Fortinet Document Library

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

Defining gateway IP addresses in IPsec with mode-config and DHCP

For an IPsec tunnel, the gateway IP address (giaddr) can be defined on a DHCP relay agent. Both IPv4 and IPv6 addresses are supported. An IPsec tunnel with mode‑config and DHCP relay cannot specify a DHCP subnet range to the DHCP server.

The DHCP server assigns an IP address based on the giaddr set on the IPSec phase1 interface and sends an offer to this subnet. The DHCP server must have a route to the specified subnet giaddr.

Example

To define the gateway IP address on the DHCP relay server:
  1. Configure the VPN IPsec phase1 interface:
    config vpn ipsec phase1-interface
        edit "ipv4"
            set type dynamic
            set interface "port2"
            set peertype any
            set net-device disable
            set mode-cfg enable
            set proposal des-md5 des-sha1
            set dpd on-idle
            set dhgrp 5
            set assign-ip-from dhcp
            set dhcp-ra-giaddr 11.11.11.1
            set psksecret ***********
            set dpd-retryinterval 60
        next
    end

    IPv6 could also be configured:

    config vpn ipsec phase1-interface
        edit "ipv6"
            set type dynamic
            set interface "port2"
            set peertype any
            set net-device disable
            set mode-cfg enable
            set proposal des-md5 des-sha1
            set dpd on-idle
            set dhgrp 5
            set assign-ip-from dhcp
            set dhcp6-ra-linkaddr 2000:11:11:11::1
            set psksecret **********
            set dpd-retryinterval 60
        next
    end
  2. Enable DHCP proxy and configure the DHCP server IP address:
    config system settings
        set dhcp-proxy enable
        set dhcp-server-ip "10.1.1.1"
    end
  3. Repeat the above steps for FGT_C and subnet B.

Defining gateway IP addresses in IPsec with mode-config and DHCP

For an IPsec tunnel, the gateway IP address (giaddr) can be defined on a DHCP relay agent. Both IPv4 and IPv6 addresses are supported. An IPsec tunnel with mode‑config and DHCP relay cannot specify a DHCP subnet range to the DHCP server.

The DHCP server assigns an IP address based on the giaddr set on the IPSec phase1 interface and sends an offer to this subnet. The DHCP server must have a route to the specified subnet giaddr.

Example

To define the gateway IP address on the DHCP relay server:
  1. Configure the VPN IPsec phase1 interface:
    config vpn ipsec phase1-interface
        edit "ipv4"
            set type dynamic
            set interface "port2"
            set peertype any
            set net-device disable
            set mode-cfg enable
            set proposal des-md5 des-sha1
            set dpd on-idle
            set dhgrp 5
            set assign-ip-from dhcp
            set dhcp-ra-giaddr 11.11.11.1
            set psksecret ***********
            set dpd-retryinterval 60
        next
    end

    IPv6 could also be configured:

    config vpn ipsec phase1-interface
        edit "ipv6"
            set type dynamic
            set interface "port2"
            set peertype any
            set net-device disable
            set mode-cfg enable
            set proposal des-md5 des-sha1
            set dpd on-idle
            set dhgrp 5
            set assign-ip-from dhcp
            set dhcp6-ra-linkaddr 2000:11:11:11::1
            set psksecret **********
            set dpd-retryinterval 60
        next
    end
  2. Enable DHCP proxy and configure the DHCP server IP address:
    config system settings
        set dhcp-proxy enable
        set dhcp-server-ip "10.1.1.1"
    end
  3. Repeat the above steps for FGT_C and subnet B.