FortiGate
kumarh
Staff
Article Id 357833
Description This article describes how to address an issue where the DHCP proxy on FortiGate, used with an external DHCP server, does not forward DHCP option 119 (domain search list), so remote IPsec clients that obtain their settings through DHCP do not receive their search domains. It affects FortiClient users on Windows and macOS where FortiGate is the remote VPN gateway and the DHCP server is external.
Scope FortiGate.
Solution

Mode-config is not compatible with DHCP over IPsec: when mode-config is used, the IKE daemon is responsible for the DHCP exchange.

In that case the DHCP Discover is generated by IKE itself; it is not triggered by, or relayed from, the DHCP Discover sent by the end user's client.

Because the IKE daemon builds these DHCP requests on the client's behalf, the replies do not carry all options (such as option 119) back to the client. To have option 119 delivered, switch from mode-config to DHCP over IPsec, particularly when an external DHCP server is in use.

In the IPsec Phase 1 settings, ensure that mode-config is unset, as it bypasses DHCP communication:

config vpn ipsec phase1-interface
    edit "<tunnel_name>"
        unset mode-cfg
    next
end

If the external DHCP server is not directly reachable by the IPsec clients, DHCP relay can be configured on the FortiGate tunnel interface. The relay forwards the clients' DHCP requests to the external server and returns the server's replies to the clients.

config system interface
    edit "<tunnel_name>"               # the IPsec tunnel interface the clients connect through
        set dhcp-relay-service enable
        set dhcp-relay-ip "<dhcp_server_ip>"   # replace with the external DHCP server's IP
        set dhcp-relay-type ipsec          # relay DHCP for IPsec clients rather than a regular LAN
    next
end

Additionally, for configuring DHCP Option 119 on the FortiGate interface, refer to Technical Tip: How to configure DHCP option 119 (multiple search domains) for different domains.
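After switching to DHCP over IPsec, the practical check is whether the DHCP Offer/Ack that reaches the client still carries option 119. The following Python decoder is an added example, not part of this article or of FortiOS: it parses a DHCP options field (the bytes after the magic cookie, as seen in a packet capture on the client or on the tunnel interface) and decodes option 119 according to RFC 3397, including the RFC 1035 label compression that DHCP servers commonly use for shared suffixes. The sample option bytes, the domain names and the helper names are constructed for the demonstration.

```python
"""Check a DHCP Offer/Ack options field for option 119 (Domain Search).

Added example for this article; not FortiOS code. The options bytes built by
build_sample_options() are constructed, not taken from a real capture.
"""

# Constructed search list used to build the sample reply below.
SEARCH_DOMAINS = ["corp.example.com", "lab.example.com"]


def encode_domain_search(domains):
    """Encode domains as an RFC 3397 option 119 payload, compressing
    shared suffixes with RFC 1035 pointers (0xC0 | offset)."""
    out = bytearray()
    offsets = {}  # suffix (tuple of labels) -> offset of first occurrence
    for domain in domains:
        labels = tuple(domain.strip(".").split("."))
        i = 0
        while i < len(labels):
            suffix = labels[i:]
            if suffix in offsets:            # suffix already emitted: point to it
                ptr = offsets[suffix]
                out += bytes([0xC0 | (ptr >> 8), ptr & 0xFF])
                break
            offsets[suffix] = len(out)
            label = labels[i].encode("ascii")
            out += bytes([len(label)]) + label
            i += 1
        else:
            out += b"\x00"                   # root label terminates the name
    return bytes(out)


def decode_domain_search(payload):
    """Decode an option 119 payload into a list of domain names."""
    domains = []
    pos = 0
    while pos < len(payload):
        labels, p, jumped, hops = [], pos, False, 0
        while True:
            length = payload[p]
            if length == 0:                  # end of this name
                if not jumped:
                    pos = p + 1
                break
            if length & 0xC0 == 0xC0:        # compression pointer
                ptr = ((length & 0x3F) << 8) | payload[p + 1]
                if not jumped:
                    pos = p + 2
                jumped = True
                hops += 1
                if hops > 64:                # defensive: reject pointer loops
                    raise ValueError("compression pointer loop")
                p = ptr
                continue
            labels.append(payload[p + 1:p + 1 + length].decode("ascii"))
            p += 1 + length
        domains.append(".".join(labels))
    return domains


def parse_dhcp_options(options):
    """Parse the DHCP options field into {code: payload}. Repeated codes are
    concatenated (RFC 3396), which matters for long option 119 lists."""
    result = {}
    pos = 0
    while pos < len(options):
        code = options[pos]
        if code == 0:                        # pad
            pos += 1
            continue
        if code == 255:                      # end
            break
        length = options[pos + 1]
        payload = options[pos + 2:pos + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated option %d" % code)
        result[code] = result.get(code, b"") + payload
        pos += 2 + length
    return result


def search_list_from_options(options):
    """Return the decoded option 119 list, or None if the reply lacks it."""
    opts = parse_dhcp_options(options)
    if 119 not in opts:
        return None
    return decode_domain_search(opts[119])


def build_sample_options(include_119):
    """Constructed DHCP Offer options: type, subnet mask, DNS, optional 119."""
    opts = bytearray()
    opts += bytes([53, 1, 2])                          # option 53: Offer
    opts += bytes([1, 4, 255, 255, 255, 0])            # option 1: subnet mask
    opts += bytes([6, 4, 10, 0, 0, 53])                # option 6: DNS server
    if include_119:
        payload = encode_domain_search(SEARCH_DOMAINS)
        opts += bytes([119, len(payload)]) + payload
    opts += b"\xff"
    return bytes(opts)


if __name__ == "__main__":
    for flag in (True, False):
        print("option 119 present" if flag else "option 119 missing", "->",
              search_list_from_options(build_sample_options(flag)))
```

Run against the options bytes of a real capture, a `None` result on the client side while the server-side capture shows the list is the symptom this article describes: the option is being dropped between the external DHCP server and the IPsec client.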

Refer to the following documentation on gateway IP addresses and additional mode-config details to ensure compatibility with DHCP options:

Support defining gateway IP addresses in IPsec with mode-config and DHCP