I have a FortiGate 60D v6.0.0 build 0076 (GA)
interface v31 192.168.31.1/24
I have DNS configured
    config system dns-server
        edit "v31"
        next
        edit "OSPF"
        next
        edit "ssl.root"
        next
    end
(These are all set to recursive; not sure why it doesn't show up in the config.)
    config system dns-database
        edit "Townhouse"
            set domain "th.harr.io"
            set source-ip 192.168.31.1
            config dns-entry
                edit 1
                    set hostname "CLP-325W"
                    set ip 192.168.31.49
                next
                ....
            end
            set primary-name "fw.th.harr.io"
            set contact "REMOVED"
        next
        edit "haven2.local"
            set domain "haven2.local"
            set authoritative disable
            set forwarder "192.168.1.1"
            set source-ip 192.168.31.1
        next
    end
It works from the v31 interface, the OSPF interface and the SSL interface. However, I have an IPSEC tunnel (in policy mode) and I cannot get the remote side to be able to use the DNS server. The policy is wide open:
    config firewall policy
        edit 8
            set name "IPSEC to H2"
            set uuid c5b4e622-67a8-51e8-f7ef-f1a2eec092f6
            set srcintf "v31"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "192.168.0.0 [DMZ_H2]" "192.168.1.0 [INTERNAL_H2]"
            set action ipsec
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set inbound enable
            set vpntunnel "h2"
        next
    end
Is there a way to allow the remote side (192.168.0.0/24 and 192.168.1.0/24) to access the FortiGate DNS server on 192.168.31.1? The remote side is set to forward; however, even a simple nslookup fw.th.harr.io 192.168.31.1 on the remote side fails. I also cannot use IPSEC in interface mode as the remote side does not support it.
Ended up converting the IPSEC tunnel to Interface mode. Added the interface to the dns-server list and now everything works. Not sure how to get it to work in policy mode as there is no interface to add to the dns-server config.
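Since the fix was to give the tunnel an interface, here is an added, constructed FortiOS CLI sketch of that end state (not the poster's configuration): an interface-mode phase1/phase2, a static route for the remote subnets, the tunnel interface added to dns-server, and an inbound policy narrowed to DNS instead of ALL. The peer address 203.0.113.10, the PSK placeholder, the /23 selector and the policy details are assumptions.

```fortios
# Interface-mode tunnel: gives the FortiGate an ingress interface for the DNS listener.
config vpn ipsec phase1-interface
    edit "h2"
        set interface "wan1"
        set remote-gw 203.0.113.10          # assumed peer address (documentation range)
        set psksecret "REPLACE_WITH_PSK"    # placeholder, never commit a real PSK
    next
end
config vpn ipsec phase2-interface
    edit "h2"
        set phase1name "h2"
        set src-subnet 192.168.31.0 255.255.255.0
        # /23 covers 192.168.0.0/24 and 192.168.1.0/24; must match the peer's selectors,
        # otherwise split into two phase2 entries.
        set dst-subnet 192.168.0.0 255.255.254.0
    next
end
# Route the remote subnets into the tunnel interface.
config router static
    edit 0
        set dst 192.168.0.0 255.255.254.0
        set device "h2"
    next
end
# The step that has no equivalent in policy mode: let the DNS service listen
# on the tunnel interface (queries to 192.168.31.1 now arrive on "h2").
config system dns-server
    edit "h2"
        set mode recursive
    next
end
# Forwarded traffic from the tunnel into the v31 LAN, limited to DNS rather than ALL;
# queries to the FortiGate's own IP are local-in and are enabled by the dns-server entry above.
config firewall policy
    edit 0
        set name "H2 to v31 DNS"
        set srcintf "h2"
        set dstintf "v31"
        set srcaddr "192.168.0.0 [DMZ_H2]" "192.168.1.0 [INTERNAL_H2]"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set logtraffic all
    next
end
```

Widen the policy's service list only as the remote side actually needs; the DNS listener itself depends on the dns-server entry, not on the policy.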