This article describes the solution and troubleshooting steps when IPSec user is unable to get IP address assignment from external DHCP Server.
Scope: FortiOS, IPSec, external DHCP Server.
1) It is possible to configure FortiGate to relay IPSec DHCP requests for IPSec users:
2) In the above scenario, there is the following IP scheme designed:
- 10.120.0.0/20 -> WAN.
- 10.251.0.0/20 -> DMZ (where the DHCP Server sits).
- 10.253.0.0/20 -> LAN.
- 10.10.10.0/24 -> IPSec users IP.
3) While trying to connect, the user is able to establish a Phase1 connection and FortiGate is acting as the DHCP relay agent to send the DHCP request to the external DHCP server:
4) Packet capture from the DHCP server shows that there are only DHCP Discover packets received, and not being responded to:
5) This is because the DHCP server only assigns an IP address when the relay agent's address falls within one of its configured scopes: the server selects the pool from the giaddr field of the relayed request, and a request whose giaddr matches no scope is simply ignored.
In this case, the IPSec interface is configured with 169.254.3.1 as the interface IP, and the DHCP server has no corresponding pool.
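The silence seen in the capture can be reproduced with a small model of the server-side decision. The following is an added example, not FortiOS or Fortinet code: it builds and parses a minimal DHCPDISCOVER as it arrives after one relay hop, then selects a scope the way RFC 2131 section 4.3.1 describes (a relayed request is matched on the subnet containing giaddr). The scope table, the client MAC and the address ranges are constructed to mirror the article's topology; the IPSec scope is absent before the fix and present after it.

```python
"""Toy DHCP server showing why a relayed DISCOVER with an unmatched giaddr gets no OFFER.

Added example (not FortiOS code). Scope table, MAC address and ranges are constructed.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPDISCOVER, DHCPOFFER = 1, 2
HEADER_FMT = "!BBBBIHH4s4s4s4s16s"   # op, htype, hlen, hops, xid, secs, flags, 4 addrs, chaddr


def build_discover(xid: int, mac: bytes, giaddr: str, hops: int = 1) -> bytes:
    """Build a DHCPDISCOVER as the server sees it after a relay agent filled in giaddr."""
    header = struct.pack(
        HEADER_FMT,
        1, 1, 6, hops, xid, 0, 0x8000,            # BOOTREQUEST, Ethernet, broadcast flag
        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,    # ciaddr, yiaddr, siaddr are zero
        ipaddress.IPv4Address(giaddr).packed,      # giaddr set by the relay (FortiGate)
        mac.ljust(16, b"\x00"),
    )
    options = bytes([53, 1, DHCPDISCOVER, 255])   # option 53 = message type, 255 = end
    return header + b"\x00" * 192 + MAGIC_COOKIE + options   # 192 = sname (64) + file (128)


def parse_dhcp(pkt: bytes) -> dict:
    """Parse the fixed BOOTP header and the option-53 message type."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    f = struct.unpack(HEADER_FMT, pkt[:44])
    msg_type, i = None, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                 # pad option carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        if code == 53:
            msg_type = pkt[i + 2]
        i += 2 + length
    return {
        "op": f[0], "hops": f[3], "xid": f[4],
        "giaddr": ipaddress.IPv4Address(f[10]),
        "chaddr": f[11][: f[2]],
        "msg_type": msg_type,
    }


class DhcpServer:
    """Scopes keyed by subnet, each holding the list of still-free addresses."""

    def __init__(self, receiving_subnet: str):
        self.receiving_subnet = ipaddress.ip_network(receiving_subnet)
        self.scopes = {}

    def add_scope(self, subnet: str, first: str, last: str) -> None:
        net = ipaddress.ip_network(subnet)
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        self.scopes[net] = [ipaddress.IPv4Address(a) for a in range(int(lo), int(hi) + 1)]

    def select_scope(self, giaddr):
        """RFC 2131 4.3.1: relayed request -> subnet containing giaddr; direct -> receiving subnet."""
        key = self.receiving_subnet.network_address if int(giaddr) == 0 else giaddr
        for net in self.scopes:
            if key in net:
                return net
        return None

    def handle(self, pkt: bytes):
        """Return (offered address, scope) or None when the server stays silent."""
        req = parse_dhcp(pkt)
        if req["op"] != 1 or req["msg_type"] != DHCPDISCOVER:
            return None
        scope = self.select_scope(req["giaddr"])
        if scope is None or not self.scopes[scope]:
            return None                 # no matching pool: the silence seen in the capture
        return self.scopes[scope].pop(0), scope


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")               # constructed client MAC
    srv = DhcpServer("10.251.0.0/20")                 # server sits in the DMZ
    srv.add_scope("10.251.0.0/20", "10.251.1.10", "10.251.1.20")
    print("giaddr 169.254.3.1 ->", srv.handle(build_discover(0x1234, mac, "169.254.3.1")))
    srv.add_scope("10.10.10.0/24", "10.10.10.10", "10.10.10.50")   # the missing IPSec pool
    print("giaddr 10.10.10.1  ->", srv.handle(build_discover(0x1234, mac, "10.10.10.1")))
```

The first call returns None because 169.254.3.1 is inside no scope; after the 10.10.10.0/24 pool is added and the tunnel interface address moved into it, the same DISCOVER yields an offer from that pool, which is the change steps 6 and 7 describe.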
6) Since the design assigns 10.10.10.0/24 addresses to IPSec users, it is necessary to ensure that this subnet pool is configured in the DHCP server, and that the FortiGate IPSec tunnel interface is configured with an IP within that range:
7) Once the corresponding pool is configured, the DHCP Discover message is answered with a DHCP Offer:
8) It is now possible to see that the IPSec user is assigned an IP within the range, and access to the LAN network is possible:
9) It is also possible to verify on the DHCP Server that it assigned the IP address:
Copyright 2023 Fortinet, Inc. All Rights Reserved.