FortiGate
nprakash
Staff
Article Id 215644

Description

 

This article explains how to configure an SSL VPN with an external DHCP server. This article assumes that the reader is generally familiar with configuring an SSL VPN on the FortiGate and will be updating an existing configuration to use an external DHCP server instead of traditional IP address pools.

Scope

 

FortiGate v7.0.6 and later, v7.2.1 and later. The dhcp-ra-giaddr option described in the Special Note below requires v7.2.4 or later.

Solution

 

Some administrators may prefer to have SSL VPN users obtain IP addresses from an external DHCP server rather than from the traditional address pools/ranges configured on the FortiGate itself. Common reasons are centralizing control over address allocation (rather than having multiple devices handle addressing) or integrating DHCP with other network functions (e.g. DNS registration, IPAM).

 

Below is the topology used for the demonstration of this feature in this article, as well as the steps required to configure the feature itself:

[Figure: demonstration topology. SSL VPN clients connect to the FortiGate; port2 (10.10.12.0/24) faces the external DHCP server at 10.10.12.2.]

 

 

  1. Enable the DHCP Proxy functionality and specify the DHCP Server IP address that the FortiGate should relay requests to (IPv6 options can be left blank if not needed):

config system settings

set dhcp-proxy enable

set dhcp-server-ip "10.10.12.2"
set dhcp6-server-ip "2001:db8::10:10:12:2"

end

 

Where there are multiple DHCP servers, list each server IP on the same line, separated by spaces:

 

config system settings

set dhcp-proxy enable

set dhcp-server-ip 10.10.12.2 10.10.22.1

end

 

Note:

The dhcp-proxy option is used to facilitate DHCP proxy functionality for remote-access VPNs on the FortiGate (i.e. dial-up IPsec and SSL VPN) that have DHCP-based address allocation configured.

 

  2. Create or modify an SSL VPN portal and set ip-mode to dhcp (this setting is only available from the CLI). In this example, users connect to the 'DHCP_Tunnel' portal.

config vpn ssl web portal

edit "DHCP_Tunnel"

set ip-mode dhcp

next

end

 

  3. Under VPN -> SSL VPN Settings, add a new Authentication/Portal Mapping entry that maps the SSL VPN user group to the DHCP-based portal created in the previous step.

 

[Figure: Authentication/Portal Mapping entry mapping the SSL VPN user group to the DHCP_Tunnel portal.]

 

     4. Configure appropriate Firewall Policies for the SSL-VPN interface to grant access for users. A basic example is shown here:

 

[Figure: example firewall policy from the SSL-VPN tunnel interface to the internal network.]
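The complete CLI equivalent of steps 1 to 4, added here as a worked example; it is not configuration taken from the article, and the names it uses are assumptions: user group "SSLVPN_Users", WAN interface "port1", internal interface "port2", SSL VPN port 10443 and firewall policy ID 10. Lines beginning with '#' are annotations and must not be pasted into the CLI.

```text
# Step 1: relay DHCP requests from remote-access VPN clients to the external server
config system settings
    set dhcp-proxy enable
    set dhcp-server-ip 10.10.12.2
end

# Step 2: tunnel-mode portal that takes client addresses from DHCP instead of an IP pool
config vpn ssl web portal
    edit "DHCP_Tunnel"
        set tunnel-mode enable
        set ip-mode dhcp
    next
end

# Step 3: map the VPN user group to the DHCP-based portal (assumed group and interface names)
config vpn ssl settings
    set port 10443
    set source-interface "port1"
    set source-address "all"
    config authentication-rule
        edit 1
            set groups "SSLVPN_Users"
            set portal "DHCP_Tunnel"
        next
    end
end

# Step 4: allow authenticated tunnel users from the SSL VPN interface to the LAN
config firewall policy
    edit 10
        set name "SSLVPN_DHCP_to_LAN"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set groups "SSLVPN_Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

Because the client addresses are no longer drawn from a pool defined on the FortiGate, the policy's source address is left as "all" and access is restricted by the user group instead; narrow srcaddr to the DHCP scope's subnet once it is known.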

 

Special Note:

Specifying the DHCP Scope assigned to SSL VPN clients using DHCP GIADDR.

 

Starting in v7.2.4, support was added to the SSL VPN for the DHCP GIADDR option. This option allows administrators to specify which DHCP scope should be used when allocating addresses to their SSL VPN users, whereas previously SSL VPN users could only receive IP addresses in the same subnet as the FortiGate's local DHCP server-facing interface (i.e. 10.10.12.0/24 on the FortiGate's port2 in the example topology).

 

The following are the steps to enable the DHCP GIADDR option for your DHCP-based SSL VPN users:

 

  1. Modify the SSL VPN portal in the CLI and add the following commands (IPv6 options can be left blank if not needed):

config vpn ssl web portal

edit <name>

set dhcp-ra-giaddr <gateway_IP_address>

set dhcp6-ra-linkaddr <IPv6_link_address>

next

end

 

Note that dhcp-ra-giaddr should be set to an IP address that falls within the DHCP scope that you wish to assign to the SSL VPN users.

 

  2. Because of how DHCP relay works, the DHCP server sends all of its responses to the address carried in the giaddr field, i.e. the dhcp-ra-giaddr value, even though the FortiGate sent the relayed request from a different source IP.

 

To ensure that the FortiGate accepts this incoming traffic as local traffic, it is necessary to either:

      1. Create a loopback interface and assign it the IP address used for dhcp-ra-giaddr, or
      2. Assign that address as a secondary IP on one of the FortiGate's physical interfaces.

In either case, ensure that any routers between the DHCP server and the FortiGate (acting as the DHCP relay) have a route back to the FortiGate for the new SSL VPN DHCP subnet. No additional firewall policies need to be created for this step.

Once this process is completed, SSL VPN users will be able to receive DHCP leases from a separate scope/subnet that matches the gateway address specified by dhcp-ra-giaddr.
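The GIADDR behaviour described in this Special Note, modelled as an added example; this is not part of the article and is not FortiOS code. It is a minimal DHCP relay/server exchange in Python built on the BOOTP layout from RFC 2131. The scopes (10.10.12.0/24 for the server-facing LAN, 10.10.50.0/24 as a dedicated SSL VPN scope), the client MAC, the port2 address 10.10.12.1 and the dhcp-ra-giaddr value 10.10.50.1 are all constructed for the example. It shows that the server selects the scope from giaddr and unicasts the OFFER back to giaddr rather than to the request's source address, and what happens when dhcp-ra-giaddr falls outside every scope.

```python
"""DHCP relay GIADDR model: added example, not FortiOS code. All addresses,
scopes and the client MAC below are constructed for illustration."""
import ipaddress
import struct

# Fixed BOOTP header (RFC 2131 figure 1): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)  # 236 bytes
MAGIC = b"\x63\x82\x53\x63"
DISCOVER, OFFER = 1, 2

# Constructed scopes on the external DHCP server: the FortiGate's server-facing
# LAN (10.10.12.0/24, as in the article) and a dedicated SSL VPN scope.
SCOPES = {"10.10.12.0/24": "10.10.12.100", "10.10.50.0/24": "10.10.50.10"}


def build_relayed_discover(xid: int, client_mac: bytes, giaddr: str) -> bytes:
    """DHCPDISCOVER as the relay forwards it. giaddr is the relaying interface
    IP by default, or the dhcp-ra-giaddr value when that is set on the portal."""
    hdr = struct.pack(
        BOOTP_FMT, 1, 1, 6, 1,                      # BOOTREQUEST, Ethernet, hlen 6, hops 1
        xid, 0, 0x8000,                             # xid, secs, broadcast flag
        b"\0" * 4, b"\0" * 4, b"\0" * 4,            # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,       # giaddr: the relay's chosen address
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    return hdr + MAGIC + bytes([53, 1, DISCOVER, 255])   # option 53 + end option


def parse_bootp(pkt: bytes) -> dict:
    f = struct.unpack(BOOTP_FMT, pkt[:BOOTP_LEN])
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "chaddr": f[11][:6]}


def parse_options(pkt: bytes) -> dict:
    """TLV options after the magic cookie; stops at option 255 (end)."""
    body = pkt[BOOTP_LEN:]
    if body[:4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(body) and body[i] != 255:
        if body[i] == 0:            # pad option
            i += 1
            continue
        code, length = body[i], body[i + 1]
        opts[code] = body[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def server_offer(discover: bytes, scopes: dict = SCOPES) -> tuple[bytes, str]:
    """Toy DHCP server. Per RFC 2131 section 4.3.1 a relayed request is matched
    to the scope containing giaddr, and the reply is unicast back to giaddr."""
    req = parse_bootp(discover)
    if req["op"] != 1 or parse_options(discover).get(53) != bytes([DISCOVER]):
        raise ValueError("expected a DHCPDISCOVER")
    gi = ipaddress.IPv4Address(req["giaddr"])
    scope = next((s for s in scopes if gi in ipaddress.ip_network(s)), None)
    if scope is None:
        # Failure mode: dhcp-ra-giaddr outside every scope -> no lease is offered
        raise LookupError(f"no scope contains giaddr {gi}")
    yiaddr = ipaddress.IPv4Address(scopes[scope])
    hdr = struct.pack(
        BOOTP_FMT, 2, 1, 6, 0, req["xid"], 0, 0x8000,       # BOOTREPLY, same xid
        b"\0" * 4, yiaddr.packed, b"\0" * 4, gi.packed,     # offered IP, giaddr echoed
        req["chaddr"].ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    mask = ipaddress.ip_network(scope).netmask.packed
    offer = hdr + MAGIC + bytes([53, 1, OFFER, 1, 4]) + mask + bytes([255])
    return offer, str(gi)   # the OFFER goes to giaddr, not to the request's source IP


def relay_exchange(client_mac: bytes, relay_giaddr: str, xid: int = 0x3903F326) -> dict:
    """One DISCOVER/OFFER round trip seen from the relay's point of view."""
    discover = build_relayed_discover(xid, client_mac, relay_giaddr)
    offer, reply_dst = server_offer(discover)
    rep = parse_bootp(offer)
    return {"xid_match": rep["xid"] == xid, "offered_ip": rep["yiaddr"],
            "subnet_mask": str(ipaddress.IPv4Address(parse_options(offer)[1])),
            "reply_to": reply_dst}


if __name__ == "__main__":
    mac = b"\x00\x11\x22\x33\x44\x55"
    print("default giaddr (port2 IP):", relay_exchange(mac, "10.10.12.1"))
    print("dhcp-ra-giaddr 10.10.50.1: ", relay_exchange(mac, "10.10.50.1"))
```

The reply_to value in the second case is 10.10.50.1, an address the FortiGate does not own unless it is configured on a loopback or as a secondary IP; that is why step 2 above is required, and why a dhcp-ra-giaddr that lies outside every server scope produces no lease at all.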

 

Troubleshooting: 

When troubleshooting issues, collect the following logs:

 

diagnose debug application sslvpn -1
diagnose debug application dhcprelay -1
diagnose debug enable


Additionally, perform a packet capture on the FortiGate interface facing the DHCP server and verify the giaddr field in the relayed request and the destination address of the server's reply.
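An added example of that capture, not taken from the article: the built-in sniffer on the server-facing interface, filtered to DHCP. 'port2' is assumed from the demonstration topology, and lines beginning with '#' are annotations, not CLI input.

```text
# Capture DHCP traffic on the server-facing interface: verbosity 4 prints
# interface names, count 0 runs until Ctrl-C, 'l' adds local timestamps.
diagnose sniffer packet port2 'udp port 67 or udp port 68' 4 0 l

# What to check in the output:
#  - the relayed DISCOVER/REQUEST leaves the FortiGate towards 10.10.12.2 port 67
#  - the OFFER/ACK comes back addressed to the giaddr: the port2 IP by default,
#    or the dhcp-ra-giaddr address, which must be a local FortiGate address
#    (loopback or secondary IP) or the reply is never accepted

# When finished, turn the application debugs off again
diagnose debug disable
diagnose debug reset
```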