Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- DNS resolution with IPSEC VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DNS resolution with IPSEC VPN
Hi!
I am having some problem with the DNS resolution on our remote branch.
We have two fortigate 60B, connected via IPSEC VPN, with the DNS server in our office, remote branch could not ping our servers here via its name (ping MYSERVER --unable to resolve host).
FG60B-V3.0MR7 build 0750
Network is set up this way:
(Internal Interface- Head Office) 192.168.1.0 ---IPSEC VPN --- 192.168.2.0 (Internal Interface - Remote Office)
Remote Branch have two Internet Link, with policy route being configured.
Internal to WAN1 (where IPSECVPN is set-up: src:192.168.2.0/24 - dst:192.168.1.0/24
Internal to WAN2 (pure Internet traffic) src:192.168.2.0/24 - dst: 0.0.0.0/0.0.0.0
Already created policies on both devices, the Head office can ping network on 192.168.2.0 and also the remote office to 192.168.1.0 by using IP address.
Head office can ping the server by its name (MYSERVER) which is of the same network (192.168.1.0).
By the way, remote branch does not have DNS Server (few PCs) only and using the FG60B being set-up as their DNS Server on their PC. I have tried using the DNS Server on the head office for the remote branch but doesn' t work. Internet however is working fine on the remote branch.
What am I missing here or mistakes on my config? Any help is highly appreciated.
Thanks a lot!
--mix
Mix
Mix
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the Internet works, then your issue may be that you need to add your local DNS server to the remote FGT (if used as a DNS source).
Go to ' System > Network > Options' and change the DNS settings here.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Already done that,primary DNS was the local DNS on Head office while secondary is public DNS given by ISP. Still, branch office could not resolve the server on the head office.. what i did was as a work around is to manually include on the lmhost names of the servers manually on each PC on the remote branch.
My problem now is that, the other internet connection in WAN 2 is down. and Fortigate can no longer resolve even google.com via console.
Already added the DNS given by ISP on System>Network>Options.
Checked " enable DNS forwarding from -internal-" .
I have experimented on checking/unchecking of " override internal DNS"
Also tried openDNS (208.67.222.222) but fortigate could not resolve any websites via console, thus the branches could not connect to the internet via WAN1.
WAN1 is PPPoE, alreay modified the policy route that all traffic will be via WAN1.
What am i missing here?
Thanks!
--mix
Mix
Mix
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By the way, remote branch could not even ping any public IP,
except the public IP of our head office.
Weird thing is, IPSEC VPN via WAN1 is " UP" .
Mix
Mix
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What I saw in router monitor is that I only define 1 static route, two has been shown. both for WAN2 and WAN1.
So I disable the WAN2 (administratively down), and now fortigate can ping and resolve any public ip..
But if I enable the WAN2 (problem would re-occur).
WAN2 is set-up as DHCP.
I dont want to disable WAN2, any help?
Mix
Mix
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see this pretty basic:
You set up an DHCP server for your LAN hosts. You add as primary DNS server the server from the other VPN' s end, and as secondary DNS - what you want, a public DNS.
When tunnel is UP, your DNS query and Internet works; tunnel down, primary DNS is not available so all stations use the second DNS.
This way you will not mess anything on FG DNS config. Just play it from DHCP.
The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
The most expensive and scarce resource for man is time, paradoxically,
it' s infinite.
Labels
-
FortiGate
10,794 -
FortiClient
2,209 -
FortiManager
905 -
FortiAnalyzer
689 -
5.2
687 -
5.4
638 -
FortiSwitch
596 -
FortiClient EMS
580 -
FortiAP
568 -
IPsec
444 -
6.0
416 -
SSL-VPN
393 -
FortiMail
380 -
5.6
362 -
FortiNAC
297 -
FortiWeb
257 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
205 -
FortiAuthenticator
186 -
FortiGuard
161 -
5.0
152 -
Firewall policy
150 -
FortiGate-VM
141 -
6.4
128 -
FortiCloud Products
118 -
FortiToken
115 -
FortiSIEM
114 -
FortiGateCloud
112 -
Wireless Controller
96 -
High Availability
93 -
Customer Service
88 -
FortiProxy
79 -
SAML
78 -
ZTNA
78 -
Routing
77 -
Fortivoice
73 -
BGP
73 -
DNS
73 -
VLAN
73 -
FortiEDR
71 -
Authentication
71 -
FortiADC
69 -
Certificate
69 -
LDAP
64 -
RADIUS
63 -
FortiLink
59 -
SSO
57 -
NAT
56 -
FortiSandbox
55 -
FortiExtender
52 -
Interface
50 -
VDOM
50 -
4.0MR3
49 -
Application control
48 -
Virtual IP
45 -
FortiDNS
43 -
Logging
42 -
SSL SSH inspection
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
Web profile
36 -
FortiConnect
35 -
Automation
35 -
FortiWAN
31 -
FortiConverter
31 -
API
29 -
FortiGate v5.2
28 -
Fortigate Cloud
26 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
21 -
OSPF
21 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
IP address management - IPAM
19 -
FortiSOAR
18 -
FortiAP profile
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Trunk
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Application signature
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
DoS policy
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2707 | |
| 1416 | |
| 810 | |
| 716 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.