Technical Tip: Adding multiple DNS suffixes to SSL VPN tunnel and IPsec dial-up VPN tunnel configuration
Description
This article describes commands that can be used to add multiple DNS suffixes/domains to resolve host names when connected to an SSL VPN/IPsec dial-up VPN tunnel.
Scope
FortiGate.
Solution
This configuration option is not available in the GUI; it can only be set from the CLI.
Run the following commands:
For SSL VPN:
config vpn ssl settings
    set dns-suffix domain1.com;domain2.com;domain3.com;domain4.com;domain5.com
end
Note that the dns-suffix value has a maximum length of 253 characters.
IKEv1 only supports assigning a single DNS suffix/domain. Therefore, multiple DNS suffixes cannot be configured for IKEv1; only the default domain below can be set.
For IPsec IKEv1 VPN:
config vpn ipsec phase1-interface
    edit <IKEV1 TUNNEL NAME>
        set type dynamic
        set mode-cfg enable
        set unity-support enable <----- This needs to be enabled to use the 'set domain' command.
        set dns-mode manual
        set ipv4-dns-server1 10.1.2.3
        set domain abcd.local <----- This sets the default DNS domain for VPN clients.
    next
end
IKEv2 supports assigning multiple DNS suffixes/domains; they must be separated by a space.
For IPsec IKEv2 VPN:
config vpn ipsec phase1-interface
    edit <tunnel name>
        unset internal-domain-list <-----
        set dns-suffix-search example1.com example2.com example3.com
    next
end
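The two value formats above (semicolon-separated for SSL VPN, space-separated for IKEv2) and the 253-character limit are easy to get wrong when the suffix list is long or comes from another system. The following helper, an added example that is not part of this article or of any Fortinet tool, builds and validates both forms and can also check a 'set dns-suffix' line taken from an existing configuration backup. It only produces CLI text; the command names are taken from the article, the tunnel-name character check is an assumption, and the domain names used are constructed samples.

```python
import re

# The 253-character limit the article states for the SSL VPN dns-suffix value.
MAX_DNS_SUFFIX_LEN = 253

# One DNS label: 1-63 letters/digits/hyphens, not starting or ending with a hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_domain(name: str) -> bool:
    """Shape check for a search suffix: at least two labels, each a valid DNS label."""
    if not name or len(name) > MAX_DNS_SUFFIX_LEN:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL_RE.match(label) for label in labels)


def normalize_domains(domains):
    """Trim, drop trailing dots, lower-case, reject invalid names and remove duplicates (order kept)."""
    result = []
    for raw in domains:
        name = raw.strip().rstrip(".").lower()
        if not name:
            continue
        if not is_valid_domain(name):
            raise ValueError(f"invalid DNS suffix: {raw!r}")
        if name not in result:
            result.append(name)
    if not result:
        raise ValueError("no DNS suffixes given")
    return result


def ssl_vpn_dns_suffix_value(domains) -> str:
    """Semicolon-separated value for 'set dns-suffix', checked against the 253-character limit."""
    value = ";".join(normalize_domains(domains))
    if len(value) > MAX_DNS_SUFFIX_LEN:
        raise ValueError(
            f"dns-suffix value is {len(value)} characters; the limit is {MAX_DNS_SUFFIX_LEN}"
        )
    return value


def ssl_vpn_cli(domains):
    """CLI lines for the SSL VPN setting shown in the article."""
    return ["config vpn ssl settings",
            f"    set dns-suffix {ssl_vpn_dns_suffix_value(domains)}",
            "end"]


def ikev2_cli(tunnel_name, domains):
    """CLI lines for an IKEv2 dial-up phase1-interface; suffixes are space-separated."""
    # Assumption: a conservative character set for the tunnel name, so the generated
    # 'edit' line cannot contain spaces or quoting that would change its meaning.
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", tunnel_name):
        raise ValueError(f"unexpected characters in tunnel name {tunnel_name!r}")
    value = " ".join(normalize_domains(domains))
    return ["config vpn ipsec phase1-interface",
            f"    edit {tunnel_name}",
            "        unset internal-domain-list",
            f"        set dns-suffix-search {value}",
            "    next",
            "end"]


def parse_dns_suffix_line(line: str):
    """Read an existing 'set dns-suffix ...' line (e.g. from a config backup) and return
    its suffix list, raising if any entry is malformed or the value is over the limit."""
    m = re.match(r"\s*set dns-suffix\s+(\S+)\s*$", line)
    if not m:
        raise ValueError("not a 'set dns-suffix' line")
    value = m.group(1)
    if len(value) > MAX_DNS_SUFFIX_LEN:
        raise ValueError(f"value is {len(value)} characters; the limit is {MAX_DNS_SUFFIX_LEN}")
    return normalize_domains(value.split(";"))


if __name__ == "__main__":
    # Constructed sample suffixes; paste the printed lines into the FortiGate CLI.
    sample = ["corp.example.com", "lab.example.net"]
    print("\n".join(ssl_vpn_cli(sample)))
    print("\n".join(ikev2_cli("DIALUP-IKEV2", sample)))
```

Because the SSL VPN value is one string, duplicates and trailing dots are removed before the length check, so the helper reports the real length the FortiGate will see; a list that exceeds 253 characters fails here rather than being silently truncated or rejected on the device.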
