Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
carabhavi
Staff
Staff

Created on ‎09-11-2019 05:43 AM Edited on ‎02-26-2026 06:12 AM By Community Manager

Article Id 198129

Technical Tip: Setting multiple DNS server for IPsec dial-up VPN

Description

 

This article describes the steps to configure multiple DNS servers for IPsec dial-up VPN.

 

Scope

 

FortiGate.

Solution

 

Note: Up to 3 IPv4 DNS servers and 3 IPv6 DNS servers for dial-up tunnel can be configured.

Note: If already having VPN Dialup configured, skip to item 5. 'Configuration in CLI'.

 

Initial configuration (if having not yet configured VPN Dialup)

  1. First go to the menu on the left and start the configuration by selecting: VPN --> IPsec Wizard.
  2. In step 1 of the wizard, 'VPN Setup'.
  • Specify the VPN Dialup name to identify the tunnel in the FortiGate.
  • Select the type of template 'Remote Access'.
  • Choose the device/connection type of the user's device to configure settings based on the most popular platforms

Client-based: Connection application (FortiClient or Cisco Client).
Native: Connection with the device natively (IOS, Android, Windows), without additional applications.

Capture.png

 

  1. In step 2 of the wizard, 'Authentication'.

    • Configure the parameters of the interface where it will be listening for remote connection, authentication method, pre-shared key, and group of users that will be allowed to connect to the VPN.

    Capture2.png

     

  2. In step 3 of the wizard, 'Policy & Routing'.

    Configure the parameters of:

    • The local interface and local subnet where Dialup users will connect.
    • The range of IP addresses that will be granted to Dialup users when they connect and the subnet mask of that IP range.
    • On the DNS server, select the 'Specify' option and establish the first DNS IP to use.
      The other 2 IPv4 DNS servers or the 3 IPv6 DNS servers, can be added via CLI once the wizard has been completed in the GUI and the configuration has been saved.

    Capture3.png

     

    • Continue with the next step, select user options in 'Client Options'.
    • Then, Complete the wizard to the next step, review the configuration summary, and select 'Create'.

  1. Configuration in the CLI

    Below is shown in the CLI, the configuration made through the GUI, and how to proceed to configure the other 2 IPv4 DNS servers.

    Note: By default, DNS mode will be set to auto. It is possible to change that to manual in the next steps.
     

    This is how the VPN configuration looked in the CLI after creating it in the GUI Wizard.

    Capture4.png

     

    • These are the options and the number of additional DNS servers that it is possible to add.

     Capture5.png

     

    • Next, set DNS mode to manual and add the additional IPs of DNS servers.

             The configuration can be reviewed with the 'show' or 'show full' command.

    Capture6.png

     

    • Proceed to save the configuration with the 'end' command.

      Capture7.PNG

     

Note: The preference of the DNS server in the user machine is based on which DNS server IP is configured first under phase1 configuration.

 

For example:

 

set ipv4-dns-server1 10.1.1.1  <----- 1st order.

set ipv4-dns-server2 8.8.8.8   <----- 2nd order.

 

In the example above, the DNS server 10.1.1.1 will be given first preference.

35736
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.