FortiGate
amacchiaverna
Article Id 191367

Description

 

This article describes how to assign client IP addresses to IKEv2 dial-up (FortiClient) clients from an external DHCP server using the FortiGate DHCP proxy, instead of a local address pool.



Solution

 

  1. Enable the global option DHCP proxy and add the DHCP server IP:

    config system settings
        set dhcp-proxy enable
        set dhcp-server-ip "10.220.0.107"
    end

  2. Create the user group containing the local user(s) allowed to dial in:

    config user group
        edit "vpn-usergroup"
            set member "vpn-user"
        next
    end

  3. Set up the VPN (dial-up IKEv2 phase1 with mode config enabled and 'assign-ip-from dhcp'):

    config vpn ipsec phase1-interface

        edit "VPN-v2"
            set type dynamic
            set interface "port1"
            set ike-version 2
            set local-gw 10.109.21.41
            set peertype any
            set net-device disable
            set mode-cfg enable
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set eap enable
            set eap-identity send-request
            set wizard-type dialup-forticlient
            set authusrgrp "vpn-usergroup"
            set assign-ip-from dhcp
            set dns-mode auto
            set ipv4-split-include "VPN-v2_split"
            set save-password enable
            set psksecret ENC s0I3cSRvAeypQSHwIXZEOoj8Sln1xCG+CbFU/oC75IVGn+nbAdZTUIamZcqhohoFuCcvLHF2KT3htvcEOugblCZnPs/XnewPHTN66Y27Rw0dNH7zphxj1ZIhIEH05OVG6qHOZe9Jo2ZOnuOEWOKs0HuKbGMyYJ4bC0xd7NXG9Tn7bwOk1wYg==
        next
    end

    config vpn ipsec phase2-interface
        edit "VPN-v2"
            set phase1name "VPN-v2"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        next
    end

  4. Create policies for Internal LAN:

    config firewall policy
        edit 1
            set name "vpn_VPN-v2_remote_0"
            set srcintf "VPN-v2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "VPN-v2_split"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end

  5. Configure FortiClient to match the phase1 and phase2 settings on the FortiGate (IKEv2, the same proposals, the pre-shared key and the EAP username/password).

Do not enable the 'DHCP over IPsec' option on FortiClient.

This is a legacy option, only for use with DHCP relaying over IKEv1.
Use the 'Mode config' option as defined in the phase1-interface settings (mode-cfg enable): the FortiGate obtains the address from the DHCP server and pushes it to the client through mode config.


 
Verification (output of 'diagnose debug application ike -1' while the client connects; the DHCP-related lines are at the end):
 
ike 0:9f67930076a4be90/0000000000000000:29:         type=DH_GROUP, val=MODP1536.
ike 0:9f67930076a4be90/0000000000000000:29: lifetime=86400
ike 0:9f67930076a4be90/0000000000000000:29: SA proposal chosen, matched gateway VPN-v2
ike 0:VPN-v2: created connection: 0xdad9c10 3 10.109.21.41->10.109.20.72:500.
...
ike 0:VPN-v2:29: send EAP message to FNBAM
ike 0:VPN-v2: EAP 709192309 pending
ike 0:VPN-v2:29 EAP 709192309 result 0
ike 0:VPN-v2: EAP succeeded for user "vpn-user" group "vpn-usergroup" 2FA=no
ike 0:VPN-v2:29: responder preparing EAP pass through message
ike 0:VPN-v2:29: enc 00000008031F00040706050403020107
ike 0:VPN-v2:29: out 9F67930076A4BE90238A05BA09963DD42E202320000000040000005030000034CC263336D17DFE233E0A911999A526E491702666F67AC46FE7141F0D69BB9B1B1F471A98303C89A95EC7BC1DFD03CBF4
ike 0:VPN-v2:29: sent IKE msg (AUTH_RESPONSE): 10.109.21.41:500->10.109.20.72:500, len=80, vrf=0, id=9f67930076a4be90/238a05ba09963dd4:00000004
ike 0: comes 10.109.20.72:500->10.109.21.41:500,ifindex=3,vrf=0....
ike 0: IKEv2 exchange=AUTH id=9f67930076a4be90/238a05ba09963dd4:00000005 len=112
ike 0: in 9F67930076A4BE90238A05BA09963DD42E2023080000000500000070270000549C9158580F47E9BA156CDFF346807A23F1F367E52035FE7C9CE1867607EFC5C5F66BC4FBC2E1E97E4A79EEC8EBB38010858E0EF2160F64552E8F2BD47DEEF2F13ADAEA5EB6AA4E3BA19B0B14B271CDE2
ike 0:VPN-v2:29: dec 9F67930076A4BE90238A05BA09963DD42E2023080000000500000048270000040000002802000000B35F86693CACBE23BAFE13DBC7DF0E94BA01B37846F2FB84AE8F70C7EB57A820
ike 0:VPN-v2:29: responder received AUTH msg
ike 0:VPN-v2:29: auth verify done
ike 0:VPN-v2:29: responder AUTH continuation
ike 0:VPN-v2:29: authentication succeeded
ike 0:VPN-v2:29: responder creating new child
ike 0:VPN-v2:29: mode-cfg type 7 request 16:'46435438303033313936343233343539'
ike 0:VPN-v2:29: mode-cfg received APPLICATION_VERSION 'FCT8003196423459'
ike 0:VPN-v2:29: mode-cfg type 1 request 0:''
ike 0:VPN-v2:29: IPv4 address requested, using DHCP
ike 0:VPN-v2:29: sending DHCP request
ike 0:39 response IP '10.220.0.128/255.255.255.0'
ike 0:VPN-v2:29: DHCP assigned address 10.220.0.128/255.255.255.0
ike 0:VPN-v2:29: DNS 10.220.0.107
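To check the DHCP-proxy path from the debug output programmatically rather than by eye, the following is an added example (not part of this article and not a FortiOS tool). The sample lines are copied from the debug output above with the tunnel and hex lines trimmed; the regular expressions are written against those lines only and are this example's assumption about the message wording, not a documented FortiOS log format.

```python
"""Added example, not part of the Fortinet article: pull the verification facts
out of FortiGate IKE debug output ('diagnose debug application ike -1') for a
dial-up IKEv2 client and flag what is missing when the DHCP-proxy path fails.

SAMPLE_DEBUG is copied from the article's debug output (trimmed). The regexes
are matched against those lines only; they are an assumption about the
wording, not a documented log format.
"""
import re

SAMPLE_DEBUG = """\
ike 0:9f67930076a4be90/0000000000000000:29: SA proposal chosen, matched gateway VPN-v2
ike 0:VPN-v2: created connection: 0xdad9c10 3 10.109.21.41->10.109.20.72:500.
ike 0:VPN-v2: EAP succeeded for user "vpn-user" group "vpn-usergroup" 2FA=no
ike 0:VPN-v2:29: authentication succeeded
ike 0:VPN-v2:29: mode-cfg received APPLICATION_VERSION 'FCT8003196423459'
ike 0:VPN-v2:29: IPv4 address requested, using DHCP
ike 0:VPN-v2:29: sending DHCP request
ike 0:39 response IP '10.220.0.128/255.255.255.0'
ike 0:VPN-v2:29: DHCP assigned address 10.220.0.128/255.255.255.0
ike 0:VPN-v2:29: DNS 10.220.0.107
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"  # non-capturing, safe to embed in named groups

PATTERNS = [
    re.compile(r"SA proposal chosen, matched gateway (?P<gateway>\S+)"),
    re.compile(r"created connection: \S+ \d+ (?P<local_gw>" + IPV4 + ")->(?P<peer>" + IPV4 + r"):\d+"),
    re.compile(r'EAP succeeded for user "(?P<user>[^"]+)" group "(?P<group>[^"]+)" 2FA=(?P<two_factor>\w+)'),
    re.compile(r"IPv4 address requested, using (?P<source>\w+)"),
    re.compile(r"DHCP assigned address (?P<assigned_ip>" + IPV4 + ")/(?P<netmask>" + IPV4 + ")"),
    re.compile(r": DNS (?P<dns>" + IPV4 + ")$"),
]


def summarize(debug_text: str) -> dict:
    """Collect the named fields from the debug lines of one client session.

    The first occurrence of each field wins, so a capture containing one
    client's connection yields one summary.
    """
    out = {}
    for line in debug_text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                for field, value in m.groupdict().items():
                    out.setdefault(field, value)
    return out


def check_dhcp_path(summary: dict) -> list:
    """Findings a practitioner would act on; an empty list means the
    address came from the DHCP proxy as configured in this article."""
    findings = []
    if summary.get("source") != "DHCP":
        findings.append("address not requested via DHCP: check "
                        "'set assign-ip-from dhcp' on the phase1-interface")
    if "assigned_ip" not in summary:
        findings.append("no 'DHCP assigned address' line: check 'set dhcp-proxy "
                        "enable' and that dhcp-server-ip is reachable from the FortiGate")
    if summary.get("two_factor") == "no":
        findings.append(f"EAP succeeded without a second factor for user {summary.get('user')}")
    return findings


if __name__ == "__main__":
    s = summarize(SAMPLE_DEBUG)
    print(s)
    print(check_dhcp_path(s) or "DHCP-proxy path OK")
```

Feed it the full debug output of one client connection; a tunnel that stops at 'IPv4 address requested, using DHCP' without a 'DHCP assigned address' line is the usual symptom of a DHCP proxy that is disabled or cannot reach the configured dhcp-server-ip.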

In IKEv1, the DHCP exchange is sourced by the client and relayed by the FortiGate through a configured DHCP relay interface. Reference:
 
IPsec VPN with external DHCP service.

In IKEv2, the DHCP exchange is sourced by the FortiGate itself and answered to the FortiGate only; the FortiGate then pushes the assigned address to the client through mode config.
Because the FortiGate is the DHCP client for every tunnel, every request carries the same source MAC address, so the FortiGate sets DHCP option 61 (Client Identifier) to the exact username of the authenticated user to tell the leases apart.
 
This implies that the DHCP server can only assign a specific IP address per username (for example with a reservation keyed on the client identifier), not per device.
If the same username connects from two different devices, expect both to receive the same IP address, because the client identifier is identical, which results in an address conflict between the two tunnels.
The client identifier is only visible in a packet capture (hexdump) of the DHCP discover sent by the FortiGate:
 
Option: (61) Client identifier
    Length: 7
 
The Client Identifier appears in the DHCP discover and lets the DHCP server track its clients and leases.
In this capture, the identifier is the username 'vpnuser1'.
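To make the option 61 behaviour concrete, the following added example (not from this article and not FortiOS code) builds a DHCP discover the way the article describes the DHCP-proxy FortiGate sending it, with one fixed source MAC and the username in option 61, parses it back, and shows how a DHCP server keys its leases on it. It also goes one step beyond the article: it shows why option 61 is needed at all, by simulating a server that ignores the client identifier and keys on the MAC address only. The proxy MAC address is a constructed value, and the exact encoding of the identifier (raw username bytes, no type octet) is this example's assumption, not something the article states.

```python
"""Added example (not from the Fortinet article): DHCP discover with option 61
set to the IKEv2 username, as the article describes the DHCP-proxy FortiGate
sending it, plus a toy lease table to show how the server keys leases on it.

Assumptions not stated by the article: PROXY_MAC is a constructed stand-in
for the FortiGate's port MAC, and the client identifier is the raw username
bytes with no leading type octet.
"""
import struct
from ipaddress import IPv4Network

PROXY_MAC = bytes.fromhex("00090f000001")  # constructed; same for every tunnel
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 53, 61, 255
DHCPDISCOVER = 1
OPTIONS_OFFSET = 236  # end of the fixed BOOTP header (RFC 2131)


def build_discover(username: str, xid: int = 0x3903F326) -> bytes:
    """Minimal DHCPDISCOVER: BOOTP header carrying the proxy MAC, then options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0,                   # BOOTREQUEST, Ethernet, hlen 6, hops 0
                         xid, 0, 0x8000,               # xid, secs, broadcast flag
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr..giaddr
                         PROXY_MAC.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    cid = username.encode()                            # assumption: raw username bytes
    options = (MAGIC_COOKIE
               + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
               + bytes([OPT_CLIENT_ID, len(cid)]) + cid
               + bytes([OPT_END]))
    return header + options


def parse_discover(pkt: bytes) -> dict:
    """Return chaddr and the TLV options (RFC 2132) as {code: value}."""
    hlen = pkt[2]
    chaddr = pkt[28:28 + hlen]
    data = pkt[OPTIONS_OFFSET:]
    if data[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i, opts = 4, {}
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                               # pad option, no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"chaddr": chaddr, "options": opts}


class LeasePool:
    """Toy DHCP server handing out one lease per key.

    RFC 2131 servers key on option 61 when present and fall back to chaddr;
    key_on='chaddr' simulates a server that ignores the client identifier.
    """

    def __init__(self, network: str, key_on: str = "client_id"):
        self.hosts = list(IPv4Network(network).hosts())
        self.key_on = key_on
        self.leases = {}

    def offer(self, discover: bytes) -> str:
        parsed = parse_discover(discover)
        if self.key_on == "chaddr":
            key = parsed["chaddr"]
        else:
            key = parsed["options"].get(OPT_CLIENT_ID, parsed["chaddr"])
        if key not in self.leases:
            if len(self.leases) == len(self.hosts):
                raise RuntimeError("pool exhausted")
            self.leases[key] = str(self.hosts[len(self.leases)])
        return self.leases[key]


def demo(key_on: str = "client_id") -> tuple:
    """Same user dialing in from two devices, then a second user."""
    pool = LeasePool("10.220.0.0/24", key_on)
    laptop = pool.offer(build_discover("vpnuser1"))
    phone = pool.offer(build_discover("vpnuser1"))   # same account, second device
    other = pool.offer(build_discover("vpnuser2"))
    return laptop, phone, other


if __name__ == "__main__":
    print("option 61 hex:", parse_discover(build_discover("vpnuser1"))["options"][OPT_CLIENT_ID].hex())
    print("server keys on client id:", demo())
    print("server keys on MAC only:", demo("chaddr"))
```

With the server keying on the client identifier, the two devices of 'vpnuser1' share one lease and 'vpnuser2' gets a second one, which is the behaviour described above; a server that keys on the MAC address alone would hand every dial-up client the same address, since all discovers come from the FortiGate.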

 

Related Articles:

Technical Tip: Configuring DHCP relay over IPSec VPN with overlapping subnets.