Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Anthony_E
Community Manager
Community Manager

Created on ‎04-29-2020 10:18 AM

Article Id 197735

Technical Tip: Using FortiGate as a DNS server with local database for a dialup IPsec VPN user

Description
This article describes the requirements needed for the FortiGate to be able to intercept, process and reply the DNS queries coming over the dial up tunnels.


Solution
Topology.

Windows FortiClient (IP : 10.10.10.100) - FortiGate ( local dns database)

CLI configuration.

VPN configuration.
# config vpn ipsec phase1-interface
    edit "ipsec"
        set type dynamic
        set interface "port3"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 10.180.20.2
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set comments "VPN: ipsec (Created by VPN wizard)"
        set xauthtype auto
        set authusrgrp "dialup_group"
        set ipv4-start-ip 10.10.10.100
        set ipv4-end-ip 10.10.10.120
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC z8ffB+0sD0eDaaTMu7x+0nxRMWZCxiWJPIIqnVIAgzTHrIbOafD7cLfzT4pPR0NuVb4zlLK1jQgQcwd0PXrHHFipcepB9Ft2zWVOxU0hbrQhiRXS0qOPyoKr6F0ydnNHsVPoa402Rlyo7tn6/u63GIM6Xt6FKmg2pQYohEtBBSmhlW5YJNvxiqsNEdZ+mfd/NcDv9Q==
        set dpd-retryinterval 60
    next
Local interface used in DNS.
# config system interface
    edit "loopback_test"
        set vdom "root"
        set ip 10.180.20.2 255.255.255.255
        set allowaccess ping
        set type loopback
        set role lan
        set snmp-index 14
        end
Firewall policy to allow DNS traffic.
# config firewall policy
    edit 1
        set name "dns_loopback"
        set uuid 5d2dbc6c-87e2-51ea-1b9f-8b15babd3dca
        set srcintf "ipsec"
        set dstintf "loopback_test"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Local DNS database configuration.
# config system dns-database
    edit "Local-server"
        set domain "fortinet.com"
        set ttl 900
        set authoritative disable
        # config dns-entry
            edit 1
                set hostname "first"
                set ip 172.16.1.1
            next
        end
    next
end
Enable DNS service on both interface (dialup and local interface).
# config system dns-server
    edit "loopback_test"
next
    edit "ipsec"
next
end
Testing implementation.
C:\Users\fortinet>nslookup first.fortinet.com
Server:  UnKnown
Address:  10.180.20.2

Non-authoritative answer:
Name:    first.fortinet.com
Address:  172.16.1.1



Labels:
3919
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.