Hi
My setup:
FortiClient VPN -> FortiGate 40F <- Site-2-Site -> Zyxel -> DC
FortiClient subnet: 10.45.130.0/24 (DNS: 10.1.8.16)
FortiGate subnet: 10.45.134.0/24 (DNS: 10.1.8.16)
DC: 10.1.8.0/24
FortiGate firmware: 6.4.6
FortiClient: 7.0.8.0427
When I'm with my client on the subnet 10.45.134.0/24, I can ping and resolve all hostnames of my domain. But when I'm connected through my FortiClient VPN, I can still ping all IPs just fine, but I can't resolve any DNS names of my internal network. It's like it's not using the DNS on 10.1.8.16.
I have configured a DNS name for my FortiClient:
config vpn ipsec phase1-interface
(phase1-interface) edit <VPN TUNNEL NAME>
(VPN TUNNEL NAME) set domain abcd.local
(VPN TUNNEL NAME) end
I have tried to disable split-tunneling on the VPN connection, but still no luck.
I then tried to create a DNS Database on the FortiGate:
Type: Secondary
View: Shadow
DNS Zone: abcd.local
Domain Name: abcd.local
IP or Primary: 10.1.8.16
And from the CLI I set the Source IP:
config system dns-database
edit "abcd.local"
set source-ip 10.45.134.1
end
But still I can't resolve abcd.local
Hope anyone here has an idea what to try next, or if I might have made a mistake while setting it up.
Hi,
Are you connecting to the FGT with FortiClient as an SSLVPN or an IPsec tunnel?
Hi
I'm connecting with the FortiClient as an IPsec VPN.
Please have a look at
and
Hi
I do already use 10.1.8.16 as DNS for my Clients when they connect to the VPN, and as I wrote, I have also set the domain for the tunnel.
Here you see my IPsec setup for the Client VPN.
Firstly check if the DNS server is shown in the end host interface "Fortinet SSL VPN Virtual Ethernet Adapter"
> ipconfig /all
If it is shown there, try to ping it or do an nslookup to the server:
> nslookup fortinet.com 10.1.8.16
If you don't get a response, then check the policies to see if this traffic gets blocked.
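The check suggested above (query the pushed resolver directly, independent of whichever server Windows picks) can be scripted so the result is unambiguous. The following is an added example, not code from any poster in this thread or from Fortinet: a minimal DNS A-record client that sends one UDP query to an explicitly chosen resolver and decodes the reply. The host name "dc1.abcd.local" is a constructed sample; 10.1.8.16 and abcd.local come from the original post. A timeout means UDP/53 is not reaching the server through the tunnel (policy or routing), while a decoded answer means the resolver works and the problem is on the client's resolver selection.

```python
"""Minimal DNS A-record lookup against an explicitly chosen resolver.

Added example (not from the thread). Sends one UDP query to a given DNS
server, checks that the reply carries the same transaction id we sent,
and returns the A records found. All names below are constructed samples.
"""
import random
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'dc1.abcd.local' as DNS labels: \\x03dc1\\x04abcd\\x05local\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Build a standard recursive query (RD=1) for an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _read_name(data: bytes, pos: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], pos, False, 0
    while True:
        length = data[pos]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[pos:pos + 2])[0] & 0x3FFF
            if not jumped:
                end = pos + 2
            jumped, pos, hops = True, ptr, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            pos += 1
            break
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    if not jumped:
        end = pos
    return ".".join(labels), end


def parse_response(data: bytes, expected_id: int) -> dict:
    """Return rcode, authoritative flag and the (name, ipv4, ttl) A answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch: stray or forged reply")
    if not flags & 0x8000:
        raise ValueError("packet is a query, not a response")
    pos = 12
    for _ in range(qd):  # skip the echoed question section
        _, pos = _read_name(data, pos)
        pos += 4
    answers = []
    for _ in range(an):
        rname, pos = _read_name(data, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((rname, socket.inet_ntoa(rdata), ttl))
    return {"rcode": flags & 0x000F, "authoritative": bool(flags & 0x0400),
            "answers": answers}


def resolve_a(name: str, server: str, timeout: float = 3.0) -> dict:
    """Query `server` (e.g. the VPN-pushed 10.1.8.16) directly over UDP/53."""
    txid = random.randrange(0, 0x10000)  # random id so stray replies are rejected
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "dc1.abcd.local"   # constructed
    server = sys.argv[2] if len(sys.argv) > 2 else "10.1.8.16"
    try:
        print(resolve_a(host, server))
    except socket.timeout:
        print(f"no reply from {server}: UDP/53 is not reaching it through the tunnel")
```

Run it from the VPN-connected client as `python dns_check.py dc1.abcd.local 10.1.8.16`. An rcode of 3 (NXDOMAIN) with the resolver answering tells you the zone or record is missing on the server, which is a different failure from the timeout case, and a transaction-id mismatch is rejected rather than trusted, which is the same protection a real stub resolver relies on.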
Hi
I checked, and you will find results attached.
ipconfig /all
ping 10.1.8.16
ping FQDN
nslookup
So basically the VPN configuration looks correct since it pushes the DNS server. The DNS server is reached and can resolve names (policies OK), but it looks like Windows refuses to use this as a valid DNS server.
If you run only > nslookup fortinet.com , which DNS server does respond to the query?
Can you try with a different client, is there any hypervisor active on this PC?
Created on 06-15-2023 05:37 AM Edited on 06-15-2023 05:39 AM
Hmm, it looks like it is using the correct one?
But even if I try to ping that DNS server on FQDN it fails
The PC I'm testing from is running in Windows Sandbox. Will try to find another PC I can install the client on.
this is strange :)
Are you using the whole FQDN for that A entry, or just the part prior to the suffix?
what happens when you nslookup to that name?
Copyright 2024 Fortinet, Inc. All Rights Reserved.