vrajendran
Staff
Article Id 191850

Description

This article describes how to troubleshoot when a resource is not reachable by hostname over an IPsec VPN tunnel or SSL VPN connection.

Scope

FortiGate.

Solution

If resources are not accessible across a VPN tunnel by hostname, try the following steps:

  1. Make sure the DNS server is set up properly when configuring SSL or IPsec VPN. In this example, server.abcd.local, which resolves to 10.1.2.3, will be used.
  2. Make sure it is possible to ping the IP address 10.1.2.3.
  3. Confirm that it is possible to ping using the FQDN: ping server.abcd.local.
  4. Check whether it is possible to ping using only the short hostname (server), without the domain suffix.
  5. If it is not possible to ping via hostname, configure the DNS suffix in the SSL and IPsec VPN configuration as shown below.
  6. Disconnect from the VPN and reconnect to retrieve the new VPN client configuration.


Note: Making changes to VPN configuration can interrupt VPN connectivity.
Take a configuration backup and have administrative access to FortiGate that does not depend on VPN.

For SSL VPN:

config vpn ssl settings
    set dns-suffix abcd.local
    set dns-server1 10.1.2.3
end


For IPsec IKEv1 VPN:

See this related document: IPsec DNS suffix.

config vpn ipsec phase1-interface
    edit <IKEV1 TUNNEL NAME>
        set type dynamic
        set mode-cfg enable
        set unity-support enable  <----- This needs to be enabled to use the 'set domain' command.
        set dns-mode manual
        set ipv4-dns-server1 10.1.2.3
        set domain abcd.local     <----- This sets the default DNS domain for VPN clients.
    next
end


Note: IKEv1 is the default IKE version for tunnels created using the IPsec Tunnel Wizard in the GUI. The 'set domain' configuration is available only for IKEv1, and it requires 'set type dynamic', 'set mode-cfg enable' and 'set unity-support enable' to be configured.

For IPsec IKEv2 VPN:

In the current FortiOS versions (7.6.4 and 7.4.9), the use of search domains with IKEv2 is not supported.

Reference: IPsec DNS suffix.

It will be supported in future versions with the following commands:

config vpn ipsec phase1-interface
    edit <tunnel_name>
        set mode-cfg enable
        set ike-version 2
        set type dynamic
        set ipv4-dns-server1 <IPv4 DNS server>
        set ipv6-dns-server1 <IPv6 DNS server>
        set dns-suffix-search example.com        <----- This sets the default DNS domain for VPN clients.
    next
end
 
For VDOM-enabled FortiGate:

config vdom
    edit <vdom name>
        config vpn ipsec phase1-interface
            edit <tunnel_name>
                set mode-cfg enable
                set ike-version 2
                set type dynamic
                set ipv4-dns-server1 <IPv4 DNS server>
                set ipv6-dns-server1 <IPv6 DNS server>
                set dns-suffix-search example.com  <----- This sets the default DNS domain for VPN clients.
            next
        end
    next
end

IKEv2 supports assigning multiple DNS suffixes/domains, separated by spaces:

    set dns-suffix-search example1.com example2.com example3.com

Note: If 'internal-domain-list' was previously set under phase 1, the 'dns-suffix-search' command will not be available. Remove 'internal-domain-list' first, then specify 'dns-suffix-search':

config vpn ipsec phase1-interface
    edit <tunnel name>
        unset internal-domain-list
        set dns-suffix-search example1.com example2.com example3.com
    next
end

Troubleshooting:

If access is still not working, verify whether the DNS query is arriving from the client by running the sniffer (packet capture):

diagnose sniffer packet any "host <client private IP over SSLVPN/IPsec> and port 53" 4 200 l

If there is no DNS query from the client, verify that the domain is configured correctly. If the DNS query is not being replied to, verify whether FortiGate is allowing it by following Debugging the packet flow.

If the DNS query is replied to and a SYN is sent to the resolved address but receives no reply, verify whether NAT is required on the policy being used.
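The decision tree in this troubleshooting section, applied to sniffer output by a small Python script. This is an added example, not code from the original article: the capture lines are constructed to follow the verbosity-4 sniffer line format, the client address 10.212.134.200 and application port 443 are assumed, and the sniffer filter is assumed to be widened to include the application port so the SYN to the resolved host is visible.

```python
import re

# One verbosity-4 line of 'diagnose sniffer packet', with or without the
# absolute timestamp added by the trailing 'l' option. Header lines
# (interfaces=[...], filters=[...]) do not match and are skipped.
LINE_RE = re.compile(
    r"(?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)


def diagnose(capture, client_ip, dns_ip, resolved_ip):
    """Apply the article's decision tree to a capture and return (state, next_step).
    state is one of 'no-dns-query', 'dns-unanswered', 'syn-unanswered' or 'ok'.
    """
    dns_query = dns_reply = syn = syn_ack = False
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.group("src", "sport", "dst", "dport", "rest")
        # The sniffer prints a SYN as 'syn <seq>' and a SYN-ACK as 'syn <seq> ack <ack>'.
        has_ack = " ack " in rest
        if src == client_ip and dst == dns_ip and dport == "53":
            dns_query = True
        elif src == dns_ip and sport == "53" and dst == client_ip:
            dns_reply = True
        elif src == client_ip and dst == resolved_ip and rest.startswith("syn") and not has_ack:
            syn = True
        elif src == resolved_ip and dst == client_ip and rest.startswith("syn") and has_ack:
            syn_ack = True
    if not dns_query:
        return "no-dns-query", "client never asked: check dns-suffix / set domain on the tunnel"
    if not dns_reply:
        return "dns-unanswered", "query seen but no answer: check the policy with debug flow"
    if syn and not syn_ack:
        return "syn-unanswered", "name resolved but SYN unanswered: check whether NAT is needed on the policy"
    return "ok", "DNS answer and TCP handshake both seen"


# Constructed sample output (not a real capture); the filter is widened to
# include the application port so the SYN to the resolved host is visible.
HDR = "interfaces=[any]\nfilters=[host 10.212.134.200 and (port 53 or port 443)]\n"
Q = "2024-03-05 09:15:00.100000 ssl.root in 10.212.134.200.52114 -> 10.1.2.3.53: udp 40\n"
R = "2024-03-05 09:15:00.103500 ssl.root out 10.1.2.3.53 -> 10.212.134.200.52114: udp 56\n"
SYN = "2024-03-05 09:15:00.110000 ssl.root in 10.212.134.200.52115 -> 10.1.2.3.443: syn 1000\n"
SA = "2024-03-05 09:15:00.112000 ssl.root out 10.1.2.3.443 -> 10.212.134.200.52115: syn 2000 ack 1001\n"
CAPTURE_OK, CAPTURE_NO_QUERY = HDR + Q + R + SYN + SA, HDR
CAPTURE_NO_REPLY, CAPTURE_NO_SYNACK = HDR + Q, HDR + Q + R + SYN
```

Feed it the saved sniffer output as a string, with the client address, the DNS server and the address the name resolved to (here both 10.1.2.3, as in the article's example).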

Related article:

Technical Tip: How to set DNS suffix for VPN SSL and IPsec in the FortiGate configuration