Support Forum
pxiannie
New Contributor III

How to solve DNS resolution in android and iOS mobile using IPsec VPN?

I'm trying to use IPsec VPN to connect and access http://xxxserver:8121/Login.aspx . For Windows, I was able to solve the DNS resolution problem by adding "192.168.1.xx xxxserver" to the hosts file. But on mobile, I'm able to connect to the IPsec VPN, but when I try to access the system, it shows "This site can't be reached - DNS_PROBE_FINISHED_NXDOMAIN". How can I solve it? I can't simply add the server name and server IP to a hosts file on a mobile phone like on Windows.

Labels: FortiClient, FortiGate

8 REPLIES
pdelapena
Staff

Hi @pxiannie ,

Have you configured the DNS domain under the phase1-interface settings of your IPsec VPN? You may refer to the link below for further troubleshooting.

Ref : https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-set-DNS-suffix-for-VPN-SSL-and-IPse...

Paulo Dela Pena
pxiannie
New Contributor III

Hi @pdelapena ,

What if I don't have a domain? These are my DNS and IPsec interface settings:

[image: dns.png]
[image: ipsec vpn.png]

Regards,
Xian
adimailig

Dear Xian,

Do you have an internal/private DNS server on your network that can resolve "http://xxxserver:8121/Login.aspx"?
If yes, you can set that DNS server in the IPsec dial-up tunnel configuration.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-multiple-DNS-server-for-IPSec-dial...

Best Regards,

Arnold Dimailig
TAC Engineer
pxiannie
New Contributor III

Hi @adimailig , 

After I set the DNS server in the IPsec dial-up tunnel configuration, the site still can't be reached on mobile, but the error changed from DNS_PROBE_FINISHED_NXDOMAIN to ERR_NAME_NOT_RESOLVED. I can ping the server IP address from the FortiGate CLI, but when I execute "ping xxxxserver" it shows "Unable to resolve hostname". After I created a DNS server, "execute ping xxxxserver.local" can ping the IP, but I think it should be just "xxxxserver". The domain can't be left empty, so I added .local when creating the DNS entries.

Here is my current settings.

XXXX-FGT40F (phase1-interface) # show
config vpn ipsec phase1-interface
    edit "XXXX-VPN"
        set type dynamic
        set interface "TM_Unifi_VL500"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 X.X.8.188
        set ipv4-dns-server2 X.X.1.9
        set ipv4-dns-server3 8.8.8.8   (if I put 122.254.2.1 here it still shows DNS_PROBE_FINISHED_NXDOMAIN)
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: XXXX-VPN (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "Employees"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.254
        set save-password enable
        set psksecret ENC XXXXXXXG3g==
    next
end

config system interface
    edit "XXX-VPN"
        set vdom "root"
        set ip 122.254.2.1 255.255.255.255
        set allowaccess ping https http fabric
        set type tunnel
        set remote-ip 122.254.2.1 255.255.255.255
        set snmp-index 15
        set interface "TM_Unifi_VL500"
    next
end

config system dns-database
    edit "local"
        set domain "local"
        config dns-entry
            edit 1
                set hostname "xxxxserver"
                set ip 192.168.1.20
            next
        end
        set primary-name "xxxxdns"
        set contact "admin"
    next
end

[image: dns sett.png]

Regards,
Xian

pxiannie
New Contributor III

Hi @adimailig ,

I'm using a public DNS server for my system server. Must it be a private DNS server?

Regards,
Xian

pdelapena

Hi @pxiannie ,

If you do not have an internal DNS server, you can enable the DNS service on your dial-up tunnel interface and set it to 'Recursive' mode. Next, add a DNS zone and a DNS entry that maps the server hostname to its IP address.

Ref : https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/960561/fortigate-dns-server

Then, take note of the IP address of your dial-up tunnel in FortiGate and configure this IP as a DNS server in the phase1-interface settings.

config vpn ipsec phase1-interface
    edit <name>
        set ipv4-dns-server1 <dial-up tunnel interface IP address>
    next
end

Regards,

Paulo Dela Pena
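The steps in the reply above, collected into one complete FortiOS CLI fragment. This is an added example, not configuration from the thread or from Fortinet documentation. It reuses the thread's tunnel name "XXXX-VPN" (the phase1-interface and the system interface must share one name), the host "xxxxserver" and its address 192.168.1.20, and the 10.10.10.1-10.10.10.254 client pool. The tunnel interface address 10.10.11.1 (with 10.10.11.2 as its remote-ip) and the DNS suffix "vpn.example" are assumed values chosen for the example; substitute your own.

```text
# Added example (not from the thread). 10.10.11.1/10.10.11.2 and "vpn.example"
# are assumed values; "XXXX-VPN", "xxxxserver" and 192.168.1.20 come from the thread.

# 1. Give the tunnel interface a fixed address outside the client pool. Clients
#    will send their DNS queries to this address through the tunnel.
config system interface
    edit "XXXX-VPN"
        set ip 10.10.11.1 255.255.255.255
        set remote-ip 10.10.11.2 255.255.255.255
    next
end

# 2. Run the FortiGate DNS service on that interface in recursive mode: names in
#    the local zone are answered from the zone below, everything else is
#    forwarded to the FortiGate's system DNS servers.
config system dns-server
    edit "XXXX-VPN"
        set mode recursive
    next
end

# 3. Local zone holding the A record. View "shadow" means the zone is only served
#    on interfaces where the DNS service is enabled (step 2).
config system dns-database
    edit "vpn"
        set domain "vpn.example"
        set type primary
        set view shadow
        set primary-name "xxxxdns"
        config dns-entry
            edit 1
                set type A
                set hostname "xxxxserver"
                set ip 192.168.1.20
            next
        end
    next
end

# 4. Push both the DNS server and the default DNS suffix to dial-up clients via
#    mode-config. A client that honours the suffix turns the short name
#    "xxxxserver" into the query "xxxxserver.vpn.example", which the zone answers.
config vpn ipsec phase1-interface
    edit "XXXX-VPN"
        set mode-cfg enable
        set dns-mode manual
        set ipv4-dns-server1 10.10.11.1
        set domain "vpn.example"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.254
    next
end
```

Checks worth doing after applying this: from a connected phone, open http://xxxxserver.vpn.example:8121/Login.aspx first; if the fully qualified name works but the short name still fails, the mobile client is not applying the pushed suffix and the FQDN is the practical fallback. On the FortiGate, `diagnose sniffer packet XXXX-VPN 'udp port 53' 4` shows whether the phone's queries actually arrive at the tunnel interface; if split tunneling is configured, the DNS server address must lie inside an `ipv4-split-include` subnet or the queries never enter the tunnel. A firewall policy from XXXX-VPN to the internal LAN is still required for the HTTP traffic to 192.168.1.20:8121. The example deliberately avoids the ".local" suffix used in the thread: ".local" is reserved for multicast DNS (RFC 6762), and iOS and Android may resolve such names via mDNS on the local link instead of sending them to the VPN's unicast DNS server.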
pxiannie
New Contributor III

Hi @pdelapena,

I already set up the DNS servers, but the site still can't be reached on mobile; the error changed from DNS_PROBE_FINISHED_NXDOMAIN to ERR_NAME_NOT_RESOLVED. Is anything set wrongly?

config system dns-database
    edit "local"
        set domain "local"
        config dns-entry
            edit 1
                set hostname "xxxxserver"
                set ip 192.168.1.20
            next
        end
        set primary-name "xxxxdns"
        set contact "admin"
    next
end

config vpn ipsec phase1-interface
    edit "XXXX-VPN"
        set type dynamic
        set interface "TM_Unifi_VL500"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 X.X.8.188
        set ipv4-dns-server2 X.X.1.9
        set ipv4-dns-server3 8.8.8.8   (if I put 122.254.2.1 here it still shows DNS_PROBE_FINISHED_NXDOMAIN)
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: XXXX-VPN (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "Employees"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.254
        set save-password enable
        set psksecret ENC XXXXXXXG3g==
    next
end

config system interface
    edit "XXX-VPN"
        set vdom "root"
        set ip 122.254.2.1 255.255.255.255
        set allowaccess ping https http fabric
        set type tunnel
        set remote-ip 122.254.2.1 255.255.255.255
        set snmp-index 15
        set interface "TM_Unifi_VL500"
    next
end

[image: dns sett.png]

Regards,
Xian

pdelapena

Hi @pxiannie ,

You may have to append the ".local" in order for it to get resolved by the DNS server.

Regards,

Paulo Dela Pena