FortiGate
bkarl
Staff
Article Id 329310
Description This article describes how to fix an issue where FortiGate, acting as the DHCP server for IPsec dial-up VPN clients, does not reply to the client's DHCP DISCOVER message.
Scope FortiGate v7.0.13.
Solution

FortiGate, configured as a DHCP server on an IPsec dial-up VPN, does not send the DHCP OFFER (carrying the assigned IP address) back to the client in response to its DISCOVER. Restarting the FortiGate or the DHCP process does not help: the remote client still does not receive an IP address.

This behavior was already reported internally under FortiGate report ID 0985006.

The workaround is to perform the following change:


config vpn ipsec phase1-interface
    edit "vpn_name"
        set type dynamic
        set net-device (enable | disable) <----- Select 'Disable'.
    next
end
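The workaround above has to be applied to every dial-up (type dynamic) phase1-interface on the unit. The following script is an added example (not Fortinet code) that parses a plain-text FortiGate configuration export, lists the dial-up tunnels that still have net-device enabled, and prints the CLI lines needed to apply the workaround to each of them. The sample configuration embedded in the script is constructed for illustration; the tunnel names in it are not from the article. Because the regular 'show' output omits settings that are at their default value, run 'show full-configuration' when exporting so that net-device appears explicitly for every tunnel.

```python
"""Audit a FortiGate CLI configuration dump for dial-up (type dynamic) IPsec
phase1-interfaces that still have net-device enabled, and emit the CLI needed
to apply the article's workaround (set net-device disable) to each of them.

Added example, not Fortinet code. It assumes the configuration was exported
as plain text in the 'config ... edit "<name>" ... set ... next ... end'
layout shown in the article. Tunnels where 'set net-device' is absent are
not flagged; export with 'show full-configuration' so the value is explicit.
"""

import re

# Constructed sample config (not from the article): two dial-up tunnels, one
# with the problematic setting, plus a static site-to-site tunnel that the
# workaround does not concern.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "vpn_dialup_a"
        set type dynamic
        set interface "wan1"
        set net-device enable
        set psksecret ENC xxx
    next
    edit "vpn_dialup_b"
        set type dynamic
        set interface "wan1"
        set net-device disable
    next
    edit "vpn_site_to_site"
        set type static
        set interface "wan1"
        set net-device enable
        set remote-gw 203.0.113.10
    next
end
"""

_EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]+?)"?\s*$')
_SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def parse_phase1_interfaces(config_text):
    """Return {tunnel_name: {setting: value}} for the phase1-interface table."""
    tunnels = {}
    current = None
    in_table = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "config vpn ipsec phase1-interface":
            in_table = True
            continue
        if not in_table:
            continue
        if stripped == "end":
            break  # end of the phase1-interface table
        m = _EDIT_RE.match(line)
        if m:
            current = m.group(1).strip()
            tunnels[current] = {}
            continue
        if stripped == "next":
            current = None
            continue
        m = _SET_RE.match(line)
        if m and current is not None:
            tunnels[current][m.group(1)] = m.group(2).strip('"')
    return tunnels


def find_affected_tunnels(config_text):
    """Names of dial-up tunnels (type dynamic) with net-device enabled,
    i.e. the combination the article's workaround changes."""
    tunnels = parse_phase1_interfaces(config_text)
    return sorted(
        name for name, settings in tunnels.items()
        if settings.get("type") == "dynamic"
        and settings.get("net-device") == "enable"
    )


def workaround_commands(names):
    """CLI block that applies 'set net-device disable' to each named tunnel."""
    lines = ["config vpn ipsec phase1-interface"]
    for name in names:
        lines += [f'    edit "{name}"', "        set net-device disable", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    affected = find_affected_tunnels(SAMPLE_CONFIG)
    print("Dial-up tunnels with net-device enabled:", affected)
    print(workaround_commands(affected))
```

Feed the script the exported text instead of SAMPLE_CONFIG to audit a real unit; the generated block is the same shape as the workaround above, once per affected tunnel.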


With the issue present, the tunnel stays up in this state without passing data and is then disconnected automatically. To confirm this, run the following debug commands and share the output with TAC:

diagnose debug console timestamp enable
diagnose debug application dhcps -1
diagnose debug application ike -1
diagnose debug enable


2024-05-28 15:22:39 [debug] Processing RTM_NEWLINK event (dev=vpn-test_0).
2024-05-28 15:22:39 [debug] Received netlink message
2024-05-28 15:22:39 [debug] start dumping leases
2024-05-28 15:22:39 [debug] Backing up ipmacs
2024-05-28 15:22:39 [debug] finished dumping  dynamic ipmacs
2024-05-28 15:22:39 [debug] Backing up leasefile
2024-05-28 15:22:39 [debug] finished dumping all leases


Another way to resolve this issue is to upgrade to v7.0.15.