To configure the DHCP server for the IPsec VPN tunnel interface on FortiGate. The users connecting to dial-up IPsec VPN will be assigned an IP address from the defined IP range. 

config system dhcp server
    edit 3
        set dns-service default
        set default-gateway 192.168.1.100
        set netmask 255.255.255.0
        set interface "myvpn"
        config ip-range
            edit 1
                set start-ip 192.168.1.1
                set end-ip 192.168.1.20
            next
        end
        set server-type ipsec
        config reserved-address
            edit 1
                set ip 192.168.1.1
                set mac 00:69:6f:6e:a0:01
            next
        end
    next
end

To resolve the issue of being unable to enable the DHCP server in IPsec phase2 settings, perform the following steps:

1. Navigate to VPN -> IPsec Tunnels -> Phase 1 settings.
2. Disable the Mode Config option.
                                                                                                                                                                    
   config vpn ipsec phase1-interface 
       edit "myvpn"
           set mode-cfg disable
       next
   end
   

3. Navigate to VPN -> IPsec Tunnels -> Phase 2 settings, select the relevant phase2 configuration, and enable the DHCP Server option:

config vpn ipsec phase2-interface
    edit "myvpn"
        set dhcp-ipsec enable

    next
 end

To use the external DHCP server for IPSEC VPN clients, it is required to enable the DHCP relay on the tunnel interface under system interface settings and define the IP address of the DHCP server.

Use the commands below:

     config system interface
         edit "myvpn"
           set vdom "root"
           set dhcp-relay-service enable
           set dhcp-relay-ip "10.20.15.1"    

         end

Related documents:

Technical Tip: DHCP IP address reservation with Dial up IPsec VPN 

IPsec VPN with external DHCP service