Hello friends,
I have the two following questions. Perhaps you can help me :-).
1. Is it possible to configure a specific dns-server for a specific internal domain?
I need it to resolve internal FQDNs like abcde.internal-domain.com
by a dns-server I would like to specify. The FortiGate-firewall should then pass the dns-requests
for this domain (for example abcde.internal-domain.com) to the dns-server which is responsible
for this domain.
For external FQDNs (for example www.google.de) the dns-servers under "Network" --> "DNS Servers" should be used (for example 8.8.8.8 or 1.1.1.1).
2. Is it possible to configure one side of an ipsec-site2site-tunnel (Fortigate-firewall on both sides)
as "passive" and the other side as "active"? The goal is to establish an ipsec-tunnel where one side is connected to an lte-connection (mobile network) and the other side is connected to a dsl-connection (static ip address on wan-interface). The Fortigate-firewall on the lte-side should then be configured as the "active" side which initiates the tunnel, and the Fortigate-firewall on the side with the dsl-connection should be configured as "passive" (which "waits" for the incoming connection of the peer).
Can you help me with these questions? :)
Hello Datax_2502,
I would try to answer the questions by providing documentation:
1. Please check the following KB, master and slave fortigate for a domain:
2. For this setup, you would need to configure IPSec tunnels with aggressive mode (for use of multiple tunnels on the same interface, you need to specify a peer ID). The fortigate with the static IP will be configured with the phase 1 option “remote gateway: dialup user” (in your case the passive one), while the fortigate with the dynamic IP should use “remote gateway: static IP address” (the "active" fortigate). Please check the documentation:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/6896/fortigate-as-dialup-client
Please let me know if the provided documentation helps.
Regards,
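As an added illustration of the phase 1 pairing described in the answer above (this is not the answer's own configuration and not taken from the linked cookbook), here is what the two sides look like in FortiOS CLI. Interface names, the subnets, the WAN address 203.0.113.10, the peer ID "lte-site" and the proposals are assumed values for the example; the pre-shared key is a placeholder.

```text
# --- DSL side (static WAN address): the "passive" dialup server ---
# type dynamic = "remote gateway: dialup user"; it only accepts
# incoming IKE negotiations and never tries to initiate.
config vpn ipsec phase1-interface
    edit "lte-dialup"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive             # required for peer-ID based dialup
        set peertype one                # accept only the one peer ID below
        set peerid "lte-site"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "<PRE-SHARED-KEY-PLACEHOLDER>"
    next
end
config vpn ipsec phase2-interface
    edit "lte-dialup-p2"
        set phase1name "lte-dialup"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set src-subnet 192.168.10.0 255.255.255.0   # DSL-side LAN (assumed)
        set dst-subnet 192.168.20.0 255.255.255.0   # LTE-side LAN (assumed)
    next
end

# --- LTE side (dynamic address): the "active" dialup client ---
# remote-gw points at the DSL site's static WAN address; localid must
# match the peerid configured on the dialup server.
config vpn ipsec phase1-interface
    edit "to-dsl-site"
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set remote-gw 203.0.113.10
        set localid "lte-site"
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle                 # detect a dropped LTE session
        set psksecret "<PRE-SHARED-KEY-PLACEHOLDER>"
    next
end
config vpn ipsec phase2-interface
    edit "to-dsl-site-p2"
        set phase1name "to-dsl-site"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable       # client brings the tunnel up itself
        set src-subnet 192.168.20.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end
```

Static routes over the tunnel interfaces and firewall policies in both directions are still needed on each side; restricting the dialup server with `peertype one` and a single `peerid` keeps it from accepting any other aggressive-mode peer that knows the pre-shared key.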
Hi anikolov,
Sorry for my late response.
Thanks a lot for your information. :)
But I still don't understand how to configure the dns-server on the FortiGate-firewall
to resolve external hosts with 8.8.8.8 and the hosts of my internal domain with the dns-server of my active directory.
Could you give an example for that? Or is there any website where I can look up how to configure this setup?
Best Regards
Datax