Configuration parts needed for this setup: a dialup IPsec VPN on FortiGate FGT 77 whose clients receive their tunnel addresses from an external DHCP server (172.16.77.88) through the FortiGate DHCP proxy.
FortiGate FGT 77 configuration. The DHCP proxy is enabled under system settings; the FortiGate relays each client's DHCP exchange as unicast from its own tunnel-interface address to the server in dhcp-server-ip, so that server must be reachable from the FortiGate (see the static route at the end of the configuration).

# config system settings
set dhcp-proxy enable
set dhcp-server-ip "172.16.77.88"
end
# config system interface
# Tunnel interface terminating the dialup clients. Its address must be the
# same 192.168.2.1 given as dhcp-ra-giaddr in the phase1 below: the DHCP
# proxy sources the relayed requests from this address (see the debug
# output, "forwarding dhcp request from 192.168.2.1:67").
edit "Dialup_VPN"
set vdom "root"
set ip 192.168.2.1 255.255.255.255 <-----
# Administrative access on the tunnel side is limited to Security Fabric.
# Anything added here (https, ssh, ...) becomes reachable by every
# authenticated dialup client, so keep this list minimal.
set allowaccess fabric
set type tunnel
set remote-ip 192.168.2.1 255.255.255.255 <-----
set snmp-index 14
set interface "port1"
next
end
# config vpn ipsec phase1-interface
# Dialup phase1 (type dynamic, peertype any): any peer that knows the shared
# PSK may start IKE; per-user authorization is the IKEv2 EAP step against
# "Guest-group", so the PSK alone does not grant access.
edit "Dialup_VPN"
set type dynamic
set interface "port1"
set ike-version 2
# X.X.X.X stands for the public address on port1 that clients connect to.
set local-gw X.X.X.X
set peertype any
set net-device disable
# mode-cfg pushes the client its address; with assign-ip-from dhcp that
# address comes from the external server via the DHCP proxy, and
# dhcp-ra-giaddr must equal the Dialup_VPN interface IP (192.168.2.1).
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set comments "VPN: Dialup_VPN (Created by VPN wizard)"
set eap enable
set eap-identity send-request
set authusrgrp "Guest-group"
set assign-ip-from dhcp
set dhcp-ra-giaddr 192.168.2.1
set dns-mode auto
# save-password lets the client cache the EAP credentials on the endpoint;
# disable it if the endpoint is shared or the policy requires re-entry.
set save-password enable
# ENC = secret redacted in this listing.
set psksecret ENC
next
end
# config vpn ipsec phase2-interface
edit "Dialup_VPN"
set phase1name "Dialup_VPN"
# Wizard default proposal list. It still offers the SHA-1 HMAC variants
# (aes128-sha1, aes256-sha1); once every client supports the SHA-256 or
# AEAD (gcm / chacha20poly1305) entries, drop the sha1 ones.
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set comments "VPN: Dialup_VPN (Created by VPN wizard)"
next
end
# config firewall policy
# Policy 6: VPN clients (their DHCP-assigned range) to the LAN behind port5.
# NAT is enabled, so hosts on port5 see the FortiGate's address rather than
# the client's 192.168.2.x; keep the VPN/DHCP logs if per-user attribution
# on the LAN side is needed.
edit 6
set name "vpn_Dialup_VPN_remote"
set uuid cdc7655c-dfe0-51eb-15b9-67b3c0956798
set srcintf "Dialup_VPN"
set dstintf "port5"
set srcaddr "Dialup_VPN_range"
set dstaddr "local_subnet_port5"
set action accept
set schedule "always"
set service "ALL"
set comments "VPN: Dialup_VPN (Created by VPN wizard)"
set nat enable
next
# Policy 7: VPN clients out through port1 (the interface the tunnel itself
# terminates on), any source, any destination, any service, NATed. This is
# what gives clients full-tunnel egress; if that is not intended, restrict
# srcaddr to "Dialup_VPN_range" as policy 6 does and narrow the service.
edit 7
set name "VPN to port1"
set uuid 67bbd71a-dfe1-51eb-8788-b60b496cb240
set srcintf "Dialup_VPN"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
# Policies 4 and 5 are disabled (status disable) and play no part in the
# DHCP proxy flow shown below; they are any/any accept rules between port2
# and the VPN, so delete them rather than leave them to be re-enabled later.
edit 4
set name "DHCP-VPN"
set uuid fc27df74-dfe7-51eb-e3ff-8a26af296da7
set srcintf "port2"
set dstintf "Dialup_VPN"
set srcaddr "all"
set dstaddr "all"
set action accept
set status disable
set schedule "always"
set service "ALL"
next
edit 5
set uuid 0ea8a052-dfe8-51eb-3ada-17755b0e48fe
set srcintf "Dialup_VPN"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set status disable
set schedule "always"
set service "ALL"
set comments " (Copy of DHCP-VPN) (Reverse of DHCP-VPN)"
next
end
# config router static
# Host route so the FortiGate can reach the DHCP server itself (the relayed
# requests are sourced from the FortiGate, not from the client). Note that
# the debug output below resolves 172.16.77.88 via 172.16.0.100 on port3,
# not the 172.16.0.132 gateway shown here; confirm the active routing table
# before copying this entry.
edit X
set dst 172.16.77.88 255.255.255.255
set gateway 172.16.0.132
set device "port3"
next
end

Results.

DHCP logs.

