Article Id 195156
Description
Using proxy-ARP for VPN dial-in FortiClients
Components
  • All FortiGates
  • v2.80MR5 and later
Steps or Commands

A remote VPN user can now be configured to use an IP address within the same subnet as the network they are connecting to. This requires the main FortiGate unit to send proxy-ARP responses on behalf of these remote dial-in clients. For this proxy-ARP functionality to work, the FortiClient must obtain its IP address via DHCP-over-IPsec. For information on how to configure DHCP-over-IPsec between a FortiClient and a FortiGate unit, see the Fortinet Knowledge Base articles "DHCP over IPSec using FortiClient" and "Dialup-client IPSec VPN Example Technical Note".

The following FortiGate debug commands can be used to confirm that the VPN connection has been enabled with proxy-ARP:

Fortigate # diag deb appl dhcprelay 255
Fortigate # diag deb appl ike 2
<snip>
Comes 172.31.225.15:500->172.31.224.101:500, ifindex=3, external, vf_id=0....
Exchange Mode = 32, Message id = 0x6B62C904, Len = 52
Received Payloads= HASH
Replay protection enable.
Set sa life soft seconds=1750.
Set sa life hard seconds=1800.
dport = 500.adding dialup. peer:10.103.1.15, me:10.103.1.0/255.255.255.0
Add DHCP-IPSEC proxy_arp:10.103.1.15 local_gwy=172.31.224.101
Add dialup tunnel.tun=p2-1, remote_gwy=172.31.225.15
11.796447 LLC printer havn't been added to sniffer. ether_type=38
Initializing sa OK.
Responder:quick mode done !
<snip>

Fortigate # diag sys dev list root
list virtual firewall root info:
ip4 route_cache: table_size=131072 max_depth=2 used=5 total=8
arp: table_size=4096 max_depth=1 used=4 total=4
proxy_arp: table_size=256 max_depth=1 used=1 total=1
arp6: table_size=4096 max_depth=1 used=2 total=2
proxy_arp6: table_size=256 max_depth=0 used=0 total=0
local table version=0000001f main table version=0000000d
vf=root dev=dmz index=2
vf=root dev=external index=3
vf=root dev=internal index=4
vf=root dev=root index=5
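
The check described above can be automated over a saved capture of the debug output. The following is an added example, not Fortinet code; it assumes that `peer:` is the address assigned to the dial-in client and `me:` is the protected subnet, and the function name and sample text are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: lines taken from the debug output shown in this article.
SAMPLE = """\
dport = 500.adding dialup. peer:10.103.1.15, me:10.103.1.0/255.255.255.0
Add DHCP-IPSEC proxy_arp:10.103.1.15 local_gwy=172.31.224.101
Add dialup tunnel.tun=p2-1, remote_gwy=172.31.225.15
proxy_arp: table_size=256 max_depth=1 used=1 total=1
proxy_arp6: table_size=256 max_depth=0 used=0 total=0
"""

# Assumption: peer: is the client's assigned IP, me: is the protected subnet.
DIALUP = re.compile(r"peer:([\d.]+), me:([\d./]+)")
PROXY = re.compile(r"Add DHCP-IPSEC proxy_arp:([\d.]+) local_gwy=([\d.]+)")
# Anchored at line start so proxy_arp6 and the "Add ..." line are not matched.
TABLE = re.compile(r"^proxy_arp: .*\bused=(\d+)", re.M)


def check_proxy_arp(text):
    """Correlate dial-up peers, proxy-ARP additions and the proxy_arp table."""
    proxied = dict(PROXY.findall(text))      # client IP -> local gateway
    entries, missing = [], []
    for peer, me in DIALUP.findall(text):
        subnet = ipaddress.ip_network(me, strict=False)
        if peer not in proxied:
            missing.append(peer)             # tunnel added, no proxy-ARP entry
            continue
        entries.append({
            "client": peer,
            "local_gwy": proxied[peer],
            "subnet": str(subnet),
            # Proxy-ARP is only expected for a client inside the subnet.
            "in_subnet": ipaddress.ip_address(peer) in subnet,
        })
    table = TABLE.search(text)
    used = int(table.group(1)) if table else None
    ok = (bool(entries) and not missing
          and all(e["in_subnet"] for e in entries)
          and used is not None and used >= len(entries))
    return {"entries": entries, "missing": missing,
            "table_used": used, "ok": ok}


if __name__ == "__main__":
    print(check_proxy_arp(SAMPLE))
```

A peer listed under `missing` has a dial-up tunnel but no proxy-ARP entry, which is the expected result when the client did not obtain its address via DHCP-over-IPsec.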