Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mix_novice
New Contributor

DNS resolution with IPSEC VPN

Hi! I am having some problem with the DNS resolution on our remote branch. We have two fortigate 60B, connected via IPSEC VPN, with the DNS server in our office, remote branch could not ping our servers here via its name (ping MYSERVER --unable to resolve host). FG60B-V3.0MR7 build 0750 Network is set up this way: (Internal Interface- Head Office) 192.168.1.0 ---IPSEC VPN --- 192.168.2.0 (Internal Interface - Remote Office) Remote Branch have two Internet Link, with policy route being configured. Internal to WAN1 (where IPSECVPN is set-up: src:192.168.2.0/24 - dst:192.168.1.0/24 Internal to WAN2 (pure Internet traffic) src:192.168.2.0/24 - dst: 0.0.0.0/0.0.0.0 Already created policies on both devices, the Head office can ping network on 192.168.2.0 and also the remote office to 192.168.1.0 by using IP address. Head office can ping the server by its name (MYSERVER) which is of the same network (192.168.1.0). By the way, remote branch does not have DNS Server (few PCs) only and using the FG60B being set-up as their DNS Server on their PC. I have tried using the DNS Server on the head office for the remote branch but doesn' t work. Internet however is working fine on the remote branch. What am I missing here or mistakes on my config? Any help is highly appreciated. Thanks a lot! --mix
5 REPLIES 5
rwpatterson
Valued Contributor III

If the Internet works, then your issue may be that you need to add your local DNS server to the remote FGT (if used as a DNS source). Go to ' System > Network > Options' and change the DNS settings here.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
mix_novice
New Contributor

Already done that,primary DNS was the local DNS on Head office while secondary is public DNS given by ISP. Still, branch office could not resolve the server on the head office.. what i did was as a work around is to manually include on the lmhost names of the servers manually on each PC on the remote branch. My problem now is that, the other internet connection in WAN 2 is down. and Fortigate can no longer resolve even google.com via console. Already added the DNS given by ISP on System>Network>Options. Checked " enable DNS forwarding from -internal-" . I have experimented on checking/unchecking of " override internal DNS" Also tried openDNS (208.67.222.222) but fortigate could not resolve any websites via console, thus the branches could not connect to the internet via WAN1. WAN1 is PPPoE, alreay modified the policy route that all traffic will be via WAN1. What am i missing here? Thanks! --mix
mix_novice
New Contributor

By the way, remote branch could not even ping any public IP, except the public IP of our head office. Weird thing is, IPSEC VPN via WAN1 is " UP" .
mix_novice
New Contributor

What I saw in router monitor is that I only define 1 static route, two has been shown. both for WAN2 and WAN1. So I disable the WAN2 (administratively down), and now fortigate can ping and resolve any public ip.. But if I enable the WAN2 (problem would re-occur). WAN2 is set-up as DHCP. I dont want to disable WAN2, any help?
laf
New Contributor II

I see this pretty basic: You set up an DHCP server for your LAN hosts. You add as primary DNS server the server from the other VPN' s end, and as secondary DNS - what you want, a public DNS. When tunnel is UP, your DNS query and Internet works; tunnel down, primary DNS is not available so all stations use the second DNS. This way you will not mess anything on FG DNS config. Just play it from DHCP.

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors