- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- DNS resolution with IPSEC VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DNS resolution with IPSEC VPN
Hi!
I am having some problem with the DNS resolution on our remote branch.
We have two fortigate 60B, connected via IPSEC VPN, with the DNS server in our office, remote branch could not ping our servers here via its name (ping MYSERVER --unable to resolve host).
FG60B-V3.0MR7 build 0750
Network is set up this way:
(Internal Interface- Head Office) 192.168.1.0 ---IPSEC VPN --- 192.168.2.0 (Internal Interface - Remote Office)
Remote Branch have two Internet Link, with policy route being configured.
Internal to WAN1 (where IPSECVPN is set-up: src:192.168.2.0/24 - dst:192.168.1.0/24
Internal to WAN2 (pure Internet traffic) src:192.168.2.0/24 - dst: 0.0.0.0/0.0.0.0
Already created policies on both devices, the Head office can ping network on 192.168.2.0 and also the remote office to 192.168.1.0 by using IP address.
Head office can ping the server by its name (MYSERVER) which is of the same network (192.168.1.0).
By the way, remote branch does not have DNS Server (few PCs) only and using the FG60B being set-up as their DNS Server on their PC. I have tried using the DNS Server on the head office for the remote branch but doesn' t work. Internet however is working fine on the remote branch.
What am I missing here or mistakes on my config? Any help is highly appreciated.
Thanks a lot!
--mix
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the Internet works, then your issue may be that you need to add your local DNS server to the remote FGT (if used as a DNS source).
Go to ' System > Network > Options' and change the DNS settings here.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Already done that,primary DNS was the local DNS on Head office while secondary is public DNS given by ISP. Still, branch office could not resolve the server on the head office.. what i did was as a work around is to manually include on the lmhost names of the servers manually on each PC on the remote branch.
My problem now is that, the other internet connection in WAN 2 is down. and Fortigate can no longer resolve even google.com via console.
Already added the DNS given by ISP on System>Network>Options.
Checked " enable DNS forwarding from -internal-" .
I have experimented on checking/unchecking of " override internal DNS"
Also tried openDNS (208.67.222.222) but fortigate could not resolve any websites via console, thus the branches could not connect to the internet via WAN1.
WAN1 is PPPoE, alreay modified the policy route that all traffic will be via WAN1.
What am i missing here?
Thanks!
--mix
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By the way, remote branch could not even ping any public IP,
except the public IP of our head office.
Weird thing is, IPSEC VPN via WAN1 is " UP" .
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What I saw in router monitor is that I only define 1 static route, two has been shown. both for WAN2 and WAN1.
So I disable the WAN2 (administratively down), and now fortigate can ping and resolve any public ip..
But if I enable the WAN2 (problem would re-occur).
WAN2 is set-up as DHCP.
I dont want to disable WAN2, any help?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see this pretty basic:
You set up an DHCP server for your LAN hosts. You add as primary DNS server the server from the other VPN' s end, and as secondary DNS - what you want, a public DNS.
When tunnel is UP, your DNS query and Internet works; tunnel down, primary DNS is not available so all stations use the second DNS.
This way you will not mess anything on FG DNS config. Just play it from DHCP.
The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
The most expensive and scarce resource for man is time, paradoxically,
it' s infinite.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Route LAN over VTI interface over... 109 Views
- IPsec Tunnel is up but can... 116 Views
- VPN IPSEC Dialup Connection IKE v2 236 Views
- VPN IPSec between private peers ip 141 Views
- Two Ipsec Tunnels for Fortigate 256 Views
Labels
-
FortiGate
7,214 -
FortiClient
1,423 -
5.2
801 -
5.4
639 -
FortiManager
623 -
FortiAnalyzer
463 -
6.0
416 -
FortiAP
378 -
FortiSwitch
376 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
282 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
178 -
FortiNAC
129 -
6.4
128 -
FortiGuard
117 -
IPsec
111 -
SSL-VPN
110 -
FortiGateCloud
97 -
FortiSIEM
95 -
FortiCloud Products
90 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
66 -
4.0MR3
64 -
SD-WAN
51 -
FortiProxy
49 -
FortiEDR
46 -
FortiADC
45 -
Fortivoice
44 -
FortiDNS
40 -
FortiGate v5.4
36 -
FortiExtender
35 -
FortiSandbox
35 -
FortiAuthenticator
35 -
Firewall policy
35 -
VLAN
32 -
FortiSwitch v6.4
32 -
High Availability
32 -
DNS
25 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
FortiConverter
23 -
LDAP
22 -
Certificate
21 -
BGP
21 -
SAML
20 -
FortiGate v5.2
20 -
Interface
20 -
FortiPortal
18 -
Routing
18 -
FortiSwitch v6.2
17 -
Authentication
17 -
VDOM
17 -
FortiLink
16 -
FortiMonitor
15 -
RADIUS
15 -
FortiGate v5.0
14 -
Fortigate Cloud
14 -
NAT
14 -
FortiDDoS
14 -
Logging
14 -
SSL SSH inspection
13 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
11 -
Virtual IP
11 -
Application control
11 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
IP address management - IPAM
9 -
FortiManager v5.0
9 -
OSPF
9 -
4.0MR2
9 -
WAN optimization
9 -
RMA Information and Announcements
8 -
FortiSOAR
8 -
Proxy policy
8 -
FortiAnalyzer v5.0
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
Web application firewall profile
7 -
Security profile
7 -
FortiAP profile
7 -
Automation
7 -
4.0
7 -
Admin
7 -
Static route
6 -
Traffic shaping policy
6 -
trunk
6 -
IPS signature
5 -
Packet capture
5 -
Port policy
5 -
Antivirus profile
5 -
System settings
5 -
DNS Filter
5 -
FortiCache
5 -
FortiTester
5 -
FortiManager v4.0
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Traffic shaping profile
4 -
FortiPAM
4 -
Fortinet Engage Partner Program
4 -
FortiCarrier
4 -
3.6
4 -
FortiScan
4 -
DLP sensor
4 -
DoS policy
4 -
Email filter profile
3 -
Fabric connector
3 -
NAC policy
3 -
Users
3 -
Multicast routing
3 -
FortiToken Cloud
3 -
Application signature
3 -
DLP Dictionary
3 -
FortiDB
3 -
DLP profile
3 -
FortiInsight
2 -
Netflow
2 -
Protocol option
2 -
FortiNDR
2 -
FortiAI
2 -
FortiHypervisor
2 -
Schedule
2 -
Authentication rule and scheme
2 -
Explicit proxy
2 -
Internet Service Database
2 -
VoIP profile
2 -
4.0MR1
1 -
File filter
1 -
RIP
1 -
Multicast policy
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Zone
1 -
TACACS
1 -
Replacement messages
1 -
FortiManager-VM
1 -
SDN connector
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1084 | |
| 892 | |
| 535 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.