Description
This article describes how to troubleshoot when hostname is not accessible over IPsec VPN tunnel or SSL VPN connection.
Scope
FortiGate.
Solution
If resources are not accessible across a VPN tunnel by hostname, try the following steps:
- Make sure to set up the DNS server properly when configuring SSL or IPSec VPN. In this example, server.abcd.local which resolves to 10.1.2.3 will be used.
- Make sure it is possible to ping IP address 10.1.2.3.
- Confirm to ping using FQDN: ping server.abcd.local.
- Check it is possible to ping using the hostname of the ping server.
- If it is not possible to ping via hostname, configure the DNS suffix in SSL and IPsec VPN configuration as below.
- Disconnect from the VPN and reconnect to retrieve the new VPN client configuration.
Note: Making changes to VPN configuration can interrupt VPN connectivity.
Take a configuration backup and have administrative access to FortiGate that does not depend on VPN.
For SSL VPN:
config vpn ssl settings
set dns-suffix abcd.local
set dns-server1 10.1.2.3
end
For IPsec IKEv1 VPN:
See this related document: IPsec DNS suffix
config vpn ipsec phase1-interface
edit <IKEV1 TUNNEL NAME>
set type dynamic
set mode-cfg enable
set unity-support enable <----- This needs to be enabled to use the 'set domain' command.
set dns-mode manual
set ipv4-dns-server1 10.1.2.3
set domain abcd.local <----- This sets the default DNS domain for VPN clients.
end
Note:
IKEv1 is the default IKE version for tunnels created using the IPsec Tunnel Wizard in the GUI. The 'set domain' configuration will be available only for IKEv1. It requires the configuration 'set type dynamic', 'set mode-cfg enable', and 'set unity-support enable'.
For IPsec IKEv2 VPN:
The use of Search Domains with IKEv2 requires FortiOS version 7.6.4 or later and FortiClient version 7.4.4 or later
config vpn ipsec phase1-interface
edit <tunnel_name>
set mode-cfg enable
set ike-version 2
set type dynamic
set ipv4-dns-server1
set ipv6-dns-server1
set dns-suffix-search example.com <----- This sets the default DNS domain for VPN clients.
next
end
For VDOM-enabled FortiGate:
config vdom
edit <vdom name>
config vpn ipsec phase1-interface
edit <tunnel_name>
set mode-cfg enable
set ike-version 2
set type dynamic
set ipv4-dns-server1
set ipv6-dns-server1
set dns-suffix-search example.com <----- This sets the default DNS domain for VPN clients.
next
end
IKEv2 supports assigning multiple DNS suffixes/domains. They must be separated by a space.
set dns-suffix-search example1.com example2.com example3.com
Note:
FortiClient 7.4.4 no longer supports IKEv1 for IPsec VPN and does not include a free VPN-only agent. Users can continue to use the FortiClient 7.4.3 free VPN-only agent, which supports IKEv1. For more information, see Special notices | FortiClient 7.4.4 | Fortinet Document Library.
Troubleshooting:
If the access is still not working, verify if the DNS query is coming from the client end by performing a sniffer or Packet Capture :
diagnose sniffer packet any "host <client private IP over SSLVPN/IPsec> and port 53" 4 200 l
If there is no DNS query from the client, verify that the domain is configured correctly. If the DNS query is not being replied to, verify further if it is allowed by FortiGate by running Debugging the packet flow
If a DNS query is being replied to, SYN is sent to the resolved domain, but it is not being replied to; verify if NAT is required on the policy being used.
Related article:
Technical Tip: How to set DNS suffix for VPN SSL and IPsec in the FortiGate configuration
