Skip to main content
Datax_2502
Datax_2502
Explorer
January 19, 2022
Solved

Configure DNS-Server for specific Domain + IPsec Site2Site Tunnel over LTE-Connection

  • January 19, 2022
  • 1 reply
  • 5745 views

Hello friends,

 

I have the two following questions. Perhaps you can help me :-).

 

1. Is it possivle to configure a specific dns-server for a specific internal domain?

 

I need it to resolve internal FQDNs like abcde.internal-domain.com

by a dns-server I would like to speficy. The FortiGate-firewall should then pass the dns-requests

for this domain (for example abcde.internal-domain.com) to the dns-server which is resposible

for this domain.

 

For external FQDNs (for example www.google.de) the dns-servers under "Network" --> "DNS Servers" should be used (for example 8.8.8.8 or 1.1.1.1).

 

2. Is it possible to configure one side of an ipsec-site2site-tunnel (Fortigate-firewall on bith sides)

as "passive" and the other side as "active"? The goal is to establish an ipsec-tunnel where one side is connected to an lte-connection (mobile network) and the other side is connected to a dsl-connection (static ip address on wan-interface). The Fortigate-firewall on the lte-side should then be configured as the "active" side which initiates the tunnel an the Fortigate-firewall on the side with dsl-connection should be configured as "passive" (which "waits" for incoming connetion of the peer).

 

Can you help me with these questions? :)

Best answer by anikolov

Hello Datax_2502,

 

I would try to answer the questions with providing documentation:

 

1. Please check the following KB, master and slave fortigate for a domain:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-FortiGates-as-DNS-servers-in-Master/ta-p/190698

 

2. For this setup, you would need to configure IPSec tunnels with aggressive mode (for use of multiple tunnels on same interface, you need to specify a peer ID). The fortigate with static IP will be configured with option in phase 1 with “remote gateway: dialup user” (in your case the passive one), while the fortigate with dynamic IP should use “remote gateway: static IP address” (the "active" fortigate). Please check the documentation:

  • Fortigate as a dialup client:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/6896/fortigate-as-dialup-client

  • For multiple tunnels on one interface (ignore the part for forticlient as this is fortigate implementation):

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-Peer-IDs-to-select-an-IPSec-dialup/ta-p/192292?externalID=10114

  • Why you should use different peer IDs:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dynamic-IPsec-VPN-Responder-Dialup-Selection/ta-p/189931

 

Please let me know if the provided documentation helps.

 

Regards,

1 reply

anikolov
Staff
anikolovAnswer
Staff
February 20, 2022

Hello Datax_2502,

 

I would try to answer the questions with providing documentation:

 

1. Please check the following KB, master and slave fortigate for a domain:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-FortiGates-as-DNS-servers-in-Master/ta-p/190698

 

2. For this setup, you would need to configure IPSec tunnels with aggressive mode (for use of multiple tunnels on same interface, you need to specify a peer ID). The fortigate with static IP will be configured with option in phase 1 with “remote gateway: dialup user” (in your case the passive one), while the fortigate with dynamic IP should use “remote gateway: static IP address” (the "active" fortigate). Please check the documentation:

  • Fortigate as a dialup client:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/6896/fortigate-as-dialup-client

  • For multiple tunnels on one interface (ignore the part for forticlient as this is fortigate implementation):

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-Peer-IDs-to-select-an-IPSec-dialup/ta-p/192292?externalID=10114

  • Why you should use different peer IDs:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dynamic-IPsec-VPN-Responder-Dialup-Selection/ta-p/189931

 

Please let me know if the provided documentation helps.

 

Regards,

Datax_2502
Datax_2502Author
Explorer
March 19, 2022

Hi anikolov,

 

sorry for my late response.

 

Thanks a lot for your information. :)

 

But I still don't understand how to configure the dns-server on the FortiGate-firewall

to resolve external hosts with 8.8.8.8 and the hosts of my internal domain with the dns-server of my active directory.

 

Could you give an example for that? Or is there any website where I can look up how to configure this setup?

 

Best Regards

Datax

Terms & ConditionsAccessibility statement