Technical Tip: How to add secondary DNS server in dialup IPsec VPN setting
Description
This article describes how to configure a secondary (and optionally a tertiary) DNS server for dial-up IPsec VPN clients from the CLI, since the GUI exposes only a single DNS server field.
Scope
FortiGate.
Single DNS server configured while using the IPsec wizard.
DNS configuration in an existing IPsec tunnel.
Solution
Edit the VPN tunnel from the CLI:
config vpn ipsec phase1-interface
    edit <vpn name>
        set dns-mode manual
        set ipv4-dns-server1 3.3.3.3
        set ipv4-dns-server2 4.4.4.4
    next
end
The dial-up VPN client will get 3.3.3.3 as the primary and 4.4.4.4 as the secondary DNS server.
Note: The GUI only displays ONE DNS field.
- This field corresponds solely to the Primary DNS
- There is no graphical field for the Secondary DNS
- FortiGate supports up to three DNS servers, the third being configurable only via CLI:
set ipv4-dns-server3 <ip>
- The example above describes a full-tunnel dial-up VPN configuration.
If split tunneling is enabled and internal DNS servers are used, ensure that the configured DNS server IP addresses are included in the accessible (split-tunnel) networks. Otherwise, DNS resolution for internal resources will fail since traffic to the DNS servers will not be routed through the VPN.
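The split-tunnel caveat above is easy to miss in a large configuration, so the following is an added check (example code written for this article, not a Fortinet tool) that parses a constructed sample of FortiOS `show` output, resolves the address object named by `ipv4-split-include` (assumed here to be the phase1-interface parameter that carries the split-tunnel networks, either a firewall address or an address group) and reports any configured DNS server that falls outside those networks. The tunnel name, address object names and IP addresses in the sample are invented.

```python
"""Check that the DNS servers pushed to dial-up IPsec clients are reachable
through the split tunnel. Added example, not Fortinet code; the config text
below is constructed to mirror the CLI syntax used in this article."""
import ipaddress
import re

# Constructed sample of `show` output for a split-tunnel dial-up VPN.
# 10.10.1.53 sits inside the split networks, 8.8.8.8 does not.
SAMPLE_CONFIG = """
config firewall address
    edit "internal_lan"
        set subnet 10.10.0.0 255.255.0.0
    next
    edit "dmz_dns"
        set subnet 192.168.50.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "dialup_split"
        set member "internal_lan" "dmz_dns"
    next
end
config vpn ipsec phase1-interface
    edit "dialup"
        set type dynamic
        set mode-cfg enable
        set dns-mode manual
        set ipv4-dns-server1 10.10.1.53
        set ipv4-dns-server2 8.8.8.8
        set ipv4-split-include "dialup_split"
    next
end
"""


def parse_config(text):
    """Return {(section, entry name): {key: value}} for every `edit` block,
    keeping each `set` line as a raw key/value pair."""
    tables = {}
    section = None
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line.startswith("edit "):
            entry = tables.setdefault((section, line[len("edit "):].strip('"')), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            entry[key] = value
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return tables


def resolve_networks(tables, name):
    """Expand a firewall address or address-group name into ip_network objects."""
    addr = tables.get(("firewall address", name))
    if addr is not None and "subnet" in addr:
        ip, mask = addr["subnet"].split()
        return [ipaddress.ip_network(f"{ip}/{mask}", strict=False)]
    grp = tables.get(("firewall addrgrp", name))
    if grp is not None:
        nets = []
        for member in re.findall(r'"([^"]+)"', grp.get("member", "")):
            nets.extend(resolve_networks(tables, member))
        return nets
    raise KeyError(f"unknown address object {name!r}")


def check_dialup_dns(text, tunnel):
    """Return (dns_servers, unreachable) for the named phase1-interface.
    A full-tunnel configuration (no ipv4-split-include) never reports
    unreachable servers because all client traffic enters the VPN."""
    tables = parse_config(text)
    p1 = tables[("vpn ipsec phase1-interface", tunnel)]
    if p1.get("dns-mode") != "manual":
        return [], []  # DNS servers are not pushed by the tunnel
    keys = ("ipv4-dns-server1", "ipv4-dns-server2", "ipv4-dns-server3")
    servers = [p1[k] for k in keys if k in p1]
    split = p1.get("ipv4-split-include", "").strip('"')
    if not split:
        return servers, []
    nets = resolve_networks(tables, split)
    unreachable = [s for s in servers
                   if not any(ipaddress.ip_address(s) in n for n in nets)]
    return servers, unreachable


if __name__ == "__main__":
    servers, bad = check_dialup_dns(SAMPLE_CONFIG, "dialup")
    print("pushed DNS servers:", servers)
    for s in bad:
        print(f"WARNING: {s} is outside the split-tunnel networks; "
              "clients will not reach it through the VPN")
```

Run it against the output of `show firewall address`, `show firewall addrgrp` and `show vpn ipsec phase1-interface` concatenated into one file; any server listed as unreachable must be added to the split-include address object or replaced with an internal resolver.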
