DNS resolution over IPsec/SSL VPN on Fortigate

Description
This article provides basic troubleshooting steps to follow when you are not able to access a resource by hostname over an IPsec VPN tunnel or an SSL VPN connection.
Solution
 

If you are not able to access resources across the VPN tunnel by hostname, work through the following steps:

(1)  Make sure the DNS server is set properly when configuring the SSL or IPsec VPN. In this example a host named server.abcd.local, which resolves to 10.1.2.3, will be used.

(2)  Make sure that you are able to ping the host by IP address: ping 10.1.2.3

(3)  Confirm whether you are able to ping using the FQDN: ping server.abcd.local

(4)  Check whether you are able to ping using the short hostname: ping server. If you are not able to ping by hostname, the DNS suffix needs to be added to the SSL and IPsec VPN configuration.

(5)  Configure the DNS suffix in the SSL and IPsec VPN configuration.

For SSL VPN:

# config vpn ssl settings
(settings) # set dns-suffix abcd.local
(settings) # end

For IPsec VPN:

# config vpn ipsec phase1-interface
(phase1-interface) # edit <VPN TUNNEL>
(VPN TUNNEL) # set domain abcd.local
(VPN TUNNEL) # end

The set domain command is available only when mode-cfg is enabled.
The set domain command also does not work if unity-support has been disabled on the tunnel.
Run "unset unity-support" or "set unity-support enable" on the VPN tunnel first, and the set domain command will then become available.
(Credits to Adam Blair for sharing this information with me 🙂 )
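As an added client-side companion to steps 2 to 5 above (example code, not from the article or from Fortinet): it parses the resolver configuration the VPN client writes after the tunnel pushes the DNS server and suffix, shows which names a glibc-style stub resolver will actually try for a short hostname, and maps the three ping results to the step to work on. The resolver file contents and the DNS server address 10.1.2.53 are constructed sample values.

```python
import re
from typing import List, Tuple

# Constructed sample of a client resolver config as a VPN client might write it
# after the Fortigate pushed the tunnel DNS server and the suffix abcd.local.
SAMPLE_RESOLV_CONF = """\
# written by the VPN client (constructed sample, not a real capture)
nameserver 10.1.2.53
search abcd.local
"""


def parse_resolv_conf(text: str) -> Tuple[List[str], List[str], int]:
    """Return (nameservers, search_domains, ndots) from resolv.conf-style text."""
    nameservers, search, ndots = [], [], 1
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, *vals = line.split()
        if key == "nameserver":
            nameservers.extend(vals)
        elif key in ("search", "domain"):
            search = vals                        # last search/domain line wins
        elif key == "options":
            for opt in vals:
                m = re.fullmatch(r"ndots:(\d+)", opt)
                if m:
                    ndots = int(m.group(1))
    return nameservers, search, ndots


def candidate_names(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """Names a glibc-style stub resolver tries, in order, for what the user typed."""
    if name.endswith("."):
        return [name.rstrip(".")]                # absolute name: no suffix appended
    expanded = [f"{name}.{d}" for d in search]
    if name.count(".") >= ndots:
        return [name] + expanded                 # enough dots: try as typed first
    return expanded + [name]                     # short name: suffix list first


def diagnose(ip_ok: bool, fqdn_ok: bool, short_ok: bool) -> str:
    """Map the ping results of steps 2, 3 and 4 to the step that needs attention."""
    if not ip_ok:
        return "step 2: tunnel or routing problem, DNS is not the issue yet"
    if not fqdn_ok:
        return "step 1: tunnel DNS server not set or not reachable"
    if not short_ok:
        return "step 5: DNS suffix missing, add dns-suffix / set domain"
    return "ok: name resolution over the tunnel works"
```

Point parse_resolv_conf at the real /etc/resolv.conf (or the equivalent pushed resolver settings) to confirm the suffix from the tunnel configuration actually reached the client.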