nprakash
Staff & Editor
Article Id 215644

Description


This article explains how to configure an SSL VPN with an external DHCP server. This article assumes that the reader is generally familiar with configuring an SSL VPN on the FortiGate and will be updating an existing configuration to use an external DHCP server instead of traditional IP address pools.

Scope


FortiGate v7.0.6 and later, v7.2.1 and later; dhcp-ra-giaddr support was added in v7.2.4.

Solution


Note: SSL VPN tunnel mode support differs between models and is removed for all models in FortiOS v7.6.3 and later; see Technical Tip: SSL VPN support on FortiGate models. It is recommended to migrate existing SSL VPN deployments to IPsec dialup remote access. See Migration from SSL VPN tunnel mode to IPsec VPN.


Some administrators may prefer to have SSL VPN users obtain IP addresses from an external DHCP server, rather than use the traditional method of address pools/ranges on the FortiGate itself. This might be done to centralize control over address allocation (rather than have multiple devices handling addressing), or because DHCP needs to be integrated with other functions in the network (e.g. DNS registration, IPAM, etc.).


The following is the topology used for the demonstration of this feature in this article, as well as the steps required to configure the feature itself:

[Topology diagram: SSL VPN clients connect to the FortiGate, which relays their DHCP requests via port2 (10.10.12.0/24) to the external DHCP server at 10.10.12.2]

  1. Enable the DHCP Proxy functionality and specify the DHCP Server IP address that the FortiGate should relay requests to (IPv6 options can be left blank if not needed):

config system settings
    set dhcp-proxy enable
    set dhcp-server-ip "10.10.12.2"
    set dhcp6-server-ip "2001:db8::10:10:12:2"
end

In cases where there are multiple DHCP servers, list the server IP addresses separated by spaces:

config system settings
    set dhcp-proxy enable
    set dhcp-server-ip 10.10.12.2 10.10.22.1
end

Note:

The dhcp-proxy option is used to facilitate DHCP proxy functionality for remote-access VPNs on the FortiGate (i.e. dial-up IPsec and SSL VPN) that have DHCP-based address allocation configured.


  2. Create or modify an SSL VPN Portal and set ip-mode to dhcp (this setting can only be configured from the CLI, and only if tunnel-mode is enabled in the portal). In this example, users connect to the 'DHCP_Tunnel' portal:

config vpn ssl web portal
    edit "DHCP_Tunnel"
        set tunnel-mode enable
        set ip-mode dhcp
    next
end

  3. Under VPN -> SSL VPN Settings, add a new Authentication/Portal Mapping entry that maps the VPN-related User Group to the new DHCP-based SSL VPN Portal created in the previous step.

[Image: Authentication/Portal Mapping entry mapping the SSL VPN user group to the 'DHCP_Tunnel' portal]

  4. Configure appropriate Firewall Policies for the SSL-VPN interface to grant access for users. A basic example is shown here:

[Image: example firewall policy for the SSL-VPN interface]

Special Note: specifying the DHCP scope assigned to SSL VPN clients using DHCP GIADDR

Starting in v7.2.4, support was added to the SSL VPN for the DHCP GIADDR option. This option allows administrators to specify which DHCP scope should be used when allocating addresses to their SSL VPN users, whereas previously SSL VPN users could only receive IP addresses in the same subnet as the FortiGate's local DHCP server-facing interface (i.e. 10.10.12.0/24 on the FortiGate's port2 in the example topology).


The following are the steps to enable the DHCP GIADDR option for DHCP-based SSL VPN users:


  1. Modify the SSL VPN portal in the CLI and add the following commands (IPv6 options can be left blank if not needed):

config vpn ssl web portal
    edit <name>
        set dhcp-ra-giaddr <gateway_IP_address>
        set dhcp6-ra-linkaddr <IPv6_link_address>
    next
end

Note that dhcp-ra-giaddr should be set to an IP address that falls within the DHCP scope that is to be assigned to SSL VPN users; the DHCP server uses this relay agent address to select the scope.


  2. Due to the way the DHCP GIADDR option works, the DHCP server sends all DHCP response traffic to the address specified by dhcp-ra-giaddr (even though the FortiGate used a different source IP for the relayed request).

To ensure that the FortiGate accepts this incoming traffic as local traffic, it is necessary to either:

  1. Create a loopback interface and assign it the IP address used for dhcp-ra-giaddr, or
  2. Assign that address as a Secondary IP to one of the FortiGate's physical interfaces.

In either case, ensure that any routers between the DHCP server and the FortiGate (acting as the DHCP relay) have routes back to the FortiGate for the new SSL VPN DHCP subnet. No additional firewall policies need to be created for this step.

Once this process is completed, SSL VPN users will be able to receive DHCP leases from a separate scope/subnet that matches the gateway address specified by dhcp-ra-giaddr.
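As an added illustration (not from the original article or Fortinet's code), the following Python snippet models the relay behaviour described above: it builds a DHCPDISCOVER the way a relay forwards it, and shows how a DHCP server picks a scope from the giaddr field and where it returns the reply. The scopes, MAC address and the 10.10.50.0/24 VPN pool are constructed for the example; the 10.10.12.0/24 network is the one from the article topology.

```python
import struct
import ipaddress

# BOOTP fixed header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128), magic cookie.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s4s"
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Constructed scopes on the external DHCP server: the server's own LAN
# (10.10.12.0/24, as in the article topology) and a dedicated SSL VPN pool.
SCOPES = [ipaddress.ip_network("10.10.12.0/24"),
          ipaddress.ip_network("10.10.50.0/24")]


def build_discover(xid, mac, giaddr="0.0.0.0"):
    """Construct a minimal DHCPDISCOVER as a relay agent would forward it.

    giaddr="0.0.0.0" models the pre-7.2.4 behaviour (no dhcp-ra-giaddr set);
    a non-zero giaddr models dhcp-ra-giaddr being configured on the portal."""
    hops = 0 if giaddr == "0.0.0.0" else 1  # relay increments hops
    header = struct.pack(BOOTP_FMT, 1, 1, 6, hops, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         ipaddress.ip_address(giaddr).packed,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
                         MAGIC_COOKIE)
    return header + bytes([53, 1, 1, 255])  # option 53 = DISCOVER, then End


def parse_giaddr(pkt):
    """Return the relay agent address carried in the BOOTP giaddr field."""
    fields = struct.unpack_from(BOOTP_FMT, pkt)
    return str(ipaddress.ip_address(fields[10]))


def select_scope(pkt, server_ifaddr):
    """Server-side scope selection: giaddr decides when set, otherwise the
    address of the interface the request arrived on.

    Returns (scope, reply_to): reply_to is the giaddr the server unicasts the
    response to, or None when the server answers on its local segment.
    A (None, None) result is the failure mode of a dhcp-ra-giaddr that does
    not fall inside any configured scope: no lease is offered."""
    giaddr = parse_giaddr(pkt)
    relayed = giaddr != "0.0.0.0"
    key = ipaddress.ip_address(giaddr if relayed else server_ifaddr)
    for net in SCOPES:
        if key in net:
            return str(net), (giaddr if relayed else None)
    return None, None
```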


SSL VPN does not support DNS server assignment over DHCP. If internal DNS servers should be assigned to connecting VPN clients, configure them on the SSL VPN web portal, as demonstrated in the article Technical Tip: Configuring DNS servers per SSL VPN Portal.


Troubleshooting:

When troubleshooting issues, collect the following debug output:

diagnose debug application sslvpn -1
diagnose debug application dhcprelay -1
diagnose debug enable

Additionally, perform a packet capture on the FortiGate interface to which the DHCP server is connected:

diagnose sniffer packet <interface_name> 'port 67 or 68' 6 100 l

Related article:
Technical Tip: IPsec IKEv2 with mode-config and DHCP using the gateway IP address