Aug 16 2010

Fortigate Dialup VPN Clients Do Not Get a DHCP Lease

Published at 9:39 am under Fortinet

We use the Fortinet VPN client, FortiClient, to connect to our Fortigate firewall over IPsec. We would like to hand clients a DHCP address so that user authentication is the only thing left to manage.

Dialup VPN clients do not get an IP address even though a DHCP pool exists and “DHCP-IPsec” is checked in the phase 2 VPN settings, and an IPsec ESP error is raised in the Fortigate’s event log.
Giving the client a static IP address instead lets it connect, so the tunnel itself is fine and the problem is the DHCP exchange inside it.
The firewall receives the client’s DHCP requests, but the DHCP offers are never sent back into the IPsec tunnel. To fix this, an additional firewall policy is needed that encrypts DHCP traffic, and only DHCP traffic, from the inside interface to the outside interface.
Leave the source and destination addresses set to “any”. The client has no IP address yet: its DHCPDISCOVER is sent from 0.0.0.0 to the broadcast address 255.255.255.255, so a policy restricted to the LAN subnet or the VPN address pool would never match it. Set the service to DHCP, the action to IPSEC, and select the appropriate VPN tunnel. Keep the existing policy for the clients’ normal traffic; the new one carries nothing but the DHCP exchange.
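The same setup written out as FortiOS CLI, as an added example rather than the post’s own configuration or screenshot. The interface names (internal, wan1), the tunnel names (dialup_p1, dialup_p2), the address objects (internal_lan, vpn_dhcp_pool) and the policy IDs are assumptions; the DHCP pool is assumed to exist already, as in the post; and the lines starting with # are explanation for the reader, not something to paste into the CLI.

```text
# Phase 2 of the dialup tunnel: ask FortiClient to obtain its address
# over DHCP inside the tunnel (the "DHCP-IPsec" checkbox in the GUI).
config vpn ipsec phase2
    edit "dialup_p2"
        set phase1name "dialup_p1"
        set dhcp-ipsec enable
    next
end

config firewall policy
    # Existing policy-based VPN rule for the clients' normal traffic.
    # It is scoped to the LAN and the VPN address pool, which is exactly
    # why it can never match a DHCPDISCOVER from 0.0.0.0 to 255.255.255.255.
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "internal_lan"
        set dstaddr "vpn_dhcp_pool"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set inbound enable
        set outbound enable
        set vpntunnel "dialup_p1"
    next
    # Added rule: DHCP only, addresses left at "all" because the client has
    # no address yet. With this in place the DHCPOFFER/DHCPACK are encrypted
    # and sent back down the tunnel instead of being dropped.
    edit 11
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "DHCP"
        set inbound enable
        set outbound enable
        set vpntunnel "dialup_p1"
    next
    # Policies are matched top-down; put the DHCP rule first so the exchange
    # is never shadowed by a broader rule added later.
    move 11 before 10
end

# Check: with a client connecting, the DISCOVER/REQUEST should be followed
# by an OFFER/ACK rather than a one-sided conversation.
diagnose sniffer packet any 'udp and (port 67 or port 68)' 4
```

If the sniffer still shows only client-side DHCP packets after the rule is added, confirm that the new policy is above the tunnel’s main policy and that its service really is the DHCP object (UDP 67 and 68) and not a custom one.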

The screenshot was taken on a Fortiwifi, but the configuration is the same on any Fortigate. IPsec clients should now get a dynamic IP address through DHCP.

[Screenshot: Fortigate DHCP IPSEC firewall rule]


2 Responses to “Fortigate Dialup VPN Clients Do Not Get a DHCP Lease”

  1. info on tf2 hacks on 05 Jul 2012 at 9:24 pm

    I absolutely love your blog and find most of your posts to be precisely what I’m looking for. Does one offer guest writers to write content in your case? I wouldn’t mind producing a post or elaborating on a few of the subjects you write about here. Again, awesome blog!

  2. Pete on 13 Mar 2013 at 1:18 pm

    I was struggling with the same problem today. Luckily I found your post – it really helped a lot!
