Skip to main content
Giammo94
Giammo94
Explorer
May 21, 2025
Question

Forticlient Android - Fortigate Dial-up IPsec IKEv2 DNS suffix

  • May 21, 2025
  • 2 replies
  • 2065 views

Hello,

 

I configured an IPsec Ikev2 Dialup VPN on a Fortigate 2200E in 7.4.7. based on certificates.
The Android tablets run the latest version of Forticlient available and their OS is Android 14.
The customer wanted a full-tunnel, inside the HQ network there is a proxy for Internet access, while everything else must (or should) transit on the internal network avoiding the proxy server. The VPN has the mode-cfg enabled and the DNS are passed. Unfortunately in IKEv2 I cannot set the DNS suffix, but the customer would need it because otherwise every URL that searches in the tablet browser ends up on the search engine. How can I solve this situation?
On Android, the proxy is configured under the APN settings, unlike Windows which is done on the Browser.
Searching through Forums and KB I managed to trace that it is enough to change the IKE VPN from v2 to V1, is this really the only solution? I know there is an option under the phase1-interface "set internal-domain-list" but what's the point of using this in a full-tunnel environment? 

 

2 replies

AEK
SuperUser
AEK
SuperUser
May 21, 2025

Hi Giammo

I see your users are using hostname without FQDN.

Why don't use FQDN? In that case you don't need to set DNS suffix.

AEK
Giammo94
Giammo94Author
Explorer
May 25, 2025

Hi AEK,

i'm sorry for keep you waiting. There is no reason why they use the hostname instead of the FQDN, i guess it is just because they were browsing like that before.

Of course i know it can be solved using some bookmarks in the browser containing the FQDN, it's just a matter of user experience.

 

 

ede_pfau
SuperUser
ede_pfau
SuperUser
May 25, 2025

According to FTNT documentation, there is no DNS suffix support in IKE v2.

e.g. https://docs.fortinet.com/document/fortigate/7.4.7/administration-guide/707911/ipsec-dns-suffix 

 

But, as IKE v2 supports DHCP IP address assignment in addition to static IP ranges, you might be lucky with setting up DHCP option 15 (domain). I haven't had to configure this scenario yet for DHCP over IPsec so you might be the first to report back if it works:

https://docs.fortinet.com/document/fortigate/7.4.7/administration-guide/45773/dhcp-options 

 

    Giammo94
    Giammo94Author
    Explorer
    June 3, 2025

    In theory it's a great idea. As soon as the customer gives me permission to work on it, I'll let you know if it works.

    Thanks in advance

    Terms & ConditionsAccessibility statement