FortiGate
ChrisTan
Staff
Article Id 407408
Description: This article provides an option to use a loopback IP for the DHCP-relay source IP.
Scope: FortiGate.
Solution

FortiGate allows an external DHCP server to assign IP addresses to the IPsec VPN clients. This is typically found in enterprises where all DHCP leases must be managed centrally.

yoda-kvm20 (P1) # show
    config vpn ipsec phase1-interface
        edit "P1"
            set type dynamic
            set interface "port1"
            set mode aggressive
            set peertype any
            set net-device enable
            set proposal aes256-sha256 aes256-sha384
            set dpd on-idle
            set comments "IPSec Dialup Phase1"
            set dhgrp 20
            set xauthtype auto
            set authusrgrp "VPNUsers"
            set psksecret ENC ****
            set dpd-retryinterval 10
        next
    end

yoda-kvm20 (P2) # show
    config vpn ipsec phase2-interface
        edit "P2"
            set phase1name "P1"
            set proposal aes256-sha256 aes256-sha384
            set dhgrp 20
            set comments "IPSec Dialup Phase2"
            set dhcp-ipsec enable  <----- Enable DHCP assignment in phase2-interface.
        next
    end

DHCP relay is enabled on the tunnel interface and is pointed at the interface facing the DHCP server. The relay also needs a source IP address, which the DHCP server uses to identify the IP address range (scope) it should assign from:

config system interface
    edit "lo-FC-RA-P1"
        set vdom "root"
        set ip 10.253.0.1 255.255.255.255
        set type loopback
        set snmp-index 15
    next
end

config system interface
    edit "FC-RA-P1"
        set vdom "root"
        set dhcp-relay-interface-select-method specify
        set dhcp-relay-interface "port2"
        set dhcp-relay-service enable
        set type tunnel
        set snmp-index 16
        set dhcp-relay-ip "10.167.1.172"     <----- IP address of the external DHCP server.
        set dhcp-relay-source-ip 10.253.0.1  <----- Loopback IP used as the relay source address.
        set dhcp-relay-circuit-id "FC-RA-P1"
        set dhcp-relay-type ipsec
        set interface "port1"
    next
end

The 'dhcp-relay-source-ip' can be the IP address of a loopback interface if the tunnel interface is not available for this purpose.

The DHCP server (for example, a Windows DHCP server) replies with a lease from the IP pool whose range contains the loopback IP address.
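As an added illustration (not part of the Fortinet article), the Python sketch below shows why the loopback address has to fall inside a scope defined on the DHCP server: a relay agent places its address in the BOOTP giaddr field (RFC 2131), and the server picks the scope whose subnet contains that address. The scope table and packet bytes are constructed samples, and the assumption that the configured source IP is what lands in giaddr is an assumption of this example, not a statement about FortiOS internals.

```python
"""Added example: DHCP scope selection driven by the relay agent address (giaddr)."""
import ipaddress
import struct

# Constructed sample of the server's scopes: subnet -> (pool start, pool end).
# The first one covers the loopback relay source IP 10.253.0.1 from the article.
SCOPES = {
    "10.253.0.0/24": ("10.253.0.10", "10.253.0.200"),  # scope for the IPsec dial-up clients
    "10.167.1.0/24": ("10.167.1.50", "10.167.1.99"),   # LAN scope behind port2
}

def build_discover(giaddr: str, xid: int = 0x3903F326) -> bytes:
    """Build the fixed 236-byte BOOTP header of a DHCPDISCOVER as it arrives from a
    relay agent whose address is `giaddr` (options field omitted for brevity)."""
    op, htype, hlen, hops = 1, 1, 6, 1                   # BOOTREQUEST, Ethernet, one relay hop
    chaddr = bytes.fromhex("0242ac110002") + bytes(10)   # constructed client MAC, zero padded
    return struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                       op, htype, hlen, hops, xid, 0, 0,  # secs=0, flags=0
                       bytes(4), bytes(4), bytes(4),      # ciaddr, yiaddr, siaddr unset
                       ipaddress.IPv4Address(giaddr).packed,
                       chaddr, bytes(64), bytes(128))     # chaddr, sname, file

def giaddr_of(packet: bytes) -> str:
    """Extract the relay agent address (giaddr, bytes 24..27) from a BOOTP packet."""
    if len(packet) < 236 or packet[0] != 1:
        raise ValueError("not a BOOTREQUEST")
    return str(ipaddress.IPv4Address(packet[24:28]))

def select_scope(packet: bytes):
    """Return (subnet, pool) of the scope containing giaddr, or None.
    giaddr 0.0.0.0 means the request was not relayed; a real server would then
    use the subnet of the receiving interface, which is not modelled here."""
    relay = ipaddress.IPv4Address(giaddr_of(packet))
    if relay == ipaddress.IPv4Address("0.0.0.0"):
        return None
    for subnet, pool in SCOPES.items():
        if relay in ipaddress.ip_network(subnet):
            return subnet, pool
    return None  # no matching scope: the server stays silent and clients get no lease

if __name__ == "__main__":
    pkt = build_discover("10.253.0.1")  # dhcp-relay-source-ip from the article
    print(giaddr_of(pkt), "->", select_scope(pkt))
```

Running the block with the article's loopback address selects the 10.253.0.0/24 scope, while a relay address outside every scope yields None, which is the symptom to check for when clients are not receiving leases.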
