Created on 05-28-2020 07:38 AM Edited on 10-16-2024 10:07 PM By Jean-Philippe_P
Description
This article describes how to troubleshoot when a hostname is not accessible over an IPsec VPN tunnel or an SSL VPN connection.
Scope
FortiGate.
Solution
If resources are not accessible across a VPN tunnel by hostname, try the following steps:
Note: Making changes to VPN configuration can interrupt VPN connectivity.
Take a configuration backup first, and make sure there is administrative access to the FortiGate that does not depend on the VPN.
For SSL VPN:
config vpn ssl settings
    set dns-suffix abcd.local
    set dns-server1 10.1.2.3
end
For IPsec IKEv1 VPN:
config vpn ipsec phase1-interface
    edit <IKEV1 TUNNEL NAME>
        set type dynamic
        set mode-cfg enable
        set unity-support enable
        set dns-mode manual
        set ipv4-dns-server1 10.1.2.3
        set domain abcd.local
end
Note: IKEv1 is the default IKE version for tunnels created using the IPsec Tunnel Wizard in the GUI. The 'set domain' option is available only for IKEv1. It requires 'set type dynamic', 'set mode-cfg enable', and 'set unity-support enable'.
For IPsec IKEv2 VPN:
config vpn ipsec phase1-interface
    edit <IKEV2 TUNNEL NAME>
        unset wizard-type
        set ike-version 2
        set type dynamic
        set mode-cfg enable
        set dns-mode manual
        set ipv4-dns-server1 10.1.2.3
        set internal-domain-list abcd.local
end
Note: The 'internal-domain-list' option is available only for IKEv2. It requires FortiOS v7.2.8, v7.4.1, or later, together with 'set type dynamic' and 'set mode-cfg enable'.
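To check an existing configuration against the prerequisites in the notes above, the following Python script is an added example (it is not part of the original article and not a Fortinet tool). It assumes its input is the text output of 'show full-configuration vpn ipsec phase1-interface', so that default values are listed explicitly; the function names, the sample tunnel name and the treatment of '' and 0.0.0.0 as "not set" are assumptions made for this example.

```python
# Prerequisites per IKE version, taken from the configuration and notes above.
REQUIRED = {"1": {"mode-cfg": "enable", "unity-support": "enable", "dns-mode": "manual"},
            "2": {"mode-cfg": "enable", "dns-mode": "manual"}}
SUFFIX_KEY = {"1": "domain", "2": "internal-domain-list"}
UNSET = {"", "0.0.0.0"}  # assumption: how an empty value appears in the output

def parse_phase1(text):
    """Return {tunnel: {setting: value}}; nested sub-tables of an entry are skipped."""
    tunnels, name, depth = {}, None, 0
    for raw in text.splitlines():
        cmd, *args = [t.strip("\"'") for t in raw.split()] or [""]
        if cmd == "config":
            if depth or args == ["vpn", "ipsec", "phase1-interface"]:
                depth += 1
        elif cmd == "end" and depth:
            depth -= 1
        elif depth == 1 and cmd == "edit" and args:
            name = args[0]
        elif depth == 1 and cmd == "set" and name and args:
            tunnels.setdefault(name, {})[args[0]] = " ".join(args[1:])
    return tunnels

def audit(text):
    """Return {tunnel: [findings]}; only dial-up (type dynamic) tunnels are checked."""
    report = {}
    for name, cfg in parse_phase1(text).items():
        if cfg.get("type") != "dynamic":
            continue
        ver = cfg.get("ike-version", "1")  # assumption: absent means IKEv1
        findings = [f"{k} is {cfg.get(k, 'absent')}, expected {v}"
                    for k, v in REQUIRED[ver].items() if cfg.get(k) != v]
        findings += [f"{k} is not set"
                     for k in ("ipv4-dns-server1", SUFFIX_KEY[ver])
                     if cfg.get(k, "") in UNSET]
        report[name] = findings
    return report

# Constructed sample: an IKEv2 dial-up tunnel with no DNS suffix configured.
SAMPLE = """config vpn ipsec phase1-interface
    edit "dialup-v2"
        set type dynamic
        set ike-version 2
        set mode-cfg enable
        set dns-mode manual
        set ipv4-dns-server1 10.1.2.3
    next
end"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty findings list for a tunnel means every setting required by the notes above is present for that IKE version.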
Related Article:
Technical Tip: How to set DNS suffix for VPN SSL and IPsec in the FortiGate configuration