IP address assignment
Usually you will want to assign IP addresses to clients. The simplest method is to assign addresses from a specific range, similar to a DHCP server.
If your clients are authenticated by a RADIUS server, you can obtain the user’s IP address assignment from the Framed-IP-Address attribute. The user must be authenticated using XAuth.
IKE Mode Config can also use a remote DHCP server to assign the client IP addresses. Up to eight DHCP server addresses can be selected for either IPv4 or IPv6. After the DHCP proxy has been configured, set assign-ip-from to dhcp to assign IP addresses via DHCP.
To assign IP addresses from an address range - CLI
If your VPN uses IPv4 addresses:
config vpn ipsec phase1-interface
edit vpn1
set mode-cfg-ipversion 4
set assign-ip enable
set assign-ip-type ip
set assign-ip-from range
set ipv4-start-ip <range_start>
set ipv4-end-ip <range_end>
set ipv4-netmask <netmask>
end
If your VPN uses IPv6 addresses:
config vpn ipsec phase1-interface
edit vpn1
set mode-cfg-ipversion 6
set assign-ip enable
set assign-ip-type ip
set assign-ip-from range
set ipv6-start-ip <range_start>
set ipv6-end-ip <range_end>
end
To assign IP addresses from a RADIUS server - CLI
The users must be authenticated by a RADIUS server and assigned to the FortiGate user group <grpname>. Since the IP address will not be static, type is set to dynamic, and mode-cfg is enabled. Enabling mode-cfg turns on the IKE Configuration Method, which lets compatible clients configure themselves with settings that the FortiGate unit provides.
config vpn ipsec phase1-interface
edit vpn1
set type dynamic
set mode-cfg enable
set assign-ip enable
set assign-ip-from usrgrp
set xauthtype auto
set authusrgrp <grpname>
end
To assign IP addresses from DHCP - CLI
The DHCP proxy must first be enabled for IKE Mode Config to use DHCP to assign the VPN client IP addresses. Up to eight DHCP server addresses can be configured.
config system settings
set dhcp-proxy enable
set dhcp-server-ip <ipv4_address>
set dhcp6-server-ip <ipv6_address>
end
 
config vpn ipsec phase1-interface
edit vpn1
set mode-cfg enable
set assign-ip-from dhcp
next
end
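Each of the three assignment methods above depends on settings outside the assign-ip-from line itself. The following Python script is an added example, not part of the Fortinet documentation; it lints a saved CLI configuration for those prerequisites. The function names, the sample group name and addresses, and the defaults used when mode-cfg-ipversion or xauthtype is absent are assumptions.

```python
import ipaddress

def parse_blocks(text):
    """Map config path -> edit name ('' if none) -> {setting: value}; flat blocks only."""
    blocks, path, entry = {}, None, ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            path, entry = line[7:], ""
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
        elif line.startswith("set ") and path:
            key, _, value = line[4:].partition(" ")
            blocks.setdefault(path, {}).setdefault(entry, {})[key] = value.strip('"')
    return blocks

def lint_mode_cfg(text):
    """Return one finding per phase 1 that lacks what its assign-ip-from source needs."""
    blocks = parse_blocks(text)
    system = blocks.get("system settings", {}).get("", {})
    findings = []
    for name, p1 in blocks.get("vpn ipsec phase1-interface", {}).items():
        source = p1.get("assign-ip-from")
        ver = p1.get("mode-cfg-ipversion", "4")  # assumption: IPv4 when unset
        if source == "range":
            try:
                lo, hi = (ipaddress.ip_address(p1[f"ipv{ver}-{e}-ip"]) for e in ("start", "end"))
                ok = lo.version == hi.version == int(ver) and lo <= hi
            except (KeyError, ValueError):
                ok = False
            if not ok:
                findings.append(f"{name}: missing or inverted IPv{ver} range")
        elif source == "usrgrp":
            # assumption: XAuth is off when xauthtype is unset
            if p1.get("xauthtype", "disable") == "disable" or "authusrgrp" not in p1:
                findings.append(f"{name}: usrgrp needs XAuth and authusrgrp")
        elif source == "dhcp":
            if system.get("dhcp-proxy") != "enable" or not (
                    system.keys() & {"dhcp-server-ip", "dhcp6-server-ip"}):
                findings.append(f"{name}: dhcp needs dhcp-proxy and a server IP")
    return findings

# Constructed sample: vpn1 has an inverted range, vpn2 is complete, vpn3 lacks the proxy.
SAMPLE = "\n".join([
    "config vpn ipsec phase1-interface",
    "edit vpn1", "set assign-ip-from range",
    "set ipv4-start-ip 10.10.10.50", "set ipv4-end-ip 10.10.10.20", "next",
    "edit vpn2", "set assign-ip-from usrgrp", "set xauthtype auto",
    "set authusrgrp vpnusers", "next", "edit vpn3", "set assign-ip-from dhcp", "end"])
if __name__ == "__main__":
    print(*lint_mode_cfg(SAMPLE), sep="\n")
```

The parser ignores nested config blocks, so it is suited to the flat phase 1 and system settings stanzas shown in this section.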