I'm trying to support Dialup IPsec clients which require Mode Config to be enabled, and to use an external DHCP server to provide the dynamic IP address.
I've enabled Mode Config and DHCP under the phase1-interface. I've also enabled dhcp-proxy and configured a dhcp-server-ip under 'config system settings' as per the Fortinet documentation.
What I'm seeing is the FG is relaying the DHCP discover packet to my DHCP server, however the source IP address of the packet is incorrect. The IP I'm seeing is the FG interface IP from the network where the DHCP is located. What needs to happen is the FG needs to relay and use a source IP address from the VPN address pool/range or the IP of the VPN interface, so that the DHCP server can know which IP range to use for this client.
I've tried setting a static IP on the VPN interface but that didn't work either. Is there a way to control which source IP address the FG uses when it relays the DHCP discover (when Mode Config with DHCP is used)?
The DHCP is the latest Windows Server and I can see it does support relay agent ID policies, so that could work.
However, another issue I'm seeing now is that when the FortiGate relays the DHCP discover it's putting its own interface MAC address as the 'Client MAC address' in the DHCP packet, instead of the VPN client's. The idea behind this was to set up static MAC-to-IP reservations on the DHCP server for VPN clients so that certain clients would always get the same IP address.
In IKEv2 the DHCP is sourced by the FortiGate and answered to the FortiGate only. The FortiGate will assign the DHCP address via Mode Config to the end user. As the FortiGate, as source, is always using the same MAC address as identifier, the FortiGate will use option 61, Client Identifier, as the exact username.
This implies that it is only possible to assign an IP from the DHCP server by username.
If there are two times the same username on two different devices, expect to receive the same IP on both units, as the identifier is the same.
This will only be visible in the hexdump of the packet.
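To confirm what the relayed DISCOVER really carries (giaddr, the client hardware address and the option 61 Client Identifier), the UDP payload from a capture can be decoded with the parser below. This is an added example, not code from the thread or from Fortinet; the sample packet, MAC address, relay address and the "alice" identifier are constructed, and the exact byte encoding the FortiGate uses for option 61 is not stated in the thread, so the sample simply uses the bare username.

```python
import struct
from typing import Dict, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 0, 53, 61, 255


def parse_dhcp(pkt: bytes) -> Dict[str, object]:
    """Decode the fixed BOOTP header and the option TLVs of one DHCP message."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", pkt[:8])
    fields = {
        "op": op, "hops": hops, "xid": xid,
        "giaddr": ".".join(str(b) for b in pkt[24:28]),          # relay agent address
        "chaddr": ":".join(f"{b:02x}" for b in pkt[28:28 + hlen]),  # client hardware address
        "options": {},
    }
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = pkt[i + 1]
        fields["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return fields


def relay_identity(pkt: bytes) -> Tuple[str, str, bytes]:
    """Return (giaddr, chaddr, client-id): the values a DHCP server can key policies or reservations on."""
    f = parse_dhcp(pkt)
    return f["giaddr"], f["chaddr"], f["options"].get(OPT_CLIENT_ID, b"")


def build_sample_discover() -> bytes:
    """Constructed DISCOVER resembling a relay that inserts its own MAC and a username client-id."""
    relay_mac = bytes.fromhex("001122334455")          # constructed, not a real device
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 1, 0x1234ABCD, 0, 0x8000)  # op, htype, hlen, hops, xid, secs, flags
    hdr += b"\0" * 12 + bytes([192, 0, 2, 1])           # ciaddr, yiaddr, siaddr, then giaddr (constructed)
    hdr += relay_mac + b"\0" * 10 + b"\0" * 192          # chaddr padded to 16, sname (64), file (128)
    opts = bytes([OPT_MSG_TYPE, 1, 1]) + bytes([OPT_CLIENT_ID, 5]) + b"alice" + bytes([OPT_END])
    return hdr + MAGIC_COOKIE + opts
```

For a real capture, feed the UDP payload of the DISCOVER to `relay_identity`; if `chaddr` is the same for every client and only the client-id differs, the server must key on option 61 rather than on MAC.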