I'm trying to use an IPsec VPN to connect and access http://xxxserver:8121/Login.aspx. For Windows, I'm able to resolve the DNS resolution problem by adding 192.168.1.xx xxxserver to the hosts file. But for mobile, I'm able to connect to the IPsec VPN, but when I try to access the system, it shows a "This site can't be reached - DNS_PROBE_FINISHED_NXDOMAIN" error. How can I solve it? I can't simply add the server and server IP to a hosts file on a mobile phone like on Windows.
Hi @pxiannie ,
Have you configured the DNS domain under the phase1-interface settings of your IPsec VPN? You may refer to the link below for further troubleshooting.
Ref: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-set-DNS-suffix-for-VPN-SSL-and-IPse...
Hi @pdelapena ,
What if I don't have a domain? This is my DNS and IPsec interface.
Regards,
Xian
Dear Xian,
Do you have an internal/private DNS server on your network that can resolve "http://xxxserver:8121/Login.aspx"?
If yes, you can set the DNS server in the IPsec dial-up tunnel configuration.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-multiple-DNS-server-for-IPSec-dial...
Created on 06-05-2024 08:59 PM Edited on 06-05-2024 09:12 PM
Hi @adimailig ,
After I set the DNS server in the IPsec dial-up tunnel configuration, the site still can't be reached on mobile, but the error changed from DNS_PROBE_FINISHED_NXDOMAIN to ERR_NAME_NOT_RESOLVED. I can ping the server IP address from the FortiGate CLI, but when I run execute ping xxxxserver it shows "Unable to resolve hostname". After I created a DNS server, it can ping the IP with the command execute ping xxxxserver.local, but I think it should be only xxxxserver. The domain can't just be left empty, so I added .local when creating the DNS entries.
Here is my current settings.
XXXX-FGT40F (phase1-interface) # show
config vpn ipsec phase1-interface
    edit "XXXX-VPN"
        set type dynamic
        set interface "TM_Unifi_VL500"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 X.X.8.188
        set ipv4-dns-server2 X.X.1.9
        set ipv4-dns-server3 8.8.8.8 (if I put 122.254.2.1 it still shows the error DNS_PROBE_FINISHED_NXDOMAIN)
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: XXXX-VPN (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "Employees"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.254
        set save-password enable
        set psksecret ENC XXXXXXXG3g==
    next
end
config system interface
    edit "XXX-VPN"
        set vdom "root"
        set ip 122.254.2.1 255.255.255.255
        set allowaccess ping https http fabric
        set type tunnel
        set remote-ip 122.254.2.1 255.255.255.255
        set snmp-index 15
        set interface "TM_Unifi_VL500"
    next
config system dns-database
    edit "local"
        set domain "local"
        config dns-entry
            edit 1
                set hostname "xxxxserver"
                set ip 192.168.1.20
            next
        end
        set primary-name "xxxxdns"
        set contact "admin"
    next
end
Regards,
Xian
Hi @adimailig ,
I'm using a public DNS server for my system server. Must it be a private DNS server?
Regards,
Xian
Hi @pxiannie ,
If you do not have an internal DNS server, you can configure the DNS service on your dial-up tunnel interface and set it to 'Recursive' mode. Next, add a DNS zone and a DNS entry for the mapping of the server hostname to its IP address.
Ref: https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/960561/fortigate-dns-server
Then, take note of the IP address of your dial-up tunnel interface in FortiGate and configure this IP as a DNS server in the phase1-interface settings.
config vpn ipsec phase1-interface
    edit <name>
        set ipv4-dns-server1 <dial-up tunnel interface IP address>
end
Regards,
Created on 06-05-2024 09:06 PM Edited on 06-05-2024 09:13 PM
Hi @pdelapena,
I already set up the DNS servers, but the site still can't be reached on mobile; the error changed from DNS_PROBE_FINISHED_NXDOMAIN to ERR_NAME_NOT_RESOLVED. Is there anything set wrongly?
config system dns-database
    edit "local"
        set domain "local"
        config dns-entry
            edit 1
                set hostname "xxxxserver"
                set ip 192.168.1.20
            next
        end
        set primary-name "xxxxdns"
        set contact "admin"
    next
end
config vpn ipsec phase1-interface
    edit "XXXX-VPN"
        set type dynamic
        set interface "TM_Unifi_VL500"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 X.X.8.188
        set ipv4-dns-server2 X.X.1.9
        set ipv4-dns-server3 8.8.8.8 (if I put 122.254.2.1 it still shows the error DNS_PROBE_FINISHED_NXDOMAIN)
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: XXXX-VPN (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "Employees"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.254
        set save-password enable
        set psksecret ENC XXXXXXXG3g==
    next
end
config system interface
    edit "XXX-VPN"
        set vdom "root"
        set ip 122.254.2.1 255.255.255.255
        set allowaccess ping https http fabric
        set type tunnel
        set remote-ip 122.254.2.1 255.255.255.255
        set snmp-index 15
        set interface "TM_Unifi_VL500"
    next
Regards,
Xian
Hi @pxiannie ,
You may have to append the ".local" in order for it to get resolved by the DNS server.
Regards,
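The thread narrows the problem to whether the client's query for the short name "xxxxserver" ever reaches the tunnel DNS server and what that server answers. The stdlib probe below, an added diagnostic example and not part of the thread, sends an A query directly to a chosen DNS server for the short name and for the FQDN and reports the response code: NXDOMAIN means the server answered but has no record for that exact name (the ".local" suffix case), while a timeout means no server was reached at all. The server IP 122.254.2.1 (the tunnel interface IP posted above) and the name xxxxserver.local are placeholders to replace with your own values.

```python
"""Minimal DNS A-record probe for checking hostname resolution over a VPN tunnel.
Added diagnostic example; 122.254.2.1 and xxxxserver.local are placeholders."""
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive A query (QTYPE=1, QCLASS=IN) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(data: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length


def parse_response(data: bytes) -> tuple:
    """Return (rcode_text, [A-record IPs]) from a raw DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    pos = 12
    for _ in range(qd):
        pos = _skip_name(data, pos) + 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[pos:pos + 4]))
        pos += rdlen
    return rcode, ips


def probe(server: str, name: str, timeout: float = 3.0) -> tuple:
    """Send one query over UDP/53; a TIMEOUT means the server was never reached."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT", []
    return parse_response(data)


if __name__ == "__main__":
    for n in ("xxxxserver", "xxxxserver.local"):  # short name vs. zone FQDN
        print(n, probe("122.254.2.1", n))
```

Run it from a device connected to the tunnel: if the FQDN returns NOERROR with 192.168.1.20 while the short name returns NXDOMAIN, the zone works and only the suffix is missing on the client.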