IPsec VPN with external DHCP service

You can use an external DHCP server to assign IP addresses to your IPsec VPN clients. This is a common scenario found in enterprises where all DHCP leases need to be managed centrally.

In this example, the DHCP server assigns IP addresses in the range of to The server is attached to internal2 on the FortiGate and has an IP address of

To configure a DHCP server to assign IP addresses to IPsec VPN clients:
  1. Create a user group for remote users:
    1. Go to User & Authentication > User Definition and click Create New.
    2. For User Type, select Local User.
    3. Complete the wizard, and click Submit.
    4. Go to User & Authentication > User Groups and click Create New..
    5. Create a Firewall user group for your remote users.
    6. For Members, add the user you just created.
    7. Click OK.
  2. Add a firewall address for the local network and IPsec VPN client range:
    1. Go to Policy & Objects > Addresses.
    2. Create a new Subnet address for the LAN, including the IP mask and local interface (internal2).
    3. Click OK.
    4. Create a new IP Range address for the IPsec VPN client range (–
    5. Click OK.
  3. Configure the IPsec VPN using a VPN tunnel in the CLI:
    config vpn ipsec phase1-interface
        edit "dhcp_vpn"
            set type dynamic
            set interface "wan1"
            set mode aggressive
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set dpd on-idle
            set dhgrp 5
            set xauthtype auto
            set authusrgrp "ipsecvpn"
            set psksecret ********