Friday, September 17, 2010

Fortigate Dialup VPN Client Gets no DHCP Lease

A FortiGate dialup IPsec VPN client does not receive an IP address, even though a DHCP pool has been created and “DHCP-IPsec” is enabled in the phase 2 VPN settings. An IPsec ESP error is also raised in the event log.
Assigning the client a static IP address instead makes the connection succeed.

To solve this, an additional firewall policy must be added that encrypts the DHCP traffic (DHCP only) from the inside interface to the outside interface. Leave the source and destination addresses set to “any”, as this is a layer 2 issue: the client has not been assigned an IP address yet, so the DHCP exchange cannot be matched on an IP address.
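As an added example (not part of the original post), the FortiOS CLI equivalent of the fix described above, assuming a FortiOS 4.x policy-based dialup tunnel; the phase 1/phase 2 names `dialup_p1`/`dialup_p2` and the interface names `internal`/`wan1` are placeholders to replace with your own.

```fortios
# Phase 2: hand out addresses to dialup clients over the tunnel (the
# "DHCP-IPsec" checkbox in the GUI). Assumed tunnel name: dialup_p2.
config vpn ipsec phase2
    edit "dialup_p2"
        set phase1name "dialup_p1"
        set dhcp-ipsec enable
    next
end

# The missing piece: an IPsec policy that carries DHCP, and only DHCP,
# from the inside interface to the outside interface through the tunnel.
# Source and destination stay "all" because the client has no IP address
# yet when it sends its DHCP request.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set vpntunnel "dialup_p1"
        set inbound enable
        set outbound enable
        set schedule "always"
        set service "DHCP"
    next
end
```

Keep this DHCP-only policy separate from the policy that carries the clients' regular traffic, so the broad “all”/“all” match applies to the DHCP service alone.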
