Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vrajendran
Staff
Staff

Created on ‎05-28-2020 07:38 AM Edited on ‎06-10-2025 10:31 PM By Community Manager

Article Id 191850

Troubleshooting Tip: DNS resolution over IPsec/SSL VPN

Description

 

This article describes how to troubleshoot when hostname is not accessible over IPsec VPN tunnel or SSL VPN connection.

 

Scope

 

FortiGate.

Solution

 

If resources are not accessible across a VPN tunnel by hostname, try the following steps:

 

  1. Make sure to set up the DNS server properly when configuring SSL or IPSec VPN. In this example, a server .abcd.local which resolves to 10.1.2.3 will be used.
  2. Make sure it is possible to ping IP address 10.1.2.3.
  3. Confirm to ping using FQDN: ping server.abcd.local.
  4. Check it is possible to ping using the hostname of the ping server.
  5. If it is not possible to ping, configure the DNS suffix in SSL and IPsec VPN configuration as below.
  6. Disconnect from the VPN and reconnect to retrieve the new VPN client configuration.


Note: Making changes to VPN configuration can interrupt VPN connectivity.
Take a configuration backup and have administrative access to FortiGate that does not depend on VPN.

For SSL VPN:

 

config vpn ssl settings

    set dns-suffix abcd.local
    set dns-server1 10.1.2.3

end

 

For IPsec IKEv1 VPN:

 

config vpn ipsec phase1-interface

    edit <IKEV1 TUNNEL NAME>

        set type dynamic
        set mode-cfg enable
        set unity-support enable  <----- This needs to be enabled to use the 'set domain' command.
        set dns-mode manual      
        set ipv4-dns-server1 10.1.2.3

        set domain abcd.local     <----- This sets the default DNS domain for VPN clients.

end


Note: IKEv1 is the default IKE version for tunnels created using the IPsec Tunnel Wizard in the GUI. The 'set domain' configuration will be available only for IKEv1. It requires the configuration 'set type dynamic', 'set mode-cfg enable', and 'set unity-support enable'.

For IPsec IKEv2 VPN:

config vpn ipsec phase1-interface

    edit <IKEV2 TUNNEL NAME>

        unset wizard-type

        set ike-version 2

        set type dynamic
        set mode-cfg enable
        set dns-mode manual
        set ipv4-dns-server1 10.1.2.3

        set internal-domain-list abcd.local

end


Note:

The 'internal-domain-list' configuration will be available only for IKEv2. It requires FortiOS v7.2.8, v7.4.1, or later and the configuration 'set type dynamic' and 'set mode-cfg enable'.

 

Troubleshooting :

 

If the access is still not working, verify if the DNS query is coming from the client end by performing a sniffer or Packet Capture :

 

diagnose sniffer packet any "host <client private IP over SSLVPN/IPsec> and port 53" 4 200 l

 

If there is no DNS query from the client, verify that the domain is configured correctly. If the DNS query is not being replied to, verify further if it is allowed by Fortigate by running debug flow

 

If a DNS query is being replied to, SYN is sent to the resolved domain, but it is not being replied to; verify if NAT is required on the policy being used.

 

Related article:

Technical Tip: How to set DNS suffix for VPN SSL and IPsec in the FortiGate configuration

52453
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.