FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes the issue of DNS resolution not working over a remote access IPsec tunnel. It provides a step-by-step guide to resolving the issue by configuring the DNS suffix in the IPsec Phase 1 interface.
Scope
FortiGate.
Solution
To resolve the issue of DNS resolution not working over a remote access IPsec tunnel, follow these steps:
Go toVPN->IPsec->Phase 1and edit the existing phase 1 configuration.
In the phase 1 configuration, enableUnity Supportand set theDomainto the desired DNS suffix.
The configuration should look like this:
config vpn ipsec phase1-interface edit <name> set unity-support enable set domain <string> next end
After making the changes, disconnect and reconnect the VPN client to test the DNS resolution.
By following these steps, the DNS suffix will be configured correctly, and DNS resolution should work as expected for short hostnames over the remote access IPsec tunnel.
The Cisco Unity Configuration Method extensions, which are related to this parameter 'unity-support', are specific to Cisco’s IKEv1-based implementation, so it is not possible to enable it when using IKEv2, and the option is hidden as a consequence.
