JvLeur
New Member
December 11, 2025
Question

IKEv2 MacOS split DNS


Hi,

When a non-FortiClient macOS user connects to IKEv2 IPsec they have issues with split tunnel DNS.
DNS queries are only using the tunnel when using dig and implicitly querying a specific DNS server.
This causes issues with other traffic.

dig quanza-eun-ufg71.q @172.28.8.53 ~
;; QUESTION SECTION:
;quanza-eun-ufg71.q. IN A

;; ANSWER SECTION:
quanza-eun-ufg71.q. 86401 IN A 172.28.8.139

;; SERVER: 172.28.8.53#53(172.28.8.53)

With IPSec tunnel

ping quanza-eun-ufg71.q
ping: cannot resolve quanza-eun-ufg71.q: Unknown host

dig quanza-eun-ufg71.q
;; QUESTION SECTION:
;quanza-eun-ufg71.q. IN A

;; SERVER: 172.20.10.1#53(172.20.10.1)

I have checked the debug of the IPSec tunnel initiation and do not see an obvious difference.
Both FortiClient and non-FortiClient connections acquire the DNS servers in the mode-cfg.

This issue does not occur with IKEv1.



funkylicious
SuperUser
December 11, 2025

hi,

When connecting to IPsec, you need to confirm that the DNS servers are installed/propagated into the local DNS file/server /etc/resolv.conf and overwrite the existing ones, or at least are appended to the existing ones?

If not, I would start from there and look in the system logs.

L.E. If you can, post a sanitized config of the IPsec VPN IKEv2 and I will try to replicate it in my lab and on my macOS machine.

"jack of all trades, master of none"
JvLeur (Author)
New Member
December 11, 2025

Hi,

Thank you for your quick response.
The resolv.conf contains both DNS servers with FortiClient but not with the native client.

I will check the logs.


FortiClient:

jeroenvl:log/ $ cat /etc/resolv.conf [13:04:08]
search q
nameserver 172.28.8.53
nameserver 172.28.9.53

Native:

jeroenvl:log/ $ cat /etc/resolv.conf [13:12:45]
nameserver 172.20.10.1

Regarding the configuration, it is quite plain but here it is (sanitized).


config vpn ipsec phase1-interface
    edit "QDIPS"
        set type dynamic
        set interface "VLAN709_OUTSIDE"
        set ike-version 2
        set keylife 28800
        set peertype one
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 172.28.8.53
        set ipv4-dns-server2 172.28.9.53
        set proposal aes256-sha512 aes256-sha384 aes256-sha256
        set dpd on-idle
        set comments "Quanza Engineers & NOC Dialup VPN"
        set dhgrp 20 19
        set eap enable
        set eap-identity send-request
        set authusrgrp "QUANZA_EMPLOYEES"
        set peerid "QDIPS"
        set ipv4-start-ip 172.28.12.1
        set ipv4-end-ip 172.28.12.127
        set ipv4-netmask 255.255.255.128
        set ipv4-split-include "QUANZA_ENGINEERS_ACCESSIBLE_LANS_VIA_IPSEC_VPN"
        set psksecret ENC <omitted>
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "QDIPS"
        set phase1name "QDIPS"
        set proposal aes256-sha512 aes256-sha384 aes256-sha256
        set dhgrp 20
        set keepalive enable
        set keylifeseconds 3600
    next
end

Please let me know if you need more information.

Best Regards,

Jeroen

funkylicious
SuperUser
December 11, 2025

I followed this guide, https://community.fortinet.com/t5/FortiGate/Technical-Tip-Apple-IOS-native-VPN-using-IKEv2-connection-for/ta-p/196052, and for me it works just fine (I added my custom DNS server manually, which is not in the guide).

I can see the DNS server in /etc/resolv.conf (just it alone when I connect, and the default after disconnect) and in System Settings in the VPN profile under DNS servers upon connection.

"jack of all trades, master of none"
kyle_koller
New Member
December 17, 2025

Did you get any further on this? I've had the exact same behavior as you are describing, where nslookups can be specifically directed to the DNS server but it won't use them by default even if it matches the domain. It also doesn't get added to the /etc/resolv.conf file, but it does get added to scutil --dns.

I'm not sure if this is the case for you, but I found out that if I use a browser to go to a page that only the local DNS server would be able to get me to, it does actually resolve correctly. I'm not sure if that is actually a problem or just a quirk of how Macs pick DNS servers for nslookup queries. It definitely doesn't behave as described by the other commenter, updating the /etc/resolv.conf file on connect and disconnect, so maybe there is still a problem.
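The scutil --dns check mentioned above, as an added example that is not from the thread: a small POSIX shell helper that parses scutil --dns output and reports which resolver the macOS system resolver would pick for a host name, run here against a constructed sample whose addresses and "q" domain are taken from this thread (on a Mac, feed in the real output with scutil --dns | resolver_for host).

```shell
# Added example, not from the thread: parse `scutil --dns` output and report
# which resolver the macOS system resolver (mDNSResponder) would use for a name.
# dig/nslookup/host read /etc/resolv.conf directly and ignore these per-domain
# "Supplemental" resolvers, so they do not show whether split DNS is in place.
# The sample below is constructed; addresses and the "q" domain come from the thread.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  nameserver[0] : 172.20.10.1
  if_index : 15 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : q
  nameserver[0] : 172.28.8.53
  nameserver[1] : 172.28.9.53
  if_index : 22 (ipsec0)
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 101200'

# resolver_for HOST  (reads scutil --dns output on stdin)
# Prints "<domain> <ns1,ns2,...>" for the longest matching supplemental
# resolver, or "default <ns>" when only the default resolver applies.
resolver_for() {
  awk -v host="$1" '
    /^resolver #/                { n++; dom[n] = ""; ns[n] = "" }
    /^ *domain *:/               { dom[n] = $3 }
    /^ *nameserver\[[0-9]+\] *:/ { ns[n] = ns[n] (ns[n] == "" ? "" : ",") $3 }
    END {
      best = 0; blen = -1
      for (i = 1; i <= n; i++) {
        d = dom[i]
        if (d == "") { if (best == 0) best = i; continue }   # default resolver
        # a resolver applies if host equals its domain or ends in ".<domain>"
        if (host == d || substr(host, length(host) - length(d)) == "." d) {
          if (length(d) > blen) { best = i; blen = length(d) }
        }
      }
      if (best == 0) { print "none"; exit 1 }
      if (blen < 0) print "default " ns[best]; else print dom[best] " " ns[best]
    }'
}
```

Because dig, nslookup and host bypass this configuration and read /etc/resolv.conf directly, they are not a reliable test of split DNS on macOS; programs that resolve through getaddrinfo go through the system resolver that scutil --dns describes.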

JvLeur (Author)
New Member
December 17, 2025

Unfortunately no, I haven't resolved it yet.


When I use FortiClient I can see the DNS servers in the Console log of macOS and they get added to /etc/resolv.conf.
When I use IKEv1 with the native client, I don't get the /etc/resolv.conf DNS servers but it does work.
When I use IKEv2 with the native client, I don't get the /etc/resolv.conf DNS servers and it doesn't work.

I don't have a use case where I need to use a browser. When I use ping or ssh in the terminal, it uses the local DNS server instead of the remote DNS server.

kyle_koller
New Member
December 17, 2025

Ohh, I misread; I've only tested with FortiClient so far, so our behavior isn't the same. Maybe I'll try the native VPN to see if that is the opposite for me as well.

hoslerj2
Visitor III
May 8, 2026

Man, I can't get this to work on macOS 26.2, native or FortiClient.

I can get connected to the FortiGate just fine, and even see it in my connected clients, but it turns into a full tunnel on FortiClient.

Anyone got any solutions?