This article explains how to configure an SSL VPN with an external DHCP server. This article assumes that the reader is generally familiar with configuring an SSL VPN on the FortiGate and will be updating an existing configuration to use an external DHCP server instead of traditional IP address pools.
FortiOS 7.0.6, FortiOS 7.2.1 and later
FortiOS 7.2.4 (dhcp-ra-giaddr support added)
Some administrators may prefer to have SSL VPN users obtain IP addresses from an external DHCP server rather than use the traditional method of address pools/ranges on the FortiGate itself. This might be done to centralize control over address allocation (rather than having multiple devices handle addressing), or to integrate DHCP with other functions in the network, such as DNS registration or IPAM.
Below is the topology used for the demonstration of this feature in this article, as well as the steps required to configure the feature itself:
1. Enable the DHCP Proxy functionality and specify the DHCP Server IP address that the FortiGate should relay requests to (IPv6 options can be left blank if not needed):
config system settings
    set dhcp-proxy enable
    set dhcp-server-ip "10.10.12.2"
    set dhcp6-server-ip "2001:db8::10:10:12:2"
end
Note: the dhcp-proxy option is used to facilitate DHCP proxy functionality for remote-access VPNs on the FortiGate (i.e. dialup IPsec and SSL VPN) that have DHCP-based address allocation configured.
2. Create/modify an SSL VPN Portal and set ip-mode to dhcp (this setting can only be enabled from the CLI). In this example, users are connecting to the 'DHCP_Tunnel' portal.
config vpn ssl web portal
    edit "DHCP_Tunnel"
        set ip-mode dhcp
    next
end
3. Under VPN -> SSL VPN Settings, add a new Authentication/Portal Mapping entry and specify the VPN-related User Group in the SSL VPN settings along with the new DHCP-based SSL VPN Portal created.
4. Configure appropriate Firewall Policies for the SSL VPN interface to grant access for your users. A basic example is shown here:
Special Note: Specifying the DHCP Scope assigned to SSL VPN clients using DHCP GIADDR.
Starting in FortiOS 7.2.4, support was added to the SSL VPN for the DHCP GIADDR option. This option allows administrators to specify which DHCP scope should be used when allocating addresses to their SSL VPN users, whereas previously SSL VPN users could only receive IP addresses in the same subnet as the FortiGate's local DHCP server-facing interface (i.e. 10.10.12.0/24 on the FortiGate's port2 in the example topology).
The following are the steps to enable the DHCP GIADDR option for your DHCP-based SSL VPN users:
1) Set the relay agent address in the DHCP-based SSL VPN portal (dhcp6-ra-linkaddr is the IPv6 equivalent and can be left unset if not needed):
config vpn ssl web portal
    edit "DHCP_Tunnel"
        set dhcp-ra-giaddr <gateway_IP_address>
        set dhcp6-ra-linkaddr <IPv6_link_address>
    next
end
Note that dhcp-ra-giaddr should be set to an IP address that falls within the DHCP scope that you wish to assign to the SSL VPN users.
2) Due to the nature of how the DHCP GIADDR option works, the DHCP server will send all DHCP response traffic back to the address specified by dhcp-ra-giaddr (even though the FortiGate will have used a different source-IP to start with).
To ensure that the FortiGate accepts this incoming traffic as local traffic, it is necessary either
No additional firewall policies are required to be created for this step.
Once this process is completed, SSL VPN users will be able to receive DHCP leases from a separate scope/subnet that matches the gateway address specified by dhcp-ra-giaddr.
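As an added illustration (not code from the original article or from FortiOS), the script below models the DHCP server side of what the Special Note describes: the server picks the scope from the relay agent address (giaddr) in the request, and unicasts its reply to that same giaddr rather than to the relay's actual source IP. The 10.10.12.0/24 scope and server 10.10.12.2 come from the article's topology; the 10.10.50.0/24 scope, its gateway 10.10.50.1 and the client MAC are constructed values.

```python
import ipaddress
import struct

# Constructed scopes standing in for the external DHCP server's configuration.
# 10.10.12.0/24 is the FortiGate port2 subnet from the article; 10.10.50.0/24
# is an assumed second scope that dhcp-ra-giaddr is meant to select.
SCOPES = {
    ipaddress.ip_network("10.10.12.0/24"): ("10.10.12.100", "10.10.12.200"),
    ipaddress.ip_network("10.10.50.0/24"): ("10.10.50.100", "10.10.50.200"),
}


def build_discover(xid, mac, giaddr):
    """Build the fixed 236-byte BOOTP header of a DHCPDISCOVER (RFC 2131 s.2).
    giaddr is what a relay writes in: its own interface IP by default, or the
    administrator-chosen gateway when dhcp-ra-giaddr is configured."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    return struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                     # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,                 # xid, secs, flags (broadcast bit set)
        bytes(4), bytes(4), bytes(4),   # ciaddr, yiaddr, siaddr (all zero in DISCOVER)
        ipaddress.ip_address(giaddr).packed,
        chaddr, bytes(64), bytes(128),  # chaddr, sname, file
    )


def parse_giaddr(pkt):
    """giaddr occupies bytes 24..27 of the BOOTP header."""
    return str(ipaddress.ip_address(pkt[24:28]))


def select_scope(pkt, receiving_if_ip):
    """RFC 2131 s.4.3.1: use the scope containing giaddr when it is non-zero,
    otherwise the scope containing the interface the request arrived on."""
    giaddr = parse_giaddr(pkt)
    key = ipaddress.ip_address(giaddr if giaddr != "0.0.0.0" else receiving_if_ip)
    for net, pool in SCOPES.items():
        if key in net:
            return str(net), pool
    raise LookupError(f"no scope contains {key}")


def reply_destination(pkt):
    """RFC 2131 s.4.1: a relayed request is answered to giaddr:67, whatever
    source IP the relay used. This is why the FortiGate must treat the
    dhcp-ra-giaddr address as local traffic."""
    giaddr = parse_giaddr(pkt)
    return (giaddr, 67) if giaddr != "0.0.0.0" else None
```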
When troubleshooting issues, collect the following logs:
diagnose debug application sslvpn -1
diagnose debug application dhcprelay -1
diagnose debug enable
Additionally, perform a packet capture on the FortiGate interface to which the DHCP server is connected.