Introduction
This configuration demonstrates how to connect a Forticlient to a Fortigate using the
DHCP-over-IPSec feature.
Prerequisites
Components Used
- Forticlient V1.0-build207
- Fortigate V2.8-build132
- Linux Redhat 9.0 (server)
Configure
Network Diagram

Configuration Steps
FortiGate:
1. Add a phase 1 configuration to define the parameters used to authenticate the remote VPN peer.
2. Add the phase 2 configuration to define the parameters used to create and maintain the AutoKey VPN tunnel.
3. Select Advanced and select DHCP-IPsec to support DHCP over IPSec.
4. Add the firewall configuration required for the VPN.
5. Configure the external interface for DHCP relay.

Forticlient
1. Go to VPN > Connections.
2. Select Add to add a new connection, or select Edit to edit an existing connection.
3. Select Advanced.
4. In the Advanced Settings dialog box, select Acquire virtual IP address.
5. Select Config.
6. Select Dynamic Host Configuration Protocol (DHCP) over IPSec. (The default is DHCP)
7. Select OK.
DHCP server
(1) install Linux Redhat 9.0
(2) download DHCP server software from www.isc.org/sw/dhcp and install it on Linux
(3) run dhcpd -d to have DHCP server work and get detailed DHCP events
Verify
- Click the Test button of Forticlient to verify whether DHCP-over-IPSec can run normally.
The DHCP server shows the following messages if successful:
DHCPDISCOVER from 00:0e:a6:2c:84:9e (qa-d) via 192.168.1.99
DHCPOFFER on 192.168.1.80 to 00:0e:a6:2c:84:9e (qa-d) via 192.168.1.99
DHCPREQUEST for 192.168.1.80 (192.168.1.222) from 00:0e:a6:2c:84:9e (qa-d) via 192.168.1.99
DHCPACK on 192.168.1.80 to 00:0e:a6:2c:84:9e (qa-d) via 192.168.1.99
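
The check above can be automated over captured dhcpd -d output. The following is an added example, not part of the original note or of any Fortinet or ISC tooling: it tracks each client's DISCOVER/OFFER/REQUEST/ACK exchange for messages arriving via the relay address shown in the sample output (192.168.1.99) and reports clients that never reach DHCPACK. The function names and the last two sample lines are constructed for illustration.

```python
import re

# One regex for the four dhcpd log messages that make up a lease handshake.
LINE_RE = re.compile(
    r"(?P<msg>DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK)\s+"
    r"(?:(?:on|for)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?:\([^)]*\)\s+)?)?"
    r"(?:from|to)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?:\s+\([^)]*\))?\s+via\s+(?P<via>\S+)",
    re.IGNORECASE,
)

def handshake_status(lines, relay):
    """Map each client MAC seen via `relay` to (last valid message, leased IP)."""
    state = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("via") != relay:
            continue  # not a handshake line, or not relayed via the expected address
        mac, msg = m.group("mac").lower(), m.group("msg").upper()
        last = state.get(mac, (None, None))[0]
        if msg == "DHCPDISCOVER":
            state[mac] = (msg, None)            # a new DISCOVER restarts the exchange
        elif msg == "DHCPOFFER" and last == "DHCPDISCOVER":
            state[mac] = (msg, None)
        elif msg == "DHCPREQUEST":
            state[mac] = (msg, None)            # may appear alone on a lease renewal
        elif msg == "DHCPACK" and last == "DHCPREQUEST":
            state[mac] = (msg, m.group("ip"))   # lease granted
    return state

def stalled(state):
    """Clients whose exchange stopped before DHCPACK, with the last message seen."""
    return {mac: last for mac, (last, _) in state.items() if last != "DHCPACK"}

# First four lines: the note's sample output. Last two: constructed for this example.
SAMPLE = """\
DHCPDISCOVER from 00:0e:a6:2c:84:9e (qa-d) via 192.168.1.99
DHCPOFFER on 192.168.1.80 to 00:0e:a6:2c:84:9e (qa-d) via 192.168.1.99
DHCPREQUEST for 192.168.1.80 (192.168.1.222) from 00:0e:a6:2c:84:9e (qa-d) via 192.168.1.99
DHCPACK on 192.168.1.80 to 00:0e:a6:2c:84:9e (qa-d) via 192.168.1.99
DHCPDISCOVER from 00:00:5e:00:53:01 via 192.168.1.99
DHCPDISCOVER from 00:00:5e:00:53:02 via eth0
""".splitlines()

if __name__ == "__main__":
    status = handshake_status(SAMPLE, relay="192.168.1.99")
    for mac, (last, ip) in status.items():
        print(mac, "leased " + ip if ip else "stalled after " + last)
```

A client that stops at DHCPDISCOVER reached the DHCP server but received no offer; a client that never appears in the output did not reach the server at all.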
Troubleshoot
Run diagnose debug application IKE 2 on Fortigate to detect problems
Related Information
FortiGate Administration Guide (v2.80) (available on info.fortinet.com)
Forticlient User Guide
RFC 3456, Dynamic Host Configuration Protocol (DHCPv4) Configuration of IPsec Tunnel
Mode.