Description
This article explains how to configure an SSL VPN with an external DHCP server.
Scope
This feature was introduced in FOS 7.0.6 and FOS 7.2.1.
Solution
SSL VPN users should get IP addresses from the external DHCP server (DHCP_SRV).
Below is the topology used for the demonstration of this feature.
1) Enable DHCP proxy and provide the DHCP server's IP address.
# config system settings
set dhcp-proxy enable
set dhcp-server-ip "10.10.12.2"
end
2) Set ip-mode to dhcp in the SSL VPN portal profile. In this example, users connect to the SSL VPN with the 'full-access' profile.
# config vpn ssl web portal
edit "full-access"
set tunnel-mode enable
set web-mode enable
set ip-mode dhcp
end
Note: This setting can only be enabled from the CLI.
3) Add the VPN user group in the SSL VPN settings and assign it the correct VPN portal profile.
4) Configure the IPv4 policy for SSL VPN.
Troubleshooting:
- Collect the following debug logs:
# diagnose debug application sslvpn -1
# diagnose debug application dhcprelay -1
- Take a packet capture on the FortiGate interface to which the DHCP server is connected.
Note: Currently, FortiOS does not set an SSL VPN-specific giaddr when it relays the DHCP Discover. If the DHCP server were connected to port8 in this setup, the relay agent IP address (giaddr) in the DHCP Discover would be port8's IP address, so SSL VPN users would receive addresses from the LAN network's scope.
Enabling DHCP proxy globally should not have any other impact: FortiGate only proxies DHCP traffic on the SSL VPN interface.
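To check the giaddr behaviour described in the note from the packet capture, here is an added Python example (not part of the KB article) that parses a relayed DHCP Discover, extracts giaddr and the message type, and shows which scope a server selects from giaddr. The port8 address 10.10.12.1, the LAN and SSL VPN scopes and the sample frame are assumed or constructed for the demonstration.

```python
import ipaddress
import struct

# Fixed-size BOOTP/DHCP header (RFC 2131, 236 bytes): op, htype, hlen, hops, xid,
# secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
# Assumed lab scopes: the LAN behind port8 and the range expected for VPN clients.
SCOPES = {"LAN": "10.10.12.0/24", "SSLVPN": "10.212.134.0/24"}


def parse_dhcp(payload: bytes) -> dict:
    """Extract the fields that matter when checking a relayed SSL VPN lease."""
    if len(payload) < HDR.size + 4 or payload[HDR.size:HDR.size + 4] != MAGIC:
        raise ValueError("not a DHCP message")
    f = HDR.unpack_from(payload)
    opts, i = {}, HDR.size + 4
    while i < len(payload) and payload[i] != 255:      # 255 = END option
        if payload[i] == 0:                              # 0 = PAD option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    ip = lambda raw: str(ipaddress.IPv4Address(raw))
    return {"hops": f[3], "xid": f[4], "yiaddr": ip(f[8]), "giaddr": ip(f[10]),
            "chaddr": f[11][:f[2]].hex(":"),
            "msg_type": MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN")}


def scope_for(msg: dict, scopes: dict = SCOPES):
    """Scope a standards-compliant server selects: the one containing giaddr
    (RFC 2131 section 4.3.1); with giaddr 0.0.0.0 it uses the receiving interface."""
    gi = ipaddress.IPv4Address(msg["giaddr"])
    if gi == ipaddress.IPv4Address("0.0.0.0"):
        return "receiving-interface subnet"
    return next((name for name, net in scopes.items()
                 if gi in ipaddress.IPv4Network(net)), None)


def build_discover(xid: int, mac: bytes, giaddr: str) -> bytes:
    """Constructed DHCP Discover as the relay would forward it (hops=1, giaddr set)."""
    gi, zero4 = ipaddress.IPv4Address(giaddr).packed, b"\0" * 4
    hdr = HDR.pack(1, 1, len(mac), 1, xid, 0, 0x8000, zero4, zero4, zero4, gi,
                   mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, 1, 255])        # option 53 = DISCOVER, then END

# Constructed sample: giaddr is port8's assumed IP 10.10.12.1, so the server picks LAN.
SAMPLE = parse_dhcp(build_discover(0x1234ABCD, bytes.fromhex("001122334455"), "10.10.12.1"))
```

Run the same parser over the UDP payloads from the port8 capture; a giaddr inside the LAN scope confirms why clients are leased LAN addresses.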