Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

IPSec VPN dhcp problem

Hi all, I've set up a FortiGate 60A to use dial-up client VPN through a VIP address. The settings are like this:

OS Version: 3.0
WAN IP: 111.222.333.444
FortiGate 60A Internal IP: 131.107.22.1
INTERNAL SUBNET: 131.107.22.0/32
VIP SUBNET assigned to VPN: 10.10.200.0

I can connect to the VPN tunnel, but cannot get an IP address. The log on FortiClient shows an error [status=negotiate_error msg="Failed to acquire an IP address"]. I'm using the FortiGate as the DHCP server, and have added the DHCP server record already. Here are my questions:
1. How can I solve this problem?
2. Actually I'm not sure about how to add the DHCP server. According to the manual, I added a record of type "IPSec", IP range 10.10.200.2-250, on the WAN port. But I'm not sure about the default gateway. Should I use 131.107.22.1 or another one?
Not applicable

On what interface did you apply the DHCP server?
Not applicable

I added the DHCP server on the WAN port.
Not applicable

Hi dorayaki,
I'm using the FortiGate as the DHCP server, and have added the DHCP server record already.
You can't do that; you need to configure the Fortinet as an IPSec DHCP relay, and you need a DHCP server in your internal network. The Fortinet can't be the DHCP server in an IPSec VPN. The second thing to do is to add a rule to allow IPSec clients to get an IP address from your DHCP server, placed before the main IPSec rule, like this:
    config firewall policy
        edit 22
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "DHCP_SERVER"
            set dstaddr "all"
            set action ipsec
            set schedule "always"
            set service "DHCP"
            set inbound enable
            set outbound enable
            set vpntunnel "YOUR_VPN_NAME"
        next
    end

I hope it helps.
abelio

You can't do that; you need to configure the Fortinet as an IPSec DHCP relay, and you need a DHCP server in your internal network. The Fortinet can't be the DHCP server in an IPSec VPN.
That's not true; an IPSec DHCP server is available for policy- or tunnel-mode IPSec VPNs (it is not available for route/interface-mode ones, however).

regards / Abel
Not applicable

I'll use my internal DHCP server instead, but I'm still confused about why it is necessary. I would prefer to use my FortiGate to do that...... Anyway, thank you for your reply.
Not applicable

You should assign the DHCP server on your WAN interface: System > DHCP > choose your WAN interface and then choose "Servers", don't choose "Relay". Then "edit", tick "enable", choose Type > "IPSEC", and then add an IP range for your IPSec addresses. Don't forget to click "Advanced" in order to put in your internal DNS. This DHCP configuration is working on my FG. Let me know if this solves your problem.
Not applicable

I also did this before, but I don't know what I should enter in the "Default Gateway". For example, my internal subnet is 192.168.0.0, and the subnet assigned to VPN clients is 192.168.1.0. The internal IP of the FortiGate is 192.168.0.1. Since it doesn't have an IP in the range 192.168.1.x, can I use 192.168.0.1 as the "Default Gateway" in the DHCP server setting? Or use another method like a static route?
Not applicable

Just use an IP in subnet 192.168.1.0 to assign your default GW, and don't forget to specify the source and destination addresses in your firewall policy. And put this policy on top of the other policies.
Not applicable

However, I don't have any IP address in subnet 192.168.1.0 because it is a subnet for VPN only. If I want to use the FortiGate as the DHCP server and its own private IP is 192.168.0.1, how can I use an IP in subnet 192.168.1.0 as the default gateway?
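The gateway question in the last posts (the client pool lives in 192.168.1.0/24 while the FortiGate's only LAN address is 192.168.0.1) comes down to a few address-plan checks. The following Python is an added example, not code from this thread or from Fortinet; it models a DHCP-over-IPsec scope with assumed field names and flags the mismatches the posters ran into (gateway outside the client subnet, gateway inside the handed-out range, pool overlapping the LAN).

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class IpsecDhcpScope:
    """Constructed model of a DHCP-over-IPsec scope; field names are assumptions."""
    pool_start: str       # first address handed to VPN clients
    pool_end: str         # last address handed to VPN clients
    netmask: str          # mask handed to clients with the lease
    default_gateway: str  # gateway handed to clients with the lease
    lan_subnet: str       # the gateway's internal LAN, which the pool must not overlap


def check_scope(scope: IpsecDhcpScope) -> list[str]:
    """Return the problems found; an empty list means the scope is consistent."""
    problems: list[str] = []
    start = ipaddress.ip_address(scope.pool_start)
    end = ipaddress.ip_address(scope.pool_end)
    gw = ipaddress.ip_address(scope.default_gateway)
    lan = ipaddress.ip_network(scope.lan_subnet, strict=False)
    # The client subnet is what the pool start plus the handed-out mask describes.
    pool_net = ipaddress.ip_network(f"{start}/{scope.netmask}", strict=False)

    if end < start:
        problems.append("pool end is before pool start")
    if end not in pool_net:
        problems.append(f"pool end {end} is outside the client subnet {pool_net}")
    if gw not in pool_net:
        # The case from the thread: 192.168.0.1 offered to 192.168.1.x clients.
        problems.append(f"default gateway {gw} is not inside the client subnet {pool_net}")
    elif start <= gw <= end:
        problems.append(f"default gateway {gw} lies inside the handed-out range")
    if pool_net.overlaps(lan):
        problems.append(f"client subnet {pool_net} overlaps the LAN {lan}")
    if pool_net.num_addresses <= 2:
        problems.append(f"netmask {scope.netmask} leaves room for no usable clients")
    return problems


if __name__ == "__main__":
    # Constructed scopes using the addresses from the thread.
    asked = IpsecDhcpScope("192.168.1.2", "192.168.1.250", "255.255.255.0",
                           "192.168.0.1", "192.168.0.0/24")
    advised = IpsecDhcpScope("192.168.1.2", "192.168.1.250", "255.255.255.0",
                             "192.168.1.1", "192.168.0.0/24")
    for name, scope in (("asked", asked), ("advised", advised)):
        print(name, check_scope(scope) or "ok")
```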