
Description

 
This article provides the CLI commands to configure DHCP over IPsec for dialup VPN clients: the DHCP relay on the tunnel interface, the IPsec phase-1/phase-2 settings, and the firewall policies between the clients and the internal network.


Solution



IPsec VPN client settings:



CLI configuration:
 
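config system interface
    edit "ClientTunnel"
        set vdom "root"
        set dhcp-relay-service enable          <-- Forward DHCP requests arriving on the tunnel to the relay address below.
        set ip 10.200.68.196 255.255.255.255  <-- An IP address within the DHCP network (the scope leased to clients).
        set type tunnel
        set remote-ip 10.200.68.196
        set snmp-index 15
        set dhcp-relay-ip "10.68.1.117"       <-- Internal DHCP server (lives in vlan68, 10.68.0.0/20) that leases the client addresses.
        set dhcp-relay-type ipsec             <-- Required: the relay type must be ipsec, not regular.
        set interface "port2"                 <-- Underlying interface the dialup tunnel is bound to (matches phase-1).
    next
end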

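config firewall address
    edit "dhcpforIPsecClient_range"         <-- Referenced by the firewall policies; object names are case-sensitive, so reuse this exact spelling.
        set uuid f1904504-aff6-51e6-413f-199821d9d1b2
        set type iprange
        set comment "VPN: ClientTunnel (Created by VPN wizard)"
        set start-ip 10.200.68.233           <-- Must cover the whole range the DHCP server can lease to VPN clients.
        set end-ip 10.200.68.234
    next
end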

config vpn ipsec phase1-interface
    edit "ClientTunnel"
        set type dynamic                      <-- Dialup: peer address is unknown. No peer-ID or certificate check is shown here, so authentication rests on the PSK below.
        set interface "port2"
        set mode aggressive                   <-- IKEv1 aggressive mode sends the peer identity and the PSK-derived hash unencrypted, enabling offline PSK cracking; prefer main mode or IKEv2 if the clients support it, and use a long random PSK.
        set comments "VPN: ClientTunnel (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set psksecret ENC N98HrU+/Tr0q+Gq6H   <-- Example ENC value only; do not copy it. Set your own strong pre-shared key.
    next
end
 
Note: 'set mode-cfg' must be disabled ('set mode-cfg disable') in the phase-1 configuration; otherwise the 'dhcp-ipsec' option is not available in the phase-2 configuration, because IKE mode-config and DHCP over IPsec are mutually exclusive ways of assigning the client address.

config vpn ipsec phase2-interface
    edit "ClientTunnel"
        set phase1name "ClientTunnel"
        set comments "VPN: ClientTunnel (Created by VPN wizard)"
        set dhcp-ipsec enable                 <-- Clients obtain their tunnel address via the DHCP relay; only selectable when mode-cfg is disabled in phase 1.
    next
end

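config firewall policy
    edit 1
        set uuid 5ef30dd2-ada1-51e6-3860-47cc8b9be9da
        set srcintf "ClientTunnel"             <-- Name of the tunnel interface.
        set dstintf "port5"
        set srcaddr "dhcpforIPsecClient_range" <-- Address range leased by the DHCP server; must match the address object name exactly (case-sensitive).
        set dstaddr "vlan68"                   <-- Address object for the internal network.
        set action accept
        set schedule "always"
        set service "ALL"                      <-- Wizard default. Restrict to the services VPN clients actually need.
        set logtraffic all
        set comments "VPN: ClientTunnel (Created by VPN wizard)"
    next
    edit 2
        set uuid f9d26db4-adb2-51e6-b169-40acf1cd2950
        set srcintf "port5"
        set dstintf "ClientTunnel"
        set srcaddr "vlan68"
        set dstaddr "dhcpforIPsecClient_range"
        set action accept
        set schedule "always"
        set service "ALL_ICMP"                 <-- Traffic initiated from the internal network towards clients is limited to ICMP.
        set logtraffic all
        set comments "allow Private network to initiate traffic towards FortiClients"
    next
end

config firewall address
    edit "vlan68"                              <-- Internal network object referenced by both policies above.
        set uuid 1026f39c-ad99-51e6-6035-19f79428c9cf
        set associated-interface "port5"
        set subnet 10.68.0.0 255.255.240.0
    next
end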

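config system interface
    edit "port5"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 192.168.1.x 255.255.255.0       <-- Placeholder; use the interface's real address.
        set allowaccess ping https ssh fgfm    <-- telnet and http removed: they carry admin credentials in cleartext. Re-add only if genuinely required.
        set type physical
        set snmp-index 4
        set dhcp-relay-ip "192.168.1.y"        <-- Placeholder for the DHCP server. The ClientTunnel example relays to 10.68.1.117; in a real deployment this is normally the same server - confirm for your topology.
        set dhcp-relay-type ipsec              <-- Must be changed from regular to IPsec.
    next
end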
