FortiGate
ManpreetSingh
Article Id 411331
Description

This article describes the issue of being unable to enable the DHCP server in IPsec phase2 settings on a FortiGate and addresses how to resolve this issue, which involves disabling the mode configuration in phase1 settings.

Scope

FortiGate.
Solution

Configure the DHCP server for the IPsec VPN tunnel interface on the FortiGate as shown below. Users connecting to the dial-up IPsec VPN are assigned an IP address from the defined IP range.

 

config system dhcp server
    edit 3
        set dns-service default
        set default-gateway 192.168.1.100
        set netmask 255.255.255.0
        set interface "myvpn"
        config ip-range
            edit 1
                set start-ip 192.168.1.1
                set end-ip 192.168.1.20
            next
        end
        set server-type ipsec
        config reserved-address
            edit 1
                set ip 192.168.1.1
                set mac 00:69:6f:6e:a0:01
            next
        end
    next
end

 

To resolve the issue of being unable to enable the DHCP server in IPsec phase2 settings, perform the following steps:

  1. Navigate to VPN -> IPsec Tunnels -> Phase 1 settings.
  2. Disable the Mode Config option.
                                                                                                                                                                     
    config vpn ipsec phase1-interface 
        edit "myvpn"
            set mode-cfg disable
        next
    end

 

  3. Navigate to VPN -> IPsec Tunnels -> Phase 2 settings, select the relevant phase2 configuration, and enable the DHCP Server option:


config vpn ipsec phase2-interface
    edit "myvpn"
        set dhcp-ipsec enable
    next
end
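
The check below is an added example, not part of the original article or any Fortinet tooling: it scans a saved FortiGate configuration for the conflict resolved above, reporting IPsec-type DHCP servers whose phase1 still has `mode-cfg` enabled or that have no phase2 with `dhcp-ipsec` enabled. The function names and the sample configuration are constructed; it assumes an absent setting is at its default of `disable` and that a phase2 entry names its phase1 with `phase1name` (falling back to the entry name, as in the snippets above).

```python
def parse_tables(text):
    """Map each top-level config table to {entry name: {setting: value}}."""
    tables, stack, entry = {}, [], None
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word == "config":
            stack.append(rest.strip())
            entry = entry if len(stack) > 1 else None  # keep entry across nested tables
        elif word == "end":
            del stack[-1:]  # tolerates a stray "end"
        elif len(stack) == 1 and word == "edit":
            entry = tables.setdefault(stack[0], {}).setdefault(rest.strip('" '), {})
        elif len(stack) == 1 and word == "set" and entry is not None:
            key, _, val = rest.strip().partition(" ")
            entry[key] = val.strip().strip('"')
    return tables

def audit(text):
    """Return (tunnel, problem) pairs for DHCP servers of type ipsec."""
    t = parse_tables(text)
    p1 = t.get("vpn ipsec phase1-interface", {})
    p2 = t.get("vpn ipsec phase2-interface", {})
    findings = []
    for srv in t.get("system dhcp server", {}).values():
        if srv.get("server-type") != "ipsec":
            continue
        tunnel = srv.get("interface")
        # Assumption: a setting missing from the backup is at its default, "disable".
        if p1.get(tunnel, {}).get("mode-cfg", "disable") == "enable":
            findings.append((tunnel, "phase1 mode-cfg is enabled"))
        bound = [e for n, e in p2.items() if e.get("phase1name", n) == tunnel]
        if not any(e.get("dhcp-ipsec") == "enable" for e in bound):
            findings.append((tunnel, "no phase2 has dhcp-ipsec enabled"))
    return findings

# Constructed sample: Mode Config is still on and no phase2 enables dhcp-ipsec.
SAMPLE = """
config vpn ipsec phase1-interface
    edit "myvpn"
        set mode-cfg enable
    next
end
config system dhcp server
    edit 3
        set interface "myvpn"
        set server-type ipsec
    next
end
"""
print(audit(SAMPLE))
```

An empty list means every IPsec-type DHCP server in the file is in the state the steps above produce.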

 

Related articles:

Technical Tip: DHCP IP address reservation with Dial up IPsec VPN 

IPsec VPN with external DHCP service - FortiGate administration guide