DNS resolution over IPsec/SSL VPN on Fortigate

Description
This article provides basic troubleshooting to follow when you are not able to access hostname over IPSec VPN tunnel or SSLVPN connection
Solution
 

If you are not able to access resources across VPN tunnel by hostname, check following steps:

(1)  Make sure to set DNS server properly when configuring SSL or IPsec VPN.  In this example a server .abcd.local which resolves to 10.1.2.3 will be used.

(2)  Make sure that you are able to ping using IP address, ping 10.1.2.3

(3)  Confirm whether you are able to ping using FQDN, ping server.abcd.local.

(4)  Check whether you are able to ping using hostname, ping server.  If you are not able to ping by hostname then we need to add suffix into SSL and IPsec VPN configuration

(5)  Configuring DNS suffix in SSL and IPsec VPN configuration.

For SSL VPN:

# config vpn ssl settings
(settings) # set dns-suffix abcd.local
(settings)# end

For IPsec VPN:

# config vpn ipsec phase1-interface
(phase1-interface) # edit <VPN TUNNEL>
(VPN TUNNEL) # set domain abcd.local 
(Dialup) # end

The set domain command will be available only when mode-cfg is enabled.
 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s