This article will guide you through the process of enabling DHCP relay over IPsec using a Fortigate firewall, ensuring that clients on remote networks can receive IP addresses.
Table of contents
Before you begin, ensure you have the following prerequisites in place:
Access to Cloudi-Fi Admin Console: You must have access to the Cloudi-Fi admin console to obtain DHCP and IPsec-related information.
Create Cloudi-Fi Locations and Subnets: Within the Cloudi-Fi admin console, create the necessary locations and subnets that correspond to your network setup.
Understanding of Your Network, Subnets, and Firewall Configuration: Clearly understand your network topology, subnets, and your FortiGate firewall's configuration.
- FortiGate Firewall: Access to your FortiGate dashboard.
Step 1: Get DHCP and IPsec Info from Cloudi-DHCP Admin Console
- Log in to your Cloudi-Fi dashboard
Navigate to Networks > DHCP
- Select your desired location, which should correspond to the network where you want to enable DHCP relay over IPsec.
- IPsec tunnel information
- FQDN, IPv4 or user FQDN
- Pre-shared key
Under Cloudi-Fi, find and note down the following information:
- Service Subnet
- DHCP Relay IP
Additionally, locate the IPsec endpoint within Cloudi-Fi:
- Under IPsec servers, identify the IPsec endpoint that corresponds to your FortiGate firewall.
Step 2: IPsec tunnel configuration
- Log in to your FortiGate firewall
- Navigate to VPN > IPsec Tunnels
- Create a new IPsec Tunnel with
- Name: Give it a name
- Template type: Custom
- Network Configuration
- Remote Gateway: Static IP Address
- IP address: Terminator 1 or Terminator 2
- Interface: Your WAN Interface
- NAT Traversal: Enable
- Method: Pre-shared Key
- Pre-shared Key: Your Pre-shared key (identical to the one configured on the Cloudi-Fi side)
- IKE version: 2
- Phase 1 Proposal: Recommended settings
- Phase 2 Selectors
- Local Address: addr_subnet - 0.0.0.0/0
- Remote Address: addr_subnet - Your Service subnet (in this example 172.24.46.64/28)
- Encryption & Authentication
Step 3: Static Routes
- Navigate to Network > Static Routes
- Create a new one
- Destination: Your Service subnet (in this example 172.24.46.64/28)
- Interface: IPsec tunnel you’ve created in the previous step
Step 4: Create or update your SSID or VLAN
- Navigate to your SSID or VLAN configuration
- Under the Address section, set your IP Address, which will be the default gateway for your SSID or VLAN
- Enable the DHCP Server and configure it as follows
- Mode: Relay
- Type: IPsec
- DHCP Server IP: One of the Service Addresses
Step 5: Firewall Policy
- Navigate to Policy & Objects > Firewall Policy
- Add a new IPv4 Policy and configure it as follows
- Incoming Interface: Your SSID or VLAN
- Outgoing Interface: Your IPsec tunnel
- Source: Your Subnet
- Destination: All
- Service: DHCP
- Action: ACCEPT
By following the steps outlined in this guide and using the information obtained from the Cloudi-Fi admin console, you can make sure that DHCP requests from remote networks are correctly relayed to the DHCP server, allowing clients to receive IP addresses and network configurations seamlessly.
If you encounter issues with DHCP relay over IPsec, consider the following troubleshooting steps:
- Double-check the configuration settings, including interface selection, DHCP server IP address, and source IP address.
- Verify that the IPsec tunnel is operational and correctly configured.
- Ensure that firewall policies and routing rules allow traffic between the source and destination networks.
- Check the DHCP server logs for any incoming requests or issues on the server side.