Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- DHCP over ipsec not working
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 07-03-2009 04:54 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DHCP over ipsec not working
Hello.
I' m a newbie on fortigate (used to ZyWall).
I have a Fortigate 80C (os 4 build 5025), connected to the DMZ of my ZyWall.
The Zywall routes all incoming vpn calls to the Fortigate.
The wan1 interface has ip 10.27.2.3/255.255.255.0
The internal interface has ip 10.27.1.3/255.255.255.0
I created a dhcp server on wan1 interface.
config system dhcp server
edit " company_dhcp_clients"
set dns-server1 10.27.1.50
set domain " company.se"
set interface " wan1"
set netmask 255.255.255.0
set server-type ipsec
set end-ip 10.27.3.50
set ipsec-lease-hold 0
set start-ip 10.27.3.2
next
end
I created 3 addresses in the firewall
edit " Internal net"
set associated-interface " internal"
set subnet 10.27.1.0 255.255.255.0
next
edit " wan1"
set associated-interface " wan1"
set subnet 10.27.2.3 255.255.255.255
next
edit " company_remote_pc_dhcp_range"
set associated-interface " wan1"
set subnet 10.27.3.0 255.255.255.0
next
I authenticate the users through a radius server
config user radius
edit " jabba"
set secret ENC <some funny password>
set server " 10.27.1.53"
next
end
that server is then a member of a group
config user group
edit " FSAE_Guest_Users"
set group-type directory-service
next
edit " iVpn"
set member " jabba"
next
end
ipsec P1.
config vpn ipsec phase1
edit " company_employee"
set type dynamic
set interface " wan1"
set dpd disable
set proposal des-md5
set xauthtype pap
set mode aggressive
set psksecret ENC <another funny password>
set authusrgrp " iVpn"
next
end
ipsec P2.
config vpn ipsec phase2
edit " company_remote_pc"
set phase1name " company_employee"
set proposal des-md5
set dhcp-ipsec enable
next
end
I made 2 policies.
One to handle dhcp requests (id 2) and one to handle the traffic (id 3).
config firewall policy
edit 3
set srcintf " internal"
set dstintf " wan1"
set srcaddr " Internal net"
set dstaddr " iNovacia_remote_pc_dhcp_range"
set action ipsec
set schedule " always"
set service " ANY"
set inbound enable
set outbound enable
set natinbound enable
set vpntunnel " iNovacia_employee"
next
edit 2
set srcintf " wan1"
set dstintf " wan1"
set srcaddr " wan1"
set dstaddr " all"
set action ipsec
set schedule " always"
set service " DHCP"
set inbound enable
set outbound enable
set vpntunnel " iNovacia_employee"
next
end
Default router for internal network is the Zywall, there is a static route for 10.27.3.0/255.255.255.0 -> 10.27.1.3
Now to the problems.
1: To be able to have the vpn tunnel not going down, I cannot use DPD. Anyone knows why ?
2: And this is the biggest problem.
On the FortiClient (4.0.2.57), if I specify " Acquire virtual IP address" and in the config I hardcode one address from the subnet I created in the dhcp (10.27.3.0) the tunnel comes up and everything works.
But if I configure " DHCP over IPSec" , the client comes up, get one address from the dhcp server and then closes the tunnel.
Can anyone shed some light on what I am missing for the DHCP over IPSec to work ?
Thanks,
Micke
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
- « Previous
-
- 1
- 2
- Next »
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
192.168.3just to clarify...I meant the 10.27.3.x net (" the .3 net" in my last post).
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable
Created on 07-03-2009 10:33 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
why do you assign from the .3 net on an interface in the .2 net? I just cannot see any good reason to do so.I wanted to be able to have multiple dial-up clients using different VIP pools so I could then easily configure policies to allow different access to different servers and ports on my internal network. I' ll test your suggestions next week and come back with the result. Thanks for the advice.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the way to do that is to define different phase 1' s and to select via the PSK. Users with different priviledges will have different tunnels.
If you use interface VPN this will be very easy and self-documenting.
Ede
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable
Created on 07-05-2009 11:01 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
True, but using VIP' s gives you easier control if ip address conflicts should happen.
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,697 -
FortiClient
1,763 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
432 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
209 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
FortiGate-VM
13 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1713 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.