In this recipe you'll use an external DHCP server to assign IP addresses to your IPsec VPN clients. This scenario is commonly found in enterprises where all DHCP leases need to be centrally managed.
The DHCP server assigns IP addresses in the range of 172.16.6.100 to 172.16.6.120. The server is attached to port 4 of the FortiGate and has an IP address of 192.168.3.70.
1. Creating a user group for remote users
Go to User & Device > User > User Definition.
Create a new Local User with the User Creation Wizard.
Proceed through each step of the wizard, carefully entering the appropriate information.
Go to User & Device > User > User Groups.
Create a user group for remote users and add the user you created.
2. Adding a firewall address for the local network and IPsec VPN client range
Go to Policy & Objects > Objects > Addresses.
Add a firewall address for the Local LAN, including the subnet and local interface.
Add a firewall address for the IPsec VPN client range.
3. Configuring the IPsec VPN using a Custom VPN Tunnel
Go to VPN > IPSec > Tunnels > Create New.
Name the VPN connection, select Custom VPN Tunnel (No Template), and click Next.
Configure the following parameters:
Set the Remote Gateway to Dialup User.
Set the Interface to the internet-facing interface.
Enter a Pre-shared Key.
Set the Mode to Aggressive.
Set the XAUTH Type to Auto Server.
Set the XAUTH User Group to the user group created in step 1, then click OK to apply the configuration.
Use the CLI to enable DHCP-IPsec inside the VPN Phase 2 settings.
config vpn ipsec phase2-interface
    edit "dhcp_vpn"
        set dhcp-ipsec enable
    next
end
4. Configuring the IPsec VPN Interface
Go to System > Network > Interfaces.
Edit the newly created IPsec VPN interface.
Set the IP to the same subnet that will be leased to VPN clients. This is the value that the DHCP Administrator must use for the DHCP Option 003 (Router). Set the Remote IP to the same value.
Enable DHCP Server, then expand Advanced and change the mode to Relay. Enter the external DHCP server IP address and change the Type to IPsec.
5. Creating a security policy for access to the Local LAN Network
Go to Policy & Objects > Policy > IPv4.
Create a security policy allowing the VPN IPsec client IP address range to access the Local LAN network.
Set Incoming Interface to the tunnel interface and set Source Address to the VPN IPsec client range defined in step 2.
Set Outgoing Interface to port4 and Destination Address to Local LAN.
Set Service to ALL.
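The FortiGate side of steps 2 to 5 can also be entered from the CLI. The fragment below is an added example, not part of the original recipe: "dhcp_vpn", port4, the DHCP server 192.168.3.70 and the client range 172.16.6.100-120 come from the recipe, while "wan1" as the internet-facing interface, "vpn_users" as the step 1 group, the address object names, the LAN subnet behind port4 and the pre-shared key placeholder are assumptions.

```text
# Added example (not from the original recipe): FortiOS CLI equivalent of steps 2-5.
# Assumed: "wan1" as the internet-facing interface, "vpn_users" as the step 1 group,
# the address object names, the LAN subnet behind port4, and the placeholder pre-shared key.
config firewall address
    edit "Local_LAN"
        set subnet 192.168.3.0 255.255.255.0      # assumed LAN subnet
        set associated-interface "port4"
    next
    edit "IPsec_VPN_range"
        set type iprange                          # matches exactly the DHCP scope
        set start-ip 172.16.6.100
        set end-ip 172.16.6.120
    next
end
config vpn ipsec phase1-interface
    edit "dhcp_vpn"
        set type dynamic                          # Remote Gateway: Dialup User
        set interface "wan1"
        set mode aggressive
        set xauthtype auto                        # XAUTH Type: Auto Server
        set authusrgrp "vpn_users"
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "dhcp_vpn"
        set phase1name "dhcp_vpn"
        set dhcp-ipsec enable                     # client addressing comes from DHCP
    next
end
config system interface
    edit "dhcp_vpn"
        set ip 172.16.6.1 255.255.255.255         # becomes DHCP option 003 (Router)
        set remote-ip 172.16.6.1                  # newer releases also take a netmask here
        set dhcp-relay-service enable
        set dhcp-relay-ip "192.168.3.70"
        set dhcp-relay-type ipsec
    next
end
config firewall policy
    edit 0
        set srcintf "dhcp_vpn"
        set dstintf "port4"
        set srcaddr "IPsec_VPN_range"             # only the leased range, not any
        set dstaddr "Local_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Keeping the source address of the policy limited to the DHCP-leased range means a client that somehow ends up with an address outside the scope gets no access to the LAN, which is easy to spot in the Forward Traffic log as denied traffic from the tunnel interface.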
6. Configuring FortiClient
Open FortiClient, go to Remote Access and Add a new connection.
Provide a Connection Name and set the Type to IPsec VPN.
Set Remote Gateway to the FortiGate external IP address.
Set Authentication Method to Pre-Shared Key and enter the pre-shared key configured in step 3.
Expand Advanced Settings and VPN Settings.
Select DHCP over IPsec.
Select the new connection, enter the username and password, and click Connect.
7. Results
Once the connection is established, the external DHCP server assigns the user an IP address and FortiClient displays the status of the connection, including the IP address, connection duration, and bytes sent and received.
On the FortiGate unit, go to VPN > Monitor > IPsec Monitor and verify that the tunnel Status is Up.
Go to Log & Report > Traffic Log > Forward Traffic to view the traffic.
Verify that the Sent/Received column displays traffic successfully flowing through the tunnel.