IPsec VPN with external DHCP service

You can use an external DHCP server to assign IP addresses to your IPsec VPN clients. This is a common scenario found in enterprises where all DHCP leases need to be managed centrally.

In this example, the DHCP server assigns IP addresses in the range of 172.16.6.100 to 172.16.6.120. The server is attached to internal2 on the FortiGate and has an IP address of 192.168.3.70.

To configure a DHCP server to assign IP addresses to IPsec VPN clients:
  1. Create a user group for remote users:
    1. Go to User & Device > User Definition > Create New.
    2. For User Type, select Local User.
    3. Complete the wizard, and click Submit.
    4. Go to User & Device > User Groups > Create New.
    5. Create a Firewall user group for your remote users.
    6. For Members, add the user you just created.
    7. Click OK.

  2. Add firewall addresses for the local network and the IPsec VPN client range:
    1. Go to Policy & Objects > Addresses.
    2. Create a new Subnet address for the LAN, including the IP mask and local interface (internal2).
    3. Click OK.
    4. Create a new IP Range address for the IPsec VPN client range (172.16.6.100–172.16.6.120).
    5. Click OK.

  3. Configure the IPsec VPN tunnel in the CLI (the phase1 name, dhcp_vpn, becomes the tunnel interface name used in later steps):
    config vpn ipsec phase1-interface
        edit "dhcp_vpn"
            set type dynamic
            set interface "wan1"
            set mode aggressive
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set dpd on-idle
            set dhgrp 5
            set xauthtype auto
            set authusrgrp "ipsecvpn"
            set psksecret <xxxxxx>
            set dpd-retryinterval 60
        next
    end
    
    config vpn ipsec phase2-interface
        edit "toclient"
            set phase1name "dhcp_vpn"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set dhgrp 5
            set dhcp-ipsec enable
        next
    end
  4. Configure the IPsec VPN interface:
    1. Go to Network > Interfaces and edit the newly created IPsec VPN interface.
    2. Enable the DHCP Server.
    3. Expand Advanced and change the Mode to Relay.
    4. Enter the external DHCP server IP address (192.168.3.70).
    5. Change the Type to IPsec.
    6. Click OK.

  5. Create a security policy for access to the local network:
    1. Go to Policy & Objects > IPv4 Policy > Create New.
    2. Configure the following parameters:
      1. Set the Incoming Interface to the tunnel interface created in step 3 (dhcp_vpn).
      2. Set the Outgoing Interface (internal2).
      3. Set the Source to the IPsec VPN client range defined in step 2 (ipsecvpn_range).
      4. Set the Destination to the subnet address defined in step 2 (Local LAN).
      5. Set the Service to ALL.
    3. Click OK.

  6. Configure FortiClient:
    1. In FortiClient, go to REMOTE ACCESS > Add a new connection.
    2. Configure the following parameters:
      1. Set the VPN type to IPsec VPN.
      2. Enter a connection name.
      3. Set the Remote Gateway to the FortiGate external IP address.
      4. Set the Authentication Method to Pre-shared key and enter the same key configured as psksecret on the FortiGate.
      5. Expand Advanced Settings > VPN Settings and, for Options, select DHCP over IPsec.
      6. Click Save.
    3. Select the new connection, and enter the user name and password.
    4. Click Connect.

    Once the connection is established, the external DHCP server assigns the user an IP address and FortiClient displays the connection status, including the IP address, connection duration, and bytes sent and received.
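
Added here as a configuration check, not part of the Fortinet recipe: a small Python parser for the FortiOS CLI block in step 3 that confirms the settings DHCP over IPsec depends on (dhcp-ipsec enabled in phase2, an authusrgrp behind xauthtype) and flags parameters that are weaker than current IKE guidance (aggressive mode, DH group 5, SHA1 proposals). The sample configuration is constructed from the recipe's own block with the PSK line omitted.

```python
# Added example, not from the Fortinet recipe: parse the phase1/phase2 CLI above
# and check what DHCP over IPsec depends on, plus crypto weaker than current guidance.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "dhcp_vpn"
        set type dynamic
        set mode aggressive
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 5
        set xauthtype auto
        set authusrgrp "ipsecvpn"
    next
end
config vpn ipsec phase2-interface
    edit "toclient"
        set phase1name "dhcp_vpn"
        set dhcp-ipsec enable
    next
end
"""  # constructed from the recipe's block, PSK line omitted


def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}} for config/edit/set blocks."""
    tree, section, entry = {}, None, None
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[0] == "config":
            tree.setdefault((section := " ".join(tok[1:])), {})
        elif tok[0] == "edit":
            tree[section][(entry := tok[1].strip('"'))] = {}
        elif tok[0] == "set":
            tree[section][entry][tok[1]] = [v.strip('"') for v in tok[2:]]
    return tree


def check_dhcp_over_ipsec(tree):
    """Return findings; an empty list means the recipe's prerequisites hold."""
    p1 = tree.get("vpn ipsec phase1-interface", {})
    findings = []
    for name, s in tree.get("vpn ipsec phase2-interface", {}).items():
        if s.get("dhcp-ipsec") != ["enable"]:
            findings.append(f"{name}: dhcp-ipsec not enabled, clients get no lease")
    for name, s in p1.items():
        if s.get("xauthtype") and not s.get("authusrgrp"):
            findings.append(f"{name}: xauthtype set but no authusrgrp, no user group check")
        if s.get("mode") == ["aggressive"]:
            findings.append(f"{name}: IKEv1 aggressive mode with PSK, weaker than main mode or IKEv2")
        if any(g in ("1", "2", "5") for g in s.get("dhgrp", [])):
            findings.append(f"{name}: dhgrp {s['dhgrp']} is below 2048-bit, prefer group 14 or higher")
        if any(p.endswith("sha1") for p in s.get("proposal", [])):
            findings.append(f"{name}: proposal still offers sha1, prefer sha256 only")
    return findings
```

Run it against a `show vpn ipsec phase1-interface` / `phase2-interface` dump before rolling the recipe out; the crypto findings are advisory, since FortiClient dialup behaviour is not changed by them.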

Verification

  1. In FortiOS, go to Monitor > IPsec Monitor and verify that the tunnel Status is Up.
  2. Go to Log & Report > Forward Traffic and verify that the Sent / Received column shows traffic flowing through the tunnel.