Aug 16 2010
Fortigate Dialup VPN Client Do Not Get DHCP Lease
We use Fortinet VPN client Forticlient to connect to our Fortigate firewall with IPSEC encryption. We’d like to give clients a DHCP address so we do not have anything to manage other than user authentication.
Dialup VPN client do not seem to get an IP address although a DHCP pool is created and “DHCP-IPsec” is checked in the phase-2 VPN settings. An IPSEC ESP error is also raised in the Fortigate’s event log.
Setting a static IP address does connect the client.
The firewall receives DHCP requests but offers are not sent back into the IPSEC tunnel. To solve this, an additional firewall rule needs to be added to encrypt the DHCP traffic – DHCP only – from the inside to the outside interface.
Leave the source and destination addresses to “any” as this is a layer 2 issue. The client hasn’t been delivered an IP address yet! Set service to DHCP, action to IPSEC, and select appropriate VPN tunnel.
The screenshot was taken on a Fortiwifi but the configuration is the same on any Fortigate. IPSEC clients should now get a dynamic IP address though DHCP.
I absolutely love your blog and find most of your
post’s to be what precisely I’m looking for. Does one offer guest writers to write content in your case? I wouldn’t mind producing a post or elaborating on a few of the subjects you write in relation to here. Again, awesome blog!
I was struggling with the same problem today. Luckily I found your post – it really helped a lot!