JvLeur
New Contributor

IKEv2 MacOS split DNS

Hi,

When a non-FortiClient macOS user connects to IKEv2 IPsec, they have issues with split-tunnel DNS.
DNS queries are only using the tunnel when using dig and implicitly querying a specific DNS server.
This causes issues with other traffic.

dig quanza-eun-ufg71.q @172.28.8.53
;; QUESTION SECTION:
;quanza-eun-ufg71.q. IN A

;; ANSWER SECTION:
quanza-eun-ufg71.q. 86401 IN A 172.28.8.139

;; SERVER: 172.28.8.53#53(172.28.8.53)

With IPsec tunnel:

ping quanza-eun-ufg71.q
ping: cannot resolve quanza-eun-ufg71.q: Unknown host

dig quanza-eun-ufg71.q
;; QUESTION SECTION:
;quanza-eun-ufg71.q. IN A

;; SERVER: 172.20.10.1#53(172.20.10.1)

I have checked the debug of the IPsec tunnel initiation and do not see an obvious difference.
Both FortiClient and non-FortiClient connections acquire the DNS servers in the mode-cfg.

This issue does not occur with IKEv1.

 

funkylicious
SuperUser

hi,

When connecting to IPsec, you need to confirm that the DNS servers are installed/propagated into the local DNS file/server (/etc/resolv.conf) and that they overwrite the existing ones, or are at least appended to the existing ones.

If not, I would start from there and look in the system logs.

 

Later edit: if you can, post a sanitized config of the IPsec VPN IKEv2 and I will try to replicate it in my lab and on my macOS machine.

"jack of all trades, master of none"
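The check suggested in the reply above, as an added example that is not part of the thread: a POSIX shell script that confirms whether the DNS servers pushed by the FortiGate in mode-cfg actually reached the client's resolver configuration. On macOS, /etc/resolv.conf mirrors only the primary resolver, so a server that was installed as a per-interface (scoped) resolver for the VPN interface does not appear there, and dig (which reads /etc/resolv.conf) never uses it; `scutil --dns` lists every resolver the system knows about. The script parses scutil-style text and classifies each server from JvLeur's phase1 config (172.28.8.53, 172.28.9.53) as global, scoped or missing. The embedded scutil output is constructed sample data, and the VPN interface name ipsec0 in it is an assumption; on a Mac the script reads the live `scutil --dns` output instead.

```shell
#!/bin/sh
# Added example (not from the thread). Checks whether the mode-cfg DNS servers
# from the FortiGate reached the macOS resolver configuration.
# /etc/resolv.conf only mirrors the primary resolver; scoped (per-interface)
# resolvers are visible only through `scutil --dns`.

EXPECTED_DNS="172.28.8.53 172.28.9.53"   # ipv4-dns-server1/2 from JvLeur's config

# Constructed sample in the layout of `scutil --dns`, standing in for a live run.
# Resolver #1 is the Wi-Fi (primary) resolver that /etc/resolv.conf shows;
# resolver #2 is a scoped resolver for the VPN interface (ipsec0 is an assumption).
SAMPLE_SCUTIL='DNS configuration

resolver #1
  search domain[0] : q
  nameserver[0] : 172.20.10.1
  if_index : 14 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  nameserver[0] : 172.28.8.53
  nameserver[1] : 172.28.9.53
  if_index : 20 (ipsec0)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)
'

# Print the resolver numbers (e.g. "#1") in which nameserver $1 appears.
# Reads scutil-style text on stdin.
resolvers_with_ns() {
  ns="$1"
  awk -v ns="$ns" '
    /^resolver #/ { cur = $2 }
    /^[ \t]*nameserver\[[0-9]+\] :/ && $NF == ns { print cur }
  '
}

# Classify where nameserver $1 landed in the scutil text $2:
#   global  -> in resolver #1, i.e. what /etc/resolv.conf and dig use
#   scoped  -> only in a per-interface resolver; dig and resolv.conf do not see it
#   missing -> not installed at all
classify_ns() {
  ns="$1"; text="$2"
  hits=$(printf '%s' "$text" | resolvers_with_ns "$ns")
  case "$hits" in
    "")      echo missing ;;
    *"#1"*)  echo global ;;
    *)       echo scoped ;;
  esac
}

# One line per expected server: "<ip> <global|scoped|missing>".
check_pushed_dns() {
  text="$1"
  for ns in $EXPECTED_DNS; do
    printf '%s %s\n' "$ns" "$(classify_ns "$ns" "$text")"
  done
}

# Use the live system when scutil exists (macOS); otherwise fall back to the sample.
if command -v scutil >/dev/null 2>&1; then
  DNS_TEXT=$(scutil --dns)
else
  DNS_TEXT=$SAMPLE_SCUTIL
fi
check_pushed_dns "$DNS_TEXT"
```

Run it once before and once after connecting the native IKEv2 client: a result of "global" means the tunnel DNS servers replaced or joined the primary resolver (what FortiClient achieves by rewriting /etc/resolv.conf), "scoped" means they were installed but only for lookups bound to the VPN interface, and "missing" means the client never applied the mode-cfg attributes at all, which points at the client or the negotiation rather than at resolv.conf.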
JvLeur

Hi,

Thank you for your quick response. 
The resolv.conf contains both DNS servers with FortiClient but not with the native client.

I will check the logs.

 

FortiClient:
jeroenvl:log/ $ cat /etc/resolv.conf [13:04:08]
search q
nameserver 172.28.8.53
nameserver 172.28.9.53

 

Native:

jeroenvl:log/ $ cat /etc/resolv.conf [13:12:45]
nameserver 172.20.10.1



Regarding the configuration, it is quite plain, but here it is (sanitized).


config vpn ipsec phase1-interface
    edit "QDIPS"
        set type dynamic
        set interface "VLAN709_OUTSIDE"
        set ike-version 2
        set keylife 28800
        set peertype one
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 172.28.8.53
        set ipv4-dns-server2 172.28.9.53
        set proposal aes256-sha512 aes256-sha384 aes256-sha256
        set dpd on-idle
        set comments "Quanza Engineers & NOC Dialup VPN"
        set dhgrp 20 19
        set eap enable
        set eap-identity send-request
        set authusrgrp "QUANZA_EMPLOYEES"
        set peerid "QDIPS"
        set ipv4-start-ip 172.28.12.1
        set ipv4-end-ip 172.28.12.127
        set ipv4-netmask 255.255.255.128
        set ipv4-split-include "QUANZA_ENGINEERS_ACCESSIBLE_LANS_VIA_IPSEC_VPN"
        set psksecret ENC <omitted>
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "QDIPS"
        set phase1name "QDIPS"
        set proposal aes256-sha512 aes256-sha384 aes256-sha256
        set dhgrp 20
        set keepalive enable
        set keylifeseconds 3600
    next
end

Please let me know if you need more information.

Best Regards,

Jeroen

funkylicious

I followed this guide, https://community.fortinet.com/t5/FortiGate/Technical-Tip-Apple-IOS-native-VPN-using-IKEv2-connectio..., and for me it works just fine (I added my custom DNS server manually, which is not in the guide).

I can see the DNS server in /etc/resolv.conf (just it alone when I connect, and the default after disconnect) and in System Settings in the VPN profile under DNS servers upon connection.

"jack of all trades, master of none"
JvLeur

What do you mean with manually? Where did you add it?
The configuration is similar to mine.

funkylicious

Meaning in the guide the DNS is set to auto, which, if I'm not mistaken, refers to the "Use system DNS" setting in mode config; but this setting would have pushed the DNS servers from the FGT (which are public ones), which I didn't want.

 

config vpn ipsec phase1-interface
    edit "APPLE"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set ipv4-dns-server1 192.168.200.201
        set proposal aes128-sha256 aes256-sha256
        set localid "APPLE-VPN"
        set negotiate-timeout 300
        set dpd on-idle
        set dhgrp 14
        set eap enable
        set eap-identity send-request
        set ipv4-start-ip 100.64.255.10
        set ipv4-end-ip 100.64.255.20
        set ipv4-split-include "LAN"
        set psksecret PSK
        set dpd-retryinterval 60
    next
end

 

"jack of all trades, master of none"
JvLeur

Understood. As you can see in my sanitized configuration, I had dns-mode set to manual and the DNS servers were added.
However, they do not appear in my resolv.conf.

With my IKEv1 setup they are not added either, but I don't have the same problem with IKEv1.

IKEv1 resolv.conf:

~ cat /etc/resolv.conf
search q
nameserver 172.20.10.1

funkylicious

I would troubleshoot this at the OS level in the logs, since FortiClient isn't used, so it's system-related.

I am running macOS 15.7.2 on my laptop.

"jack of all trades, master of none"
JvLeur

I will troubleshoot at the system level. Thank you. The same macOS version is running on my laptop.
