NHC
New Contributor

DNS over IPsec VPN

Hi


My setup:

FortiClient VPN -> FortiGate 40F <- Site-2-Site -> Zyxel -> DC

FortiClient subnet: 10.45.130.0/24 (DNS: 10.1.8.16)

FortiGate subnet: 10.45.134.0/24 (DNS: 10.1.8.16)

DC: 10.1.8.0/24


FortiGate firmware: 6.4.6

FortiClient: 7.0.8.0427


When my client is on the 10.45.134.0/24 subnet, I can ping and resolve all hostnames of my domain. But when I'm connected through my FortiClient VPN, I can still ping all IPs just fine, but I can't resolve any DNS names of my internal network. It's like it's not using the DNS server at 10.1.8.16.

I have configured the DNS domain name for my FortiClient:

config vpn ipsec phase1-interface
    edit <VPN TUNNEL NAME>
        set domain abcd.local
end

I have tried to disable split-tunneling on the VPN connection, but still no luck.

I then tried to create a DNS Database on the FortiGate:

Type: Secondary

View: Shadow

DNS Zone: abcd.local

Domain Name: abcd.local

IP of Primary: 10.1.8.16

And from the CLI I set the Source IP:

config system dns-database
    edit "abcd.local"
        set source-ip 10.45.134.1
end

But still I can't resolve abcd.local


Hope anyone here has an idea what to try next, or if I might have made a mistake while setting it up.

1 Solution
ebilcari

So basically the VPN configuration looks correct, since it pushes the DNS server. The DNS server is reached and can resolve names (policies OK), but it looks like Windows refuses to use it as a valid DNS server.
If you run only "> nslookup fortinet.com", which DNS server responds to the query?

Can you try with a different client, is there any hypervisor active on this PC?

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

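As an added diagnostic that is not part of this thread, the following Python script does what the nslookup suggestion above aims at, but without the Windows resolver in the way: it hand-builds a DNS A query, sends it straight to the pushed DNS server over UDP/53 and decodes the reply, so "server reachable through the tunnel" and "Windows actually uses that server" can be told apart. The server 10.1.8.16 and the host name are taken from the post; the transaction ID is an arbitrary constant.

```python
import socket
import struct
TXID = 0x1234  # arbitrary transaction id used to match a reply to our query

def build_query(name: str) -> bytes:
    """Minimal DNS query: one A record question, IN class, recursion desired."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(data: bytes, pos: int) -> int:
    """Offset just past a name; a compression pointer (2 bytes) ends it."""
    while data[pos] != 0:
        if data[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + data[pos]
    return pos + 1

def parse_response(data: bytes):
    """Return (rcode, list of A-record IPs); rcode 0 = NOERROR, 3 = NXDOMAIN."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != TXID:
        raise ValueError("reply does not match our transaction id")
    pos = 12
    for _ in range(qd):  # skip the echoed question section
        pos = _skip_name(data, pos) + 4
    ips = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, ips

def probe(server: str, name: str, timeout: float = 2.0):
    """Send the query to `server` over UDP/53; None = no reply (tunnel, route or policy)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data)

if __name__ == "__main__":  # values from the post: pushed DNS server and a DC host name
    print(probe("10.1.8.16", "HYTDC01.xxx.abcd.local"))
```

If this returns an answer while nslookup on the same machine does not, the tunnel and policies are fine and the problem is the client resolver configuration, which is the case ebilcari describes.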

NHC
New Contributor

Testing from another PC did work. So it might be an issue in the Sandbox environment.

Thanks for your help

srajeswaran

You have the same DNS on 2 adapters. Can you do a route print and make sure the DNS is reachable via the VPN adapter?
Please ignore if this is completely stupid idea.

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
NHC

Hi

That is because the VPN is connected. If I disconnect, I do only have it once :)

(screenshot: ipconfig.png)

While it still was connected, I did the route print, which also looks good to me.

(screenshot: route print.png)

srajeswaran

When you tried to create the local DNS database on the FortiGate, did you specify the SSL VPN interface under "config system dns-server"?

Can you try that?

https://community.fortinet.com/t5/FortiGate/Technical-Tip-DNS-queries-over-a-FortiGate-loopback-inte...


Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
NHC

Yes, I did use that interface.

(screenshots: dns-server.png, dns-service.png, dns-database.png)

NHC
New Contributor

Here is a picture of my Windows DNS server:

(screenshot: dns-server.png)

nslookup to HYTDC01.xxx.abcd.local

(screenshot: nslookup.png)

Also ping to the same address

(screenshot: ping-dns.png)

I'm about to install FortiClient on a new PC to test.

NHC
New Contributor

The solution was found. When I installed the client on a physical PC, not a sandbox or VM, it does actually work. Feeling stupid for not trying that before.

Thanks all for the suggestions.
