For an IPsec tunnel, the gateway IP address (giaddr) that a DHCP relay agent writes into the requests it forwards can be defined on the phase1 interface (dhcp-ra-giaddr).
Both IPv4 and IPv6 addresses are supported. An IPsec tunnel with mode-config and DHCP relay cannot pass a DHCP subnet range to the DHCP server; the giaddr is the only subnet hint the server receives.

The DHCP server assigns an IP address from the scope whose subnet contains the giaddr set on the IPsec phase1 interface, and unicasts its offer back to that giaddr.

The DHCP server must therefore have a route back to the giaddr subnet; without it the offer never returns to the FortiGate and the VPN client gets no address.


Solution


The configuration parts needed for this setup are shown below.

FortiGate FGT 77 configuration.
# config system settings
    set dhcp-proxy enable                     <----- The FortiGate relays mode-config address requests to an external DHCP server.
    set dhcp-server-ip "172.16.77.88"         <----- DHCP server, reached through the static route below.
end

# config system interface
    edit "Dialup_VPN"
        set vdom "root"
        set ip 192.168.2.1 255.255.255.255        <----- Tunnel interface IP; the same address is used as giaddr, so the server's offers are routed back to this interface.
        set allowaccess fabric
        set type tunnel
        set remote-ip 192.168.2.1 255.255.255.255 <----- Matches the interface IP above.
        set snmp-index 14
        set interface "port1"
    next
end

# config vpn ipsec phase1-interface
    edit "Dialup_VPN"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set local-gw X.X.X.X
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set comments "VPN: Dialup_VPN (Created by VPN wizard)"
        set eap enable
        set eap-identity send-request
        set authusrgrp "Guest-group"
        set assign-ip-from dhcp
        set dhcp-ra-giaddr 192.168.2.1            <----- giaddr written into every relayed DHCP request; the server selects the 192.168.2.0/24 scope from it.
        set dns-mode auto
        set save-password enable
        set psksecret ENC
    next
end
# config vpn ipsec phase2-interface
    edit "Dialup_VPN"
        set phase1name "Dialup_VPN"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: Dialup_VPN (Created by VPN wizard)"
    next
end
# config firewall policy
    edit 6
        set name "vpn_Dialup_VPN_remote"
        set uuid cdc7655c-dfe0-51eb-15b9-67b3c0956798
        set srcintf "Dialup_VPN"
        set dstintf "port5"
        set srcaddr "Dialup_VPN_range"
        set dstaddr "local_subnet_port5"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: Dialup_VPN (Created by VPN wizard)"
        set nat enable
    next
    edit 7
        set name "VPN to port1"
        set uuid 67bbd71a-dfe1-51eb-8788-b60b496cb240
        set srcintf "Dialup_VPN"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 4
        set name "DHCP-VPN"
        set uuid fc27df74-dfe7-51eb-e3ff-8a26af296da7
        set srcintf "port2"
        set dstintf "Dialup_VPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set status disable
        set schedule "always"
        set service "ALL"
    next
    edit 5
        set uuid 0ea8a052-dfe8-51eb-3ada-17755b0e48fe
        set srcintf "Dialup_VPN"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set status disable
        set schedule "always"
        set service "ALL"
        set comments " (Copy of DHCP-VPN) (Reverse of DHCP-VPN)"
    next
end
# config router static
    edit X
        set dst 172.16.77.88 255.255.255.255
        set gateway 172.16.0.132
        set device "port3"
    next
end
Results.

DHCP proxy debug logs on FGT 77.
77 # proxy request vfid=0 type=0 id=50 client_id=75:73:65:72:31                <----- Client ID (the ASCII bytes of "user1").
Add proxy request type=0 id=50 client_id=75:73:65:72:31
make discover
make dhcp message, code=1
Insert option(53), len(1)
Insert max message len (1458)
Insert option(57), len(2)
Insert client ID
Insert option(61), len(5)
Insert requested options
Insert option(55), len(9)
Insert class ID option
Insert option(60), len(11)
Insert option(82), len(6)
found route to 172.16.77.88 via 172.16.0.100 if=5/port3, mode=auto, ifname=
(xid:ce7dde3e) forwarding dhcp request from 192.168.2.1:67 to 172.16.77.88:67  <----- DHCP proxy.
(xid:ce7dde3e) got a DHCPOFFER
(xid:ce7dde3e) from server 172.16.77.88
make request
make dhcp message, code=3
Insert option(53), len(1)
Insert max message len (1458)
Insert option(57), len(2)
Insert client ID
Insert option(61), len(5)
Insert requested address (1002A8C0)                                          <----- 192.168.2.16 printed as a little-endian 32-bit word.
Insert option(50), len(4)
Insert server id
Insert option(54), len(4)
Insert requested options
Insert option(55), len(9)
Insert class ID option
Insert option(60), len(11)
Insert option(82), len(6)
found route to 172.16.77.88 via 172.16.0.100 if=5/port3, mode=auto, ifname=
(xid:ce7dde3e) forwarding dhcp request from 192.168.2.1:67 to 172.16.77.88:67
(xid:ce7dde3e) got a DHCPACK
(xid:ce7dde3e) from server 172.16.77.88
proxy offer ip:192.168.2.16                <----- IP address offered to the VPN client.
proxy offer from dhcp server:172.16.77.88  <----- The external DHCP server.
proxy offer netmask:255.255.255.0
proxy offer expiry:000A8C00                <----- 0xA8C00 = 691200 seconds, an 8-day lease.
Remove proxy request type=0 id=50 client_id=75:73:65:72:31
Proccessing RTM_NEWLINK event.
netlink message!
dhcprelay: checking if we need to reconfigure
dhcprelay: no changes detected
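The relay exchange that the description and the debug output above walk through, as an added example in Python (not FortiOS code and not from the article): it builds the DHCPDISCOVER a proxy sends with giaddr set and no hardware address, shows a server choosing its scope from giaddr and addressing the OFFER back to giaddr port 67, and decodes the hex fields (`1002A8C0`, `000A8C00`) that the debug log prints. The scope table, the option 55 and 82 contents, the `first_free` address and the circuit-id bytes are constructed assumptions; the article only shows the option lengths.

```python
"""Added example (not from the article or FortiOS): what a DHCP relay/proxy sends
on behalf of a mode-config client, how a server keys its scope on giaddr, and
how to read the hex fields in the dhcprelay debug output."""
import ipaddress
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"           # DHCP magic cookie
BOOTP = "!BBBBIHH4s4s4s4s16s64s128s"  # 236-byte fixed BOOTP header

# Constructed lab values taken from the article's output.
GIADDR = "192.168.2.1"       # dhcp-ra-giaddr / tunnel interface IP
SERVER_IP = "172.16.77.88"   # dhcp-server-ip
XID = 0xCE7DDE3E
CLIENT_ID = b"user1"         # 75:73:65:72:31 in the debug log

# Constructed server-side scope table keyed by subnet; a real server's differs.
SCOPES = {
    ipaddress.ip_network("192.168.2.0/24"): {"first_free": "192.168.2.16", "lease": 691200},
    ipaddress.ip_network("10.10.0.0/24"): {"first_free": "10.10.0.10", "lease": 86400},
}


def build_relay_discover(xid=XID, giaddr=GIADDR, client_id=CLIENT_ID):
    """DHCPDISCOVER as a relay/proxy emits it: hlen=0 (there is no MAC on an
    IPsec tunnel), giaddr filled in, sent unicast from port 67 to the server."""
    hdr = struct.pack(BOOTP, 1, 1, 0, 0, xid, 0, 0,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, socket.inet_aton(giaddr),
                      b"\0" * 16, b"\0" * 64, b"\0" * 128)
    circuit_id = b"\x00\x00\x00\x0e"                         # constructed circuit-id
    opts = (b"\x35\x01\x01"                                  # 53 message type = DISCOVER
            + b"\x39\x02" + struct.pack("!H", 1458)          # 57 max message size
            + b"\x3d" + bytes([len(client_id)]) + client_id  # 61 client identifier
            + b"\x37\x03\x01\x03\x06"                        # 55 request mask, router, DNS
            + b"\x52\x06\x01\x04" + circuit_id               # 82 relay agent info, sub-option 1
            + b"\xff")
    return hdr + MAGIC + opts


def parse_dhcp(pkt):
    """Split a DHCP packet into header fields and an {option_code: bytes} map."""
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    yiaddr = socket.inet_ntoa(pkt[16:20])
    giaddr = socket.inet_ntoa(pkt[24:28])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:          # pad option
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "giaddr": giaddr, "options": opts}


def select_scope(giaddr):
    """A server picks the scope whose subnet contains giaddr (RFC 2131 4.3.1);
    the relayed request carries no other subnet hint. None means the server
    has nothing to hand out and drops the request silently."""
    addr = ipaddress.ip_address(giaddr)
    for net, scope in SCOPES.items():
        if addr in net:
            return net, scope
    return None


def build_server_offer(discover, server_ip=SERVER_IP):
    """DHCPOFFER from a scope-by-giaddr server: yiaddr from that scope, option 82
    echoed, and the reply addressed to giaddr:67, which is why the server needs a
    route to the giaddr subnet. Returns (packet, (dst_ip, dst_port))."""
    d = parse_dhcp(discover)
    found = select_scope(d["giaddr"])
    if found is None:
        raise LookupError(f"no scope contains giaddr {d['giaddr']}")
    net, scope = found
    hdr = struct.pack(BOOTP, 2, 1, 0, 0, d["xid"], 0, 0,
                      b"\0" * 4, socket.inet_aton(scope["first_free"]),
                      socket.inet_aton(server_ip), socket.inet_aton(d["giaddr"]),
                      b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = (b"\x35\x01\x02"                                    # 53 message type = OFFER
            + b"\x36\x04" + socket.inet_aton(server_ip)        # 54 server identifier
            + b"\x33\x04" + struct.pack("!I", scope["lease"])  # 51 lease time
            + b"\x01\x04" + net.netmask.packed)                # 1 subnet mask
    if 82 in d["options"]:                                     # echo relay agent info
        opts += b"\x52" + bytes([len(d["options"][82])]) + d["options"][82]
    return hdr + MAGIC + opts + b"\xff", (d["giaddr"], 67)


def decode_le_ip(hexword):
    """dhcprelay prints addresses as a host-order word: '1002A8C0' -> 192.168.2.16."""
    return socket.inet_ntoa(struct.pack("<I", int(hexword, 16)))


def lease_seconds(hexword):
    """The expiry field is plain hex seconds: '000A8C00' -> 691200 (8 days)."""
    return int(hexword, 16)


if __name__ == "__main__":
    disc = build_relay_discover()
    offer, dst = build_server_offer(disc)
    o = parse_dhcp(offer)
    print(f"offer {o['yiaddr']} via giaddr {o['giaddr']}, unicast to {dst}")
```

Feeding a giaddr that no scope contains (for example 10.99.0.1) makes `select_scope` return None, which is the silent failure seen in practice when dhcp-ra-giaddr does not fall inside any scope on the server: the DISCOVER goes out, nothing comes back.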

Sniffer on FGT 77. The four unicast packets are the DISCOVER, OFFER, REQUEST and ACK from the debug above; both ends use port 67 because the FortiGate speaks as a relay agent, not as a DHCP client.
77 # dia sniffer packet any "port 67 or port 68" 4 0 l
interfaces=[any]
filters=[port 67 or port 68]
2021-07-08 17:59:43.402654 port3 out 192.168.2.1.67 -> 172.16.77.88.67: udp 287
2021-07-08 17:59:43.405742 port3 in 172.16.77.88.67 -> 192.168.2.1.67: udp 300
2021-07-08 17:59:43.421676 port3 out 192.168.2.1.67 -> 172.16.77.88.67: udp 299
2021-07-08 17:59:43.427749 port3 in 172.16.77.88.67 -> 192.168.2.1.67: udp 300
Sniffer on the intermediate FortiGate (33) that routes between FGT 77 and the DHCP server: the relayed requests enter on port2 and leave on port3, and the replies take the reverse path. The broadcasts from 0.0.0.0 on port4 are an unrelated local DHCP client.
33 # diagnose sniffer packet any "port 67 or port 68" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[port 67 or port 68]
2021-07-08 17:59:21.115942 port4 in 0.0.0.0.68 -> 255.255.255.255.67: udp 297
2021-07-08 17:59:31.966719 port2 in 192.168.2.1.67 -> 172.16.77.88.67: udp 269
2021-07-08 17:59:31.967655 port3 out 192.168.2.1.67 -> 172.16.77.88.67: udp 269
2021-07-08 17:59:37.368668 port4 in 0.0.0.0.68 -> 255.255.255.255.67: udp 297
2021-07-08 17:59:43.258270 port2 in 192.168.2.1.67 -> 172.16.77.88.67: udp 287
2021-07-08 17:59:43.258396 port3 out 192.168.2.1.67 -> 172.16.77.88.67: udp 287
2021-07-08 17:59:43.260204 port3 in 172.16.77.88.67 -> 192.168.2.1.67: udp 300
2021-07-08 17:59:43.260259 port2 out 172.16.77.88.67 -> 192.168.2.1.67: udp 300
2021-07-08 17:59:43.276714 port2 in 192.168.2.1.67 -> 172.16.77.88.67: udp 299
2021-07-08 17:59:43.281967 port3 out 192.168.2.1.67 -> 172.16.77.88.67: udp 299
2021-07-08 17:59:43.282445 port3 in 172.16.77.88.67 -> 192.168.2.1.67: udp 300
2021-07-08 17:59:43.282471 port2 out 172.16.77.88.67 -> 192.168.2.1.67: udp 300
Server DHCP scope: 192.168.2.0/24, the subnet containing the giaddr; its 691200-second (8-day) lease is the expiry value shown in the debug output.