IPsec VPN with external DHCP service

In this recipe you’ll use an external DHCP server to assign IP addresses to your IPsec VPN clients, this scenario is commonly found on enterprises where all DHCP leases need to be centrally managed.

The DHCP server assigns IP addresses in the range of 172.16.6.100 to 172.16.6.120. The server is attached to port 4 of the FortiGate and has an IP address of 192.168.3.70.

1. Creating a user group for remote users

Go to User & Device > User > User Definition.

Create a new Local User with the User Creation Wizard.

Proceed through each step of the wizard, carefully entering the appropriate information.

 

Go to User & Device > User > User Groups.

Create a user group for remote users and add the user you created.

 

2. Adding a firewall address for the local network and IPsec VPN client range

Go to Policy & Objects > Objects > Addresses.

Add a firewall address for the Local LAN, including the subnet and local interface.

 

Add a firewall address for the IPsec VPN client range.

2b-address-ipsecvpn-range

3. Configuring the IPsec VPN using a Custom VPN Tunnel

Go to VPN > IPSec > Tunnels > Create New.

Name the VPN connection and select Custom VPN Tunnel (No Template) and click Next.

3a-vpn-custom

Configure the following parameters:

Set the Remote Gateway to Dialup User

Set the Interface to the internet-facing interface.

Enter a Pre-shared Key

Set the Mode to Aggressive

Set the XAUTH Type to Auto Server

Set the XAUTH User Group to the User Group created on step 1 and click OK to apply the configuration

3b-vpn-custom-parameters
Use the CLI to enable DHCP-IPsec inside the VPN Phase 2 settings.
config vpn ipsec phase2-interface
    edit "dhcp_vpn"
        set dhcp-ipsec enable
    next
end

4. Configuring the IPsec VPN Interface

Go to System > Network > Interfaces.

Edit the newly created IPsec VPN Interface

Set the IP to the same subnet that will be leased to VPN clients. This is the value that the DHCP Administrator must use for the DHCP Option 003 (Router). Set the Remote IP to the same value.

Enable DHCP Server, then expand Advanced and change the mode to Relay. Enter the external DHCP server IP address and change the Type to IPsec.

 

4a-interface-dhcp

5. Creating a security policy for access to the Local LAN Network

Go to Policy & Objects > Policy > IPv4.

Create a security policy allowing the VPN IPsec client IP address range to access the Local LAN network.

Set Incoming Interface to the tunnel interface and set Source Address to the VPN IPsec client range defined on step 2.

Set Outgoing Interface to port4 and Destination Address to Local LAN.

Set Service to ALL

5a-policy

6. Configuring FortiClient

Open FortiClient, go to Remote Access and Add a new connection.

 

Provide a Connection Name and set the Type to IPsec VPN.

Set Remote Gateway to the FortiGate external IP address.

Set Authentication Method to Pre-Shared Key and enter the key below.

 

Expand Advanced Settings and VPN Settings

Select DHCP over IPsec

6c-forticlient-dhcp

Select the new connection, enter the username and password, and click Connect.

 

7. Results

Once the connection is established, the external DHCP server assigns the user an IP address and FortiClient displays the status of the connection, including the IP address, connection duration, and
bytes sent and received.

 

On the FortiGate unit, go to VPN > Monitor > IPsec Monitor and verify that the tunnel Status is Up.

 

Go to Log & Report > Traffic Log > Forward Traffic to view the traffic.

Verify that the Sent/Received column displays traffic successfully flowing through the tunnel.

 

For further reading, check out IPsec VPN in the web-based manager in the FortiOS 5.2 Handbook.

Michel Barbosa

Michel Barbosa

Systems Engineer at Fortinet
Michel Barbosa works in Brazil as part of the Systems Engineering team. He has a Bachelor’s degree from Universidade Mackenzie in Electronic Engineering and his fair share of security certifications earned during more than 10 years killing packets with fire(walls).
Michel Barbosa

Latest posts by Michel Barbosa (see all)

Share this recipe:

Facebooktwittergoogle_pluslinkedin
The tunnel name may not have any spaces in it.
The pre-shared key is a credential for the VPN and should differ from the user’s password.

Leave a comment:

Before commenting, please read the site's comment policy. Only questions related to documentation will be answered. For other concerns, please contact Fortinet support.