nprakash
Staff

Description

This article explains how to configure an SSL VPN whose connecting users receive their IP addresses from an external DHCP server.

Scope

This feature was introduced in FOS 7.0.6 and FOS 7.2.1.

Solution

SSL VPN users should get their IP addresses from the external DHCP server (DHCP_SRV).

Below is the topology used for the demonstration of this feature.

(Topology diagram)

1) Enable DHCP proxy and provide the DHCP server's IP address.

# config system settings
    set dhcp-proxy enable
    set dhcp-server-ip "10.10.12.2"
end

2) Set ip-mode to dhcp in the SSL VPN portal. In this example, users connect to the SSL VPN with the 'full-access' portal.

# config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-mode dhcp
    next
end

Note: This setting can be enabled only from the CLI.

3) Add the VPN user group to the SSL VPN settings and map it to the correct portal (here, 'full-access').

(Screenshot of the SSL VPN settings page)

4) Configure the IPv4 firewall policy for SSL VPN.


Troubleshooting:

- Logs to be collected are as follows:

# diagnose debug application sslvpn -1
# diagnose debug application dhcprelay -1

- Packet capture on the FortiGate interface to which the DHCP server is connected.

Note: Currently, FortiOS does not support a dedicated giaddr for SSL VPN when it relays the DHCP Discover. If the DHCP server were connected to port8 in this setup, the relay agent IP address (giaddr) in the DHCP Discover would be port8's IP address, so SSL VPN users would get IP addresses from the LAN network's scope rather than from an SSL VPN-specific scope.
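To see why the giaddr caveat matters, the following added example (not part of this article or of FortiOS) builds a DHCP Discover the way a relay forwards it, reads back giaddr from the capture bytes, and applies the RFC 2131 server rule for choosing a scope. The addresses are constructed for illustration: 10.10.12.1 stands in for port8 and 10.212.134.0/24 for the SSL VPN tunnel range.

```python
import struct
import ipaddress

# Constructed example: relay-forwarded DHCP Discover and server-side scope choice.
# Addresses are assumptions: 10.10.12.1 = port8, 10.212.134.0/24 = SSL VPN range.
DHCP_MAGIC = b"\x63\x82\x53\x63"

def build_discover(giaddr: str, xid: int = 0x3903F326,
                   mac: bytes = b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """Return a minimal BOOTP/DHCP Discover carrying the given relay agent address."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 1,                        # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=1
        xid, 0, 0x8000,                    # transaction id, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr are zero in a Discover
        ipaddress.IPv4Address(giaddr).packed,
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = DHCP_MAGIC + b"\x35\x01\x01" + b"\xff"   # option 53 = Discover, then End
    return fixed + options

def parse_discover(pkt: bytes) -> dict:
    """Extract the fields a DHCP server consults when picking a scope."""
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr) = struct.unpack("!BBBBIHH4s4s4s4s", pkt[:28])
    if pkt[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    msg_type, i = None, 240
    while i < len(pkt) and pkt[i] != 0xFF:   # walk TLV options until End
        if pkt[i] == 0:                       # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        if code == 53:
            msg_type = pkt[i + 2]
        i += 2 + length
    return {"hops": hops, "giaddr": str(ipaddress.IPv4Address(giaddr)), "msg_type": msg_type}

def select_scope(giaddr: str, scopes: dict, receiving_if_net: str) -> str:
    """RFC 2131: use the scope containing giaddr if set, else the receiving interface's subnet."""
    anchor = ipaddress.IPv4Address(giaddr)
    if anchor == ipaddress.IPv4Address("0.0.0.0"):
        return scopes[receiving_if_net]
    for net, name in scopes.items():
        if anchor in ipaddress.IPv4Network(net):
            return name
    raise LookupError(f"no scope for relay address {giaddr}")

# Constructed scopes on DHCP_SRV: the LAN behind port8 and the SSL VPN tunnel range.
SCOPES = {"10.10.12.0/24": "LAN", "10.212.134.0/24": "SSLVPN"}
```

With giaddr set to port8's address the server answers from the LAN scope, which is exactly the behaviour the note above describes; only a giaddr inside the tunnel range would select the SSLVPN scope.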


Enabling DHCP proxy globally should have no impact on other interfaces: FortiGate only proxies DHCP traffic on the SSL VPN interface.
