Description
This article describes the requirements for the FortiGate to intercept, process, and reply to DNS queries arriving over the SSL VPN tunnel.
Scope
Topology:
Windows FortiClient (IP: 10.10.10.100) - FortiGate (local DNS database).
Solution
In some cases, the SSL VPN works for communication with devices on the LAN/internal interface, but DNS queries sent to the FortiGate LAN IP go unanswered. It is often sufficient to add the SSL VPN tunnel interface as 'recursive' in the 'DNS Services on Interface' section; the FortiGate then answers queries originating from the SSL VPN interface and subnet without additional configuration.
If this solution does not suffice or more information is necessary, consult the rest of this article.
Configure the following in the CLI:
VPN configuration:
config vpn ssl settings
    set status enable
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set dns-server1 10.180.20.2
    set source-interface "wan2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "tunnel-access"
end
Local interface used for DNS:
config system interface
    edit "loopback_test"
        set vdom "root"
        set ip 10.180.20.2 255.255.255.255
        set allowaccess ping
        set type loopback
        set role lan
        set snmp-index 52
    next
end
Firewall policy to allow DNS traffic:
config firewall policy
    edit 4
        set name "DNS- policy"
        set srcintf "ssl.root"
        set dstintf "loopback_test"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "DNS"
        set nat enable
        set users "guest"
    next
end
Local DNS database configuration:
config system dns-database
    edit "Local-server"
        set domain "fortinet.com"
        set ttl 900
        set authoritative disable
        config dns-entry
            edit 1
                set hostname "first"
                set ip 172.16.1.1
            next
        end
    next
end
Enable the DNS service on both interfaces (the SSL VPN tunnel interface and the local loopback interface):
config system dns-server
    edit "loopback_test"
    next
    edit "ssl.root"
    next
end
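The five CLI blocks above are one procedure, and the easy way to lose DNS over the tunnel is to leave one of them out (most often the dns-server entry for ssl.root or the policy from ssl.root to the interface that owns dns-server1). The following is an added example, not Fortinet code: it parses a FortiOS-style CLI dump (a constructed, trimmed copy of the configuration shown on this page), checks that the four requirements the article sets out are present, and resolves a name against the local DNS database the way the nslookup test below exercises it. The function names and the check logic are this example's own assumptions, not a FortiOS API.

```python
"""Added example (not Fortinet code): parse a FortiOS-style CLI dump and
check the requirements this article lists for answering DNS over SSL VPN."""
import shlex

# Constructed sample: a trimmed copy of the configuration shown in the article.
SAMPLE_CONFIG = """
config vpn ssl settings
    set dns-server1 10.180.20.2
end
config system interface
    edit "loopback_test"
        set ip 10.180.20.2 255.255.255.255
        set type loopback
    next
end
config firewall policy
    edit 4
        set name "DNS- policy"
        set srcintf "ssl.root"
        set dstintf "loopback_test"
        set action accept
        set service "DNS"
    next
end
config system dns-database
    edit "Local-server"
        set domain "fortinet.com"
        config dns-entry
            edit 1
                set hostname "first"
                set ip 172.16.1.1
            next
        end
    next
end
config system dns-server
    edit "loopback_test"
    next
    edit "ssl.root"
    next
end
"""


def parse_fortios(text):
    """Nested dicts: 'config <path>' / 'edit <name>' keys hold sub-dicts,
    'set' keys hold the list of values with quotes removed."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        word, _, rest = line.partition(" ")
        if word in ("config", "edit"):
            name = rest.strip('"')
            stack.append(stack[-1].setdefault(f"{word} {name}", {}))
        elif word == "set":
            key, _, value = rest.partition(" ")
            stack[-1][key] = shlex.split(value)
        elif word in ("next", "end"):
            stack.pop()
    return root


def entries(section):
    """(name, dict) for every 'edit' block inside a config section."""
    return [(k[5:], v) for k, v in section.items() if k.startswith("edit ")]


def check_dns_over_sslvpn(cfg, tunnel_intf="ssl.root"):
    """List of findings; empty means every requirement from the article is met."""
    findings = []
    dns_ip = cfg.get("config vpn ssl settings", {}).get("dns-server1", [None])[0]
    if dns_ip is None:
        return ["vpn ssl settings: dns-server1 is not set, clients get no tunnel DNS"]
    # 1. The DNS server handed to clients must be an address the FortiGate owns.
    owner = next((n for n, i in entries(cfg.get("config system interface", {}))
                  if i.get("ip", [None])[0] == dns_ip), None)
    if owner is None:
        return [f"no local interface has IP {dns_ip}; the FortiGate cannot answer"]
    # 2. A policy from the tunnel interface to that interface must accept DNS.
    if not any(tunnel_intf in p.get("srcintf", []) and owner in p.get("dstintf", [])
               and p.get("action") == ["accept"] and "DNS" in p.get("service", [])
               for _, p in entries(cfg.get("config firewall policy", {}))):
        findings.append(f"no accept policy {tunnel_intf} -> {owner} for service DNS")
    # 3. The DNS service must be enabled on both the tunnel and the local interface.
    servers = cfg.get("config system dns-server", {})
    for intf in (tunnel_intf, owner):
        if f"edit {intf}" not in servers:
            findings.append(f"system dns-server: no entry for {intf}")
    # 4. The local database needs at least one zone holding a host entry.
    if not any(entries(z.get("config dns-entry", {}))
               for _, z in entries(cfg.get("config system dns-database", {}))):
        findings.append("system dns-database: no zone with a dns-entry")
    return findings


def resolve_local(cfg, fqdn):
    """Answer fqdn from the local DNS database (hostname.domain), or None."""
    for _, zone in entries(cfg.get("config system dns-database", {})):
        domain = zone.get("domain", [""])[0]
        for _, rec in entries(zone.get("config dns-entry", {})):
            host = rec.get("hostname", [""])[0]
            if host and f"{host}.{domain}".lower() == fqdn.lower():
                return rec.get("ip", [None])[0]
    return None


if __name__ == "__main__":
    config = parse_fortios(SAMPLE_CONFIG)
    print(check_dns_over_sslvpn(config) or "all DNS-over-SSL-VPN requirements present")
    print(resolve_local(config, "first.fortinet.com"))  # 172.16.1.1
```

Run it against a `show full-configuration` dump saved to a file (replace SAMPLE_CONFIG with the file contents) before connecting a client; a non-empty findings list points at the block that is missing. The parser only understands the config/edit/set/next/end grammar used on this page, which is enough for these sections.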
Next, connect the SSL VPN.
Testing implementation
C:\Users\fortinet>nslookup first.fortinet.com
Server: UnKnown
Address: 10.180.20.2
Non-authoritative answer:
Name: first.fortinet.com
Address: 172.16.1.1
Copyright 2024 Fortinet, Inc. All Rights Reserved.