77 # proxy request vfid=0 type=0 id=50 client_id=75:73:65:72:31 <----- Unique ID: the client_id bytes are ASCII "user1", i.e. the authenticated VPN user name is used as the DHCP client identifier (option 61, 5 bytes), so the lease is tied to the login rather than to a client MAC.
Add proxy request type=0 id=50 client_id=75:73:65:72:31
make discover
make dhcp message, code=1
Insert option(53), len(1)
Insert max message len (1458)
Insert option(57), len(2)
Insert client ID
Insert option(61), len(5)
Insert requested options
Insert option(55), len(9)
Insert class ID option
Insert option(60), len(11)
Insert option(82), len(6)
found route to 172.16.77.88 via 172.16.0.100 if=5/port3, mode=auto, ifname= <----- route lookup for the DHCP server; the next hop reported here (172.16.0.100) differs from the static-route gateway in the configuration above (172.16.0.132), so verify which route is actually installed.
(xid:ce7dde3e) forwarding dhcp request from 192.168.2.1:67 to 172.16.77.88:67 <----- DHCP proxy: the DISCOVER is relayed as unicast, sourced from the tunnel-interface address (the dhcp-ra-giaddr), so the server needs a scope for 192.168.2.0/24 and a return route to 192.168.2.1.
(xid:ce7dde3e) got a DHCPOFFER
(xid:ce7dde3e) from server 172.16.77.88
make request
make dhcp message, code=3
Insert option(53), len(1)
Insert max message len (1458)
Insert option(57), len(2)
Insert client ID
Insert option(61), len(5)
Insert requested address (1002A8C0) <----- hex dump is byte-swapped: 0xC0A80210 = 192.168.2.16, the address taken from the DHCPOFFER.
Insert option(50), len(4)
Insert server id
Insert option(54), len(4)
Insert requested options
Insert option(55), len(9)
Insert class ID option
Insert option(60), len(11)
Insert option(82), len(6)
found route to 172.16.77.88 via 172.16.0.100 if=5/port3, mode=auto, ifname=
(xid:ce7dde3e) forwarding dhcp request from 192.168.2.1:67 to 172.16.77.88:67
(xid:ce7dde3e) got a DHCPACK
(xid:ce7dde3e) from server 172.16.77.88
proxy offer ip:192.168.2.16 <----- address leased to the VPN client (same value as the requested address 1002A8C0 above).
proxy offer from dhcp server:172.16.77.88 <----- the server that answered; this must be the dhcp-server-ip configured under system settings.
proxy offer netmask:255.255.255.0 <----- the server's scope is 192.168.2.0/24, matching the 192.168.2.1 relay address.
proxy offer expiry:000A8C00 <----- lease time; hex 0xA8C00 = 691200, i.e. 8 days if read as seconds.
Remove proxy request type=0 id=50 client_id=75:73:65:72:31
Proccessing RTM_NEWLINK event.
netlink message!
dhcprelay: checking if we need to reconfigure
dhcprelay: no changes detected
Sniffer FGT 77.

77 # dia sniffer packet any "port 67 or port 68" 4 0 l

Sniffer Switch 33.
interfaces=[any]
filters=[port 67 or port 68]
2021-07-08 17:59:43.402654 port3 out 192.168.2.1.67 -> 172.16.77.88.67: udp 287
2021-07-08 17:59:43.405742 port3 in 172.16.77.88.67 -> 192.168.2.1.67: udp 300
2021-07-08 17:59:43.421676 port3 out 192.168.2.1.67 -> 172.16.77.88.67: udp 299
2021-07-08 17:59:43.427749 port3 in 172.16.77.88.67 -> 192.168.2.1.67: udp 300

33 # diagnose sniffer packet any "port 67 or port 68" 4 0 l

Server DHCP scope. In this capture the relayed exchange is unicast server-port to server-port (67 -> 67) between 192.168.2.1 and 172.16.77.88, entering on port2 and leaving on port3; the broadcast 0.0.0.0:68 -> 255.255.255.255:67 frames on port4 appear to come from a directly connected DHCP client and are not part of the VPN flow.
Using Original Sniffing Mode
interfaces=[any]
filters=[port 67 or port 68]
2021-07-08 17:59:21.115942 port4 in 0.0.0.0.68 -> 255.255.255.255.67: udp 297
2021-07-08 17:59:31.966719 port2 in 192.168.2.1.67 -> 172.16.77.88.67: udp 269
2021-07-08 17:59:31.967655 port3 out 192.168.2.1.67 -> 172.16.77.88.67: udp 269
2021-07-08 17:59:37.368668 port4 in 0.0.0.0.68 -> 255.255.255.255.67: udp 297
2021-07-08 17:59:43.258270 port2 in 192.168.2.1.67 -> 172.16.77.88.67: udp 287
2021-07-08 17:59:43.258396 port3 out 192.168.2.1.67 -> 172.16.77.88.67: udp 287
2021-07-08 17:59:43.260204 port3 in 172.16.77.88.67 -> 192.168.2.1.67: udp 300
2021-07-08 17:59:43.260259 port2 out 172.16.77.88.67 -> 192.168.2.1.67: udp 300
2021-07-08 17:59:43.276714 port2 in 192.168.2.1.67 -> 172.16.77.88.67: udp 299
2021-07-08 17:59:43.281967 port3 out 192.168.2.1.67 -> 172.16.77.88.67: udp 299
2021-07-08 17:59:43.282445 port3 in 172.16.77.88.67 -> 192.168.2.1.67: udp 300
2021-07-08 17:59:43.282471 port2 out 172.16.77.88.67 -> 192.168.2.1.67: udp 300