vbandha
Staff
Article Id 339792
Description This article describes how to assign a static IP to a dialup IPsec VPN user.
Scope FortiGate v6.4+.
Solution

A dialup IPsec VPN has no option for IP reservation or for assigning a static IP. To achieve this, create a separate tunnel for the user and configure the IP to assign in its client address range.


To start, go to VPN -> IPsec Tunnels, select Create New -> IPsec Tunnel, enter a name for the tunnel and choose Custom.

 

Select 'Next' after that.


Under Remote Gateway, choose Dialup User. For Interface, choose the WAN interface where the connection request will be received.
Enable the Mode Config option. Under Client Address Range, configure the static IP to assign to the user. In this example, the range 10.137.1.1 – 10.137.1.2 with subnet mask 255.255.255.252 has been chosen.
Choose two IPs: the first one will be the client IP and the second will be the VPN gateway IP.
For the DNS server, it is possible to manually assign a DNS server or to select 'Use system DNS in mode config' to use the system DNS of the FortiGate.

 

Under Authentication, assign a pre-shared key and save it to provide to the user later.

If there are multiple dialup IPsec VPN tunnels on this interface, each one needs a distinguishing ID so that incoming traffic can be matched to the correct tunnel. For this, use Peer Options. Under Accept Types, choose Specific Peer ID.
Under Peer ID, assign an ID that will distinguish the users of this tunnel.
In this example, the ID is 'static'.

 

Choose the other settings as required and select 'OK' at the bottom. Create a policy from this tunnel to the internal resources or the internet as required.


Here is an example of one policy:
Go to Policy & Objects -> Firewall Policy and select 'Create New'.

 

Choose the tunnel interface as the source interface and, as the destination interface, the interface to provide access to. Configure the other settings as required and select 'OK'.

On the end-user side, configure the FortiClient settings to match the settings on the IPsec tunnel. Make sure the Local ID is the same ID that was configured under Peer ID on the tunnel, in this case 'static'.

 

After configuring that, connect to the IPsec VPN from FortiClient and the static IP will be assigned.
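The GUI steps above expressed as FortiOS CLI, as an added example that is not configuration from the original article; the policy is scoped to the assigned address instead of to everything arriving on the tunnel. The names `static-user`, `static-user-ip`, `lan-servers`, `wan1` and `internal`, the 192.168.10.0/24 destination and the use of IKEv1 aggressive mode are assumptions; the address range and the peer ID 'static' are the article's.

```fortios
# Constructed example; object names, interfaces and the LAN subnet are assumptions.
config firewall address
    edit "static-user-ip"
        # First IP of the range, which the article designates as the client IP
        set subnet 10.137.1.1 255.255.255.255
    next
    edit "lan-servers"
        set subnet 192.168.10.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "static-user"
        set type dynamic
        set interface "wan1"
        # Assumption: IKEv1 aggressive mode, so the peer ID can be used to pick this tunnel
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "static"
        set mode-cfg enable
        set ipv4-start-ip 10.137.1.1
        set ipv4-end-ip 10.137.1.2
        set ipv4-netmask 255.255.255.252
        # 'auto' corresponds to 'Use system DNS in mode config'
        set dns-mode auto
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "static-user"
        set phase1name "static-user"
    next
end
config firewall policy
    edit 0
        set name "static-user-to-lan"
        set srcintf "static-user"
        set dstintf "internal"
        set srcaddr "static-user-ip"
        set dstaddr "lan-servers"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

After the client connects, `diagnose vpn ike gateway list name static-user` shows the negotiated gateway, including the address handed out by mode config.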

 
