Description | The article describes one method to configure IPsec VPN using IKEv2 and have FortiGate assign IP addresses to clients. |
Scope | FortiGate, FortiClient. |
Solution |
This setup uses FortiGate v7.6.4 with multi-VDOM mode enabled and FortiClient v7.4.3. IPsec VPN clients receive their tunnel addresses from a DHCP server that runs in a separate VDOM, reached over a VDOM link.
Topology:
A VDOM named 'DHCP' is created; it acts as the DHCP server for the VPN clients.
Create the IPsec VPN on the Root VDOM:
config vdom
    edit root
        config vpn ipsec phase1-interface
            edit "IPsecDHCP"
                set type dynamic
                set interface "port1"      <-- Root VDOM's WAN interface
                set ike-version 2
                set peertype any
                set net-device disable
                set mode-cfg enable
                set proposal aes128-sha256
                set dhgrp 14
                set eap enable
                set eap-identity send-request
                set transport udp
                set assign-ip-from dhcp
                set dns-mode auto
                set save-password enable
            next
        end
        config vpn ipsec phase2-interface
            edit "IPsecDHCP"
                set phase1name "IPsecDHCP"
                set proposal aes128-sha256
                set dhgrp 14
            next
        end
    next
end
In the Global VDOM, create the VDOM link under Network -> Interface -> Create new -> VDOM link, then configure a DHCP server on the DHCP VDOM's end of that link. A VDOM link has two ends: 'link0' belongs to the Root VDOM, while 'link1' belongs to the DHCP VDOM.
config global
    config system interface
        edit "link0"
            set vdom "root"
            set ip 10.10.10.1 255.255.255.0
            set allowaccess ping
            set type vdom-link
            set snmp-index 19
            set macaddr 1a:7a:68:5e:00:3f
        next
        edit "link1"
            set vdom "DHCP"
            set ip 10.10.10.2 255.255.255.0
            set allowaccess ping
            set type vdom-link
            set snmp-index 20
            set macaddr 72:b8:7a:6a:00:40
        next
    end
end

config vdom
    edit DHCP
        config system dhcp server
            edit 2
                set dns-service default
                set default-gateway 10.10.10.2
                set netmask 255.255.255.0
                set interface "link1"
                config ip-range
                    edit 1
                        set start-ip 10.10.10.3
                        set end-ip 10.10.10.254
                    next
                end
            next
        end
    next
end
On the Root VDOM, in the CLI, enable DHCP proxy and specify the DHCP server IP. In this example that is the FortiGate's own DHCP VDOM, reached at 10.10.10.2 (the IP address of the 'link1' end of the VDOM link). DHCP requests for the tunnel are then relayed to that address instead of being answered by the Root VDOM.
config vdom
    edit root
        config system settings
            set dhcp-proxy enable
            set dhcp-server-ip "10.10.10.2"      <--- Refers to the VDOM link 'link1' interface IP address.
        end
    next
end
Lastly, on the Root VDOM, create the firewall policy and the central SNAT rule required for the full tunnel. The policy's 'groups' setting ties it to the EAP-authenticated user group, so only members of 'Guest-group' match it; the SNAT rule translates the clients' DHCP-assigned addresses to the WAN interface for internet-bound traffic.
config vdom
    edit root
        config firewall policy
            edit 5
                set name "IPsecVPNoverDHCP"
                set srcintf "IPsecDHCP"
                set dstintf "port10" "port1"      <-- Port1 is our WAN and port10 is our LAN.
                set action accept
                set srcaddr "all"
                set dstaddr "all"
                set schedule "always"
                set service "ALL"
                set logtraffic all
                set groups "Guest-group"
            next
        end
        config firewall central-snat-map
            edit 1
                set srcintf "IPsecDHCP"
                set dstintf "port1"      <-- Root VDOM's WAN Interface
                set orig-addr "all"
                set dst-addr "all"
            next
        end
    next
end
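The configuration above spans three contexts (Global, Root VDOM, DHCP VDOM) and only works when several values agree with each other: dhcp-server-ip must be the DHCP VDOM's end of the link, the DHCP server must be bound to that same interface, its pool must sit inside the link subnet without covering either link address, and the tunnel needs both a policy and a central SNAT rule. The Python script below is an added example, not Fortinet's code or part of this article: it parses FortiOS CLI text (line by line or run together as on this page, with '<--' annotations ignored) into nested dictionaries and checks those cross-references. The function names parse_fortios and check_dhcp_vpn and the ARTICLE_CONFIG sample, which is constructed from the values in this article and abridged to the keys the checks read, are the example's own.

```python
# Added example, not Fortinet's code: parse the FortiOS CLI shown in this article and check
# the cross-references that the "DHCP server in another VDOM" design depends on.
import ipaddress
import shlex

KEYWORDS = {"config", "edit", "set", "next", "end"}
as_list = lambda v: v if isinstance(v, list) else [v]  # 'set' stores one value as str, several as list

def parse_fortios(text):
    """FortiOS CLI -> nested dicts (table path -> entry -> setting). Statements may share a line,
    '<-- ...' annotations run to end of line, and an unclosed block at end of input is tolerated."""
    tokens = []
    for line in text.splitlines():
        tokens += shlex.split(line.split("<--", 1)[0], posix=False)  # quotes kept, see below
    root, i = {}, 0
    stack = [("config", root)]
    while i < len(tokens):
        kw, args, i = tokens[i], [], i + 1
        while i < len(tokens) and tokens[i] not in KEYWORDS:  # a quoted "end" stays a value
            args.append(tokens[i].strip("\"'"))
            i += 1
        cur = stack[-1][1]
        if kw == "config":
            stack.append(("config", cur.setdefault(" ".join(args), {})))
        elif kw == "edit":
            stack.append(("edit", cur.setdefault(args[0], {})))
        elif kw == "set":
            cur[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif kw == "end" and any(k == "config" for k, _ in stack[1:]):  # closes entry + table
            while stack.pop()[0] != "config":
                pass
        else:
            raise ValueError(f"unexpected {kw!r} {' '.join(args)}")
    return root

def check_dhcp_vpn(cfg, vpn_vdom="root", dhcp_vdom="DHCP"):
    """Return findings (empty list = consistent) for the layout used in this article."""
    f, ifaces, v = [], cfg["global"]["system interface"], cfg["vdom"][vpn_vdom]
    settings = v.get("system settings", {})
    dhcp_ip = settings.get("dhcp-server-ip")
    p1s = v.get("vpn ipsec phase1-interface", {})
    for name, p1 in p1s.items():
        if p1.get("assign-ip-from") != "dhcp":
            continue
        if settings.get("dhcp-proxy") != "enable" or not dhcp_ip:
            f.append(f"{name}: assign-ip-from dhcp needs dhcp-proxy enable and dhcp-server-ip")
        for table in ("firewall policy", "firewall central-snat-map"):  # tunnel must be usable
            if not any(name in as_list(e.get("srcintf", [])) for e in v.get(table, {}).values()):
                f.append(f"{name}: no '{table}' entry with srcintf {name}")
    for name, p2 in v.get("vpn ipsec phase2-interface", {}).items():
        if p2.get("phase1name") not in p1s:
            f.append(f"phase2 {name}: phase1name {p2.get('phase1name')!r} does not exist")
    # dhcp-server-ip must be the far end of the VDOM link: an interface owned by the DHCP VDOM.
    by_ip = {as_list(i["ip"])[0]: n for n, i in ifaces.items() if "ip" in i}  # 'set ip addr mask'
    far = by_ip.get(dhcp_ip)
    if far is None or ifaces[far].get("vdom") != dhcp_vdom:
        f.append(f"dhcp-server-ip {dhcp_ip} is not an interface in VDOM {dhcp_vdom}")
        return f
    link_net = ipaddress.ip_network("/".join(ifaces[far]["ip"]), strict=False)
    link_ips = [a for a in map(ipaddress.ip_address, by_ip) if a in link_net]
    servers = [s for s in cfg["vdom"][dhcp_vdom].get("system dhcp server", {}).values()
               if s.get("interface") == far]
    if not servers:
        f.append(f"no DHCP server bound to {far} in VDOM {dhcp_vdom}")
    for s in servers:  # the pool must sit inside the link subnet and avoid both link addresses
        for r in s.get("ip-range", {}).values():
            lo, hi = ipaddress.ip_address(r["start-ip"]), ipaddress.ip_address(r["end-ip"])
            if lo > hi or lo not in link_net or hi not in link_net:
                f.append(f"ip-range {lo}-{hi} is not inside {link_net}")
            f += [f"ip-range {lo}-{hi} overlaps VDOM link address {a}" for a in link_ips if lo <= a <= hi]
    return f

# Sample input constructed from this article's values (abridged to the keys the checks read).
ARTICLE_CONFIG = """
config global config system interface
  edit "link0" set vdom "root" set ip 10.10.10.1 255.255.255.0 next
  edit "link1" set vdom "DHCP" set ip 10.10.10.2 255.255.255.0 next
end end
config vdom edit root
  config vpn ipsec phase1-interface edit "IPsecDHCP" set type dynamic
    set interface "port1"  <-- Root VDOM's WAN interface
    set ike-version 2 set mode-cfg enable set eap enable set assign-ip-from dhcp next end
  config vpn ipsec phase2-interface edit "IPsecDHCP" set phase1name "IPsecDHCP" next end
  config system settings set dhcp-proxy enable set dhcp-server-ip "10.10.10.2" end
  config firewall policy edit 5 set srcintf "IPsecDHCP" set dstintf "port10" "port1"
    set groups "Guest-group" next end
  config firewall central-snat-map edit 1 set srcintf "IPsecDHCP" set dstintf "port1" next end
next edit DHCP
  config system dhcp server edit 2 set default-gateway 10.10.10.2 set interface "link1"
    config ip-range edit 1 set start-ip 10.10.10.3 set end-ip 10.10.10.254 next end
  next end
next end
"""

if __name__ == "__main__":
    print("\n".join(check_dhcp_vpn(parse_fortios(ARTICLE_CONFIG))) or "no inconsistencies found")
```

Running the script against the article's values reports no inconsistencies; changing dhcp-server-ip to an address that is not the DHCP VDOM's link end, or starting the pool at 10.10.10.1 so that it covers the two link addresses, produces a finding for each problem. The parser deliberately keeps shell-style quoting until after keyword detection so that a quoted value such as "end" is not mistaken for the end keyword.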
On the FortiClient side, ensure the following settings are enabled in the VPN profile, most importantly IKEv2 and Mode Config, so that the client requests its address from the gateway:
Results:
Copyright 2025 Fortinet, Inc. All Rights Reserved.