Description
This article describes DHCP IP address reservation with Dial up IPsec VPN.
Solution
GUI configuration.
1) Dial up VPN can be created with the wizard.
2) Create the DHCP Server.
Go to System -> Network -> Interfaces -> interface created by the wizard.
Select the dial-up IPsec tunnel interface created by the wizard.
Assign IP address to the interface:
IP: 172.16.1.100
Remote IP: 172.16.1.100
Enable DHCP Server
Address range: 172.16.1.1 - 172.16.1.20
Netmask: 255.255.255.0
IP address Reservation
Add a MAC Reservation + Access Control entry:
MAC: <MAC address of the network card used to connect to the VPN>
IP: <IP address to reserve>
Action: Reserve IP
Type: IPsec
3) Disable Mode Config in the IPsec phase 1 settings. In the latest version, it can be disabled only via the CLI.
4) Enable DHCP over IPsec in the VPN phase 2 via the CLI.
# config vpn ipsec phase2-interface
    edit "FC1"
        set phase1name "FC1"
        set comments "VPN: FC1 (Created by VPN wizard)"
        set dhcp-ipsec enable
    next
end
5) Enable DHCP over IPsec in FortiClient.
If the firewall is configured with split tunnel enabled, it is also necessary to enable split tunnel on FortiClient and to add the routed subnets manually.
CLI configuration.
1) Configure the DHCP server on the IPsec client interface.
# config system dhcp server
    edit 3
        set dns-service default
        set default-gateway 172.16.1.100
        set netmask 255.255.255.0
        set interface "FC1"
        # config ip-range
            edit 1
                set start-ip 172.16.1.1
                set end-ip 172.16.1.20
            next
        end
        set timezone-option default
        set server-type ipsec
        # config reserved-address
            edit 1
                set ip 172.16.1.1
                set mac 11:22:33:44:55:66
            next
        end
    next
end
2) Disable 'Mode Config' in the VPN configuration.
# config vpn ipsec phase1-interface
    edit FC1
        set mode-cfg disable
end
3) Enable DHCP over IPsec in the VPN phase 2 via the CLI.
# config vpn ipsec phase2-interface
    edit "FC1"
        set phase1name "FC1"
        set dhcp-ipsec enable
    next
end
Verification.
After this, whenever the user connects via the IPsec VPN, the reserved IP address is released to the client.
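The reservation depends on settings in three separate tables agreeing on the same tunnel. The following added example (not part of the original article and not Fortinet tooling) parses CLI text in the form shown above and reports which of those settings are missing for a given tunnel. The function names, the constructed sample text and the treatment of an unset mode-cfg as disabled are assumptions of the example.

```python
import shlex
SAMPLE = """
config system dhcp server
edit 3
set interface "FC1"
set server-type ipsec
config reserved-address
edit 1
set ip 172.16.1.1
set mac 11:22:33:44:55:66
next
end
next
end
config vpn ipsec phase1-interface
edit FC1
set mode-cfg disable
end
config vpn ipsec phase2-interface
edit "FC1"
set phase1name "FC1"
set dhcp-ipsec enable
next
end
"""  # constructed sample: the CLI settings from this article

def parse(text):  # FortiOS CLI text -> nested dicts: table -> entry -> key or sub-table
    stack = [("config", {})]
    for line in text.splitlines():
        tok = shlex.split(line.lstrip("# ")) or [""]
        if tok[0] in ("config", "edit"):
            stack.append((tok[0], stack[-1][1].setdefault(" ".join(tok[1:]), {})))
        elif tok[0] in ("next", "end"):  # "end" also closes an entry left without "next"
            while stack.pop()[0] != ("edit" if tok[0] == "next" else "config"):
                pass
        elif tok[0] == "set":
            stack[-1][1][tok[1]] = " ".join(tok[2:])
    return stack[0][1]

def check(text, tunnel):  # -> list of settings that differ from the article's procedure
    cfg = parse(text)
    srv = next((e for e in cfg.get("system dhcp server", {}).values() if e.get("interface") == tunnel), {})
    p1 = cfg.get("vpn ipsec phase1-interface", {}).get(tunnel, {})
    p2 = [e for e in cfg.get("vpn ipsec phase2-interface", {}).values() if e.get("phase1name") == tunnel]
    return [msg for msg, ok in {
        "DHCP server on the tunnel is not server-type ipsec": srv.get("server-type") == "ipsec",
        "no MAC reservation on that DHCP server": any("mac" in r for r in srv.get("reserved-address", {}).values()),
        "mode-cfg is enabled on phase1": p1.get("mode-cfg") != "enable",  # unset is assumed to mean disabled
        "dhcp-ipsec is not enabled on phase2": any(e.get("dhcp-ipsec") == "enable" for e in p2),
    }.items() if not ok]
```

An empty list from `check(SAMPLE, "FC1")` means all four settings line up for that tunnel; each returned string names one that does not.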
Copyright 2024 Fortinet, Inc. All Rights Reserved.