Support Forum
Cleyton
New Contributor

Configuring the DHCP relay agent in a VPN tunnel ipsec Site to Site between two networks

I created a route-based IPsec VPN connection (as per https://cookbook.fortinet...pn-two-fortigates-56/) to allow transparent communication between two networks that are located behind two different FortiGates.

FortiGate 80E v6.0.4 / FortiGate 50E v6.0.4

FortiGate 80E (HQ) establishes an IPsec connection with the 50E (Branch). FortiGate 80E: WAN 189.XX.XX.XX, LAN 192.168.254.109

HQ internal Network 192.168.254.0/24

DHCP enabled: start IP 192.168.254.100, end IP 192.168.254.254

config vpn ipsec phase1-interface
    edit "hq-to-branch"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: hq-to-branch"
        set remote-gw 177.XXX.XXX.XXX
        set psksecret <redacted>
    next
end

config vpn ipsec phase2-interface
    edit "hq-to-branch"
        set phase1name "hq-to-branch"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set comments "VPN: hq-to-branch"
        set src-addr-type name
        set dst-addr-type name
        set src-name "hq-to-branch_local"
        set dst-name "hq-to-branch_remote"
    next
end


--------------------------------//---------------------------------------------


FortiGate 50E (Branch) establishes an IPsec connection with the 80E (HQ). WAN 177.XXX.XXX.XXX, LAN 192.168.100.101

DHCP Disabled

Branch Internal Network 192.168.100.0/24

config vpn ipsec phase1-interface
    edit "branch-to-hq"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: branch-to-hq"
        set remote-gw 189.XX.XX.XX
        set psksecret ENC <redacted>
    next
end

config vpn ipsec phase2-interface
    edit "branch-to-hq"
        set phase1name "branch-to-hq"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set comments "VPN: branch-to-hq"
        set src-addr-type name
        set dst-addr-type name
        set src-name "branch-to-hq_local"
        set dst-name "branch-to-hq_remote"
    next
end

Users on the HQ's internal network can access resources in the branch's internal network and vice versa. But I want the HQ DHCP to assign IP addresses to the branch network, which is in another subnet. Would it be possible?

rwpatterson
Valued Contributor III

If the DHCP server (at HQ) is configured with a subnet for the remote network, it will work without issue. The relay agent takes care of the magic in the back end.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Jirka1

rwpatterson wrote:

If the DHCP server (at HQ) is configured with a subnet for the remote network, it will work without issue. The relay agent takes care of the magic in the back end.

In this case, yes. But in the screenshot I see that DHCP on HQ allocates IP addresses from 254.0/24 and the branch office is 101.0/24. It cannot get an IP address from the HQ range at the branch office.


Jirka

Cleyton
New Contributor

In this case, in order for my HQ DHCP to assign IPs to the Branch, does the Branch have to be put in the same HQ network range? In the current IPsec VPN configuration the two FortiGate subnets are different, as in the images sent before; do I have to redo my current VPN configuration and reconfigure the subnets as overlapping, according to this tutorial: https://cookbook.fortinet...n-overlapping-subnets/

Jirka1
Contributor III

Cleyton wrote:

In this case, in order for my HQ DHCP to assign IPs to the Branch, does the Branch have to be put in the same HQ network range? In the current IPsec VPN configuration the two FortiGate subnets are different, as in the images sent before; do I have to redo my current VPN configuration and reconfigure the subnets as overlapping, according to this tutorial: https://cookbook.fortinet...n-overlapping-subnets/

Hi Cleyton,

If you want a branch to have the same address range as the HQ, I recommend using VXLAN: https://cookbook.fortinet.com/vxlan-over-ipsec-using-vtep-60/


Jirka

Cleyton

Jirka,

In your previous post you said that you built DHCP Relay with 13 branches. I found it very interesting and I would like to apply this solution in my scenario; could you give me more details?

Jirka1
Contributor III

I think it will not be a suitable scenario for you, but here it is:


At headquarters we have 2x200E in HA. In the DMZ we have servers (Active Directory with DHCP and DNS, file servers, etc.). At each branch there is a 60E with an IPsec tunnel to the headquarters (DR 0.0.0.0/0), DHCP Relay enabled on the LAN pointing to the DHCP server at the headquarters and at the hosting center (two DHCP servers can only be set via CLI).

If it happens that the server on the HQ fails (technical problems, maintenance, etc.), the second DHCP in the hosting center takes over its function. Simple, rock-stable.


Jirka

rwpatterson
Valued Contributor III

Create the DHCP range for the remote devices in the HQ system. Use the remote subnet, gateway, mask, DNS, etc as though you were sitting at that remote location. What you put in there will be given out to every device at the remote location. Don't match the remote subnet to the HQ one. This will break way too many things and is (in my opinion) a really crappy idea.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Cleyton

rwpatterson, are you suggesting that in the DHCP at headquarters I create a scope or subnet for each branch?

Cleyton
New Contributor

Very good, Jirka. This scenario will be suitable for me, yes, because I have a headquarters with an 80E and the servers (Active Directory, DHCP, DNS and database server). I have 6 branches; in each branch I will put a 60E with an IPsec tunnel to be configured. Initially I just want to have one DHCP server running in the head office, with DHCP Relay enabled on the branches pointing to the DHCP server at the head office. Having analyzed your scenario, I think it would be possible to implement something similar in mine.

Are your branch offices on the same subnet as headquarters, or are they on different subnets? In the DHCP at headquarters, did you create a DHCP scope or subnet for each branch? Would it be possible to send a screenshot, to see how you set up your scenario?

Jirka1
Contributor III

Yes, your guess is correct :) - each branch has its own subnet - the corresponding scope is created on the DHCP server for each branch - see screenshot - IPsec on the branches is built with 0.0.0.0/0, i.e. all branch traffic is sent to HQ and managed by a central 200E (but this is not a condition)


Jirka
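The setup rwpatterson and Jirka describe (a scope for the branch subnet on the HQ DHCP server, relay on the branch LAN) written out as FortiOS 6.0 CLI for the addresses in this thread. This is an added illustration, not configuration posted by anyone here; the tunnel interface IPs, the HQ DNS server address and the branch LAN interface name "lan" are assumptions.

```fortios
# --- HQ FortiGate 80E: scope for the branch subnet, bound to the tunnel interface ---
# Assumed: tunnel endpoints get a /32 pair so the tunnel interface is a routable hop.
config system interface
    edit "hq-to-branch"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end
# The scope uses the branch's own subnet, gateway and mask, not the HQ range.
config system dhcp server
    edit 2
        set interface "hq-to-branch"
        set default-gateway 192.168.100.101
        set netmask 255.255.255.0
        set dns-service specify
        set dns-server1 192.168.254.10        # assumed HQ AD/DNS server
        config ip-range
            edit 1
                set start-ip 192.168.100.100
                set end-ip 192.168.100.254
            next
        end
    next
end

# --- Branch FortiGate 50E: relay LAN DHCP broadcasts to HQ over the tunnel ---
# A second relay address can only be added from the CLI, as Jirka notes.
config system interface
    edit "lan"
        set dhcp-relay-service enable
        set dhcp-relay-type regular
        set dhcp-relay-ip "192.168.254.109"   # HQ FortiGate LAN address from the thread
    next
end
```

The relayed requests travel inside the tunnel from the branch LAN address, so the existing phase 2 selectors and routes already cover them; if leases are not handed out, `diagnose debug application dhcprelay -1` on the branch and `diagnose debug application dhcps -1` at HQ show whether the request arrives and which scope answers it.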
