I created a route-based IPsec VPN connection (as per https://cookbook.fortinet...pn-two-fortigates-56/) to allow transparent communication between two networks that are located behind two different FortiGates.

FortiGate 80E, FortiOS v6.0.4 (HQ) and FortiGate 50E, FortiOS v6.0.4 (Branch).

FortiGate 80E (HQ) establishes an IPsec connection with the 50E (Branch). FortiGate 80E WAN 189.XX.XX.XX, LAN 192.168.254.109
HQ internal network 192.168.254.0/24
DHCP enabled, range 192.168.254.100 - 192.168.254.254
config vpn ipsec phase1-interface
    edit "hq-to-branch"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: hq-to-branch"
        set remote-gw 177.XXX.XXX.XXX
        set psksecret
    next
end

config vpn ipsec phase2-interface
    edit "hq-to-branch"
        set phase1name "hq-to-branch"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set comments "VPN: hq-to-branch"
        set src-addr-type name
        set dst-addr-type name
        set src-name "hq-to-branch_local"
        set dst-name "hq-to-branch_remote"
    next
end
--------------------------------//---------------------------------------------
FortiGate 50E (Branch) establishes an IPsec connection with the 80E (HQ). WAN 177.XXX.XXX.XXX, LAN 192.168.100.101
DHCP disabled
Branch internal network 192.168.100.0/24
config vpn ipsec phase1-interface
    edit "branch-to-hq"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: branch-to-hq"
        set remote-gw 189.XX.XX.XX
        set psksecret ENC
    next
end

config vpn ipsec phase2-interface
    edit "branch-to-hq"
        set phase1name "branch-to-hq"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set comments "VPN: branch-to-hq"
        set src-addr-type name
        set dst-addr-type name
        set src-name "branch-to-hq_local"
        set dst-name "branch-to-hq_remote"
    next
end
Users on the HQ's internal network can access resources in the branch's internal network and vice versa. But I want the HQ DHCP to assign IP addresses to the branch network, which is in another subnet. Would that be possible?
If the DHCP server (at HQ) is configured with a subnet for the remote network, it will work without issue. The relay agent takes care of the magic in the back end.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
rwpatterson wrote: If the DHCP server (at HQ) is configured with a subnet for the remote network, it will work without issue. The relay agent takes care of the magic in the back end.
In this case, yes. But in the screenshot I see that DHCP on HQ allocates IP addresses from 254.0/24 and the branch office is 101.0/24. It cannot get an IP address from the HQ range at the branch office.
Jirka
In this case, in order for my HQ DHCP to assign IPs to the branch, do I have to put the branch in the same network range as HQ? In the current IPsec VPN configuration the two FortiGate subnets are different, as in the images sent before. Do I have to redo my current VPN configuration and reconfigure it with overlapping subnets, according to this tutorial: https://cookbook.fortinet...n-overlapping-subnets/ ?

Cleyton wrote: In this case, in order for my HQ DHCP to assign IPs to the branch, do I have to put the branch in the same network range as HQ? In the current IPsec VPN configuration the two FortiGate subnets are different, as in the images sent before. Do I have to redo my current VPN configuration and reconfigure it with overlapping subnets, according to this tutorial: https://cookbook.fortinet...n-overlapping-subnets/ ?
Hi Cleyton,
If you want a branch to have the same address range as the HQ, I recommend using VXLAN: https://cookbook.fortinet.com/vxlan-over-ipsec-using-vtep-60/
Jirka
Jirka,
In your previous post you said that you built DHCP relay with 13 branches. I found it very interesting and would like to apply this solution in my scenario. Could you give me more details?
I think it will not be a suitable scenario for you, but here it is:
At headquarters we have 2x 200E in HA. In the DMZ we have servers (Active Directory with DHCP and DNS, file servers, etc.). At each branch there is a 60E with an IPsec tunnel to the headquarters (DR 0.0.0.0/0) and DHCP relay enabled on the LAN, pointing to the DHCP server at the headquarters and at the hosting center (two DHCP servers can only be set via the CLI).
If the server at HQ fails (technical problems, maintenance, etc.), the second DHCP server in the hosting center takes over its function. Simple, rock-stable.
Jirka
Create the DHCP range for the remote devices in the HQ system. Use the remote subnet, gateway, mask, DNS, etc. as though you were sitting at that remote location. What you put in there will be given out to every device at the remote location. Don't match the remote subnet to the HQ one. This will break way too many things and is (in my opinion) a really crappy idea.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
rwpatterson, are you suggesting that in the DHCP at headquarters I create a scope or subnet for each branch?

Very good, Jirka. This scenario will be suitable for me, yes, because I have a headquarters with an 80E and the servers (Active Directory, DHCP, DNS and database server). I have 6 branches; in each branch I will put a 60E with an IPsec tunnel to be configured. Initially I just want to have one DHCP server running in the head office, with DHCP relay enabled on the branch pointing to the DHCP server at the head office. Having analyzed your scenario, I think it would be possible to implement something similar in mine.
Are your branch offices on the same subnet as headquarters, or are the branch offices on different subnets? In the DHCP at headquarters, did you create a DHCP scope or subnet for each branch? Would it be possible to send a screenshot, to see how you set up your scenario?
Yes, your guess is correct :)
- each branch has its own subnet
- the corresponding scope is created on DHCP for each branch (see screenshot)
- IPsec on the branches is built as 0.0.0.0/0, i.e. all branch traffic is sent to HQ and managed by the central 200E (but this is not a condition)
Jirka
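The setup Jirka describes (branch LAN relaying to the HQ DHCP server through the tunnel, two relay targets via the CLI) and Bob's advice (a scope at HQ that describes the remote subnet, not the HQ one), written out as FortiOS CLI for the 50E/80E pair in this thread. This is an added example, not the original poster's configuration: it assumes the branch LAN interface is named "internal", that the HQ 80E itself is the DHCP server and will answer relayed requests from a scope bound to the tunnel interface, and 192.168.254.110 is a constructed placeholder for a second DHCP server.

```fortios
# Branch FortiGate (50E/60E): relay LAN DHCP broadcasts through the tunnel.
# 192.168.254.109 is the HQ 80E LAN IP from the thread; 192.168.254.110 is a
# constructed placeholder for a second server (two relay targets can only be
# set from the CLI, as Jirka notes).
config system interface
    edit "internal"
        set ip 192.168.100.101 255.255.255.0
        set dhcp-relay-service enable
        set dhcp-relay-ip "192.168.254.109" "192.168.254.110"
    next
end

# The relayed request is unicast from the branch LAN IP (giaddr) to the
# server, so the branch needs a LAN -> tunnel policy allowing DHCP (UDP 67),
# and HQ needs the reverse policy plus a route to 192.168.100.0/24 via the
# tunnel (the route-based VPN in the thread already provides that route).
config firewall policy
    edit 0
        set name "lan-to-hq-dhcp-relay"
        set srcintf "internal"
        set dstintf "branch-to-hq"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DHCP"
    next
end

# HQ FortiGate (80E) as the DHCP server: a second scope whose subnet,
# gateway, mask and DNS describe the *branch* LAN, bound to the tunnel
# interface on which the relayed requests arrive. The server picks this
# scope by matching the relay agent address (giaddr), so the HQ LAN scope
# 192.168.254.0/24 is never handed out to branch clients.
config system dhcp server
    edit 2
        set interface "hq-to-branch"
        set default-gateway 192.168.100.101
        set netmask 255.255.255.0
        set dns-server1 192.168.254.109
        config ip-range
            edit 1
                set start-ip 192.168.100.150
                set end-ip 192.168.100.250
            next
        end
    next
end
```

On the branch, "diagnose sniffer packet internal 'udp port 67 or udp port 68'" shows the client broadcast and the relayed unicast leaving toward HQ, which is the quickest way to tell a policy or routing problem from a DHCP scope problem.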