FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vrajendran
Staff
Staff
Article Id 191850

Description

 

This article describes how to troubleshoot when hostname is not accessible over IPsec VPN tunnel or SSL VPN connection.

 

Scope

 

FortiGate.

Solution

 

If resources are not accessible across a VPN tunnel by hostname, try the following steps:

 

  1. Make sure to set up the DNS server properly when configuring SSL or IPSec VPN. In this example, a server .abcd.local which resolves to 10.1.2.3 will be used.
  2. Make sure it is possible to ping IP address 10.1.2.3.
  3. Confirm to ping using FQDN: ping server.abcd.local.
  4. Check it is possible to ping using the hostname of the ping server.
  5. If it is not possible to ping, configure the DNS suffix in SSL and IPsec VPN configuration as below.
  6. Disconnect from the VPN and reconnect to retrieve the new VPN client configuration.


Note: Making changes to VPN configuration can interrupt VPN connectivity.
Take a configuration backup and have administrative access to FortiGate that does not depend on VPN.

For SSL VPN:

 

config vpn ssl settings

    set dns-suffix abcd.local
    set dns-server1 10.1.2.3

end

 

For IPsec IKEv1 VPN:

 

config vpn ipsec phase1-interface

    edit <IKEV1 TUNNEL NAME>

        set type dynamic
        set mode-cfg enable
        set unity-support enable
        set dns-mode manual
        set ipv4-dns-server1 10.1.2.3

        set domain abcd.local

end


Note: IKEv1 is the default IKE version for tunnels created using the IPsec Tunnel Wizard in GUI. The 'set domain' configuration will be available only for IKEv1. It requires the configuration 'set type dynamic', 'set mode-cfg enable', and 'set unity-support enable'.

For IPsec IKEv2 VPN:

config vpn ipsec phase1-interface

    edit <IKEV2 TUNNEL NAME>

        unset wizard-type

        set ike-version 2

        set type dynamic
        set mode-cfg enable
        set dns-mode manual
        set ipv4-dns-server1 10.1.2.3

        set internal-domain-list abcd.local

end


Note: The 'internal-domain-list' configuration will be available only for IKEv2. It requires FortiOS v7.2.8, v7.4.1, or later and the configuration 'set type dynamic' and 'set mode-cfg enable'.

 

Related Article:

Technical Tip: How to set DNS suffix for VPN SSL and IPsec in the FortiGate configuration