Configure DNS and WINS Servers for Mobile VPN with IKEv2

In Fireware v12.2.1 or higher, for DNS and WINS resolution on Mobile VPN with IKEv2 clients, you can:

DNS forwarding is not supported for mobile VPN clients.

For general information about how DNS works over a mobile VPN connection, see DNS and Mobile VPNs.

Assign the Network DNS Settings to Mobile Clients

In the Mobile VPN with IKEv2 configuration, you can specify that mobile clients should use the Network (global) DNS servers configured on your Firebox. This is the default option.

If you select this option, mobile clients receive the first two DNS servers and the first two WINS servers you specify in Fireware Web UI at Network > Interfaces > DNS/WINS or in Policy Manager at Network > Configuration > WINS/DNS. For example, if you specify the DNS server 10.0.2.53, mobile VPN clients use 10.0.2.53as a DNS server. Although you can specify up to three Network DNS servers, mobile VPN clients use only the first two in the list.

For mobile users to resolve internal domain names on your network, specify an internal DNS server first in the list. If you specify only a public DNS server, mobile users can resolve public domain names, but not internal domain names.

In Fireware v12.2 or lower, you cannot configure DNS and WINS settings in the Mobile VPN with IKEv2 configuration. Clients automatically receive the DNS and WINS servers specified in the Network (global) DNS/WINS settings on the Firebox. The domain name suffix is not inherited. Although you can specify up to three Network DNS servers, mobile VPN clients use only the first two in the list. For information about the Network DNS/WINS settings, see Configure Network DNS and WINS Servers.

Domain Name Suffix

In Fireware v12.9 or higher, the WatchGuard VPN client configuration files that you download from the Firebox can include a domain name suffix. Clients use the suffix to resolve local host names through the VPN.

In Fireware v12.9, for clients to inherit this suffix, you must:

  • Enter a Domain Name in the network (global) DNS settings on the Firebox.
  • In the Mobile VPN with IKEv2 configuration on the Firebox, select Assign the Network DNS/WINS settings to mobile clients.
  • Download and install the client configuration files on user devices.

For information about how to configure Mobile VPN with IKEv2 on the Firebox, see Edit the Mobile VPN with IKEv2 Configuration.

For information about VPN client configuration files, see Configure Client Devices for Mobile VPN with IKEv2.

In Fireware v12.8.x or lower, Mobile IKEv2 clients do not inherit a domain name suffix from the Firebox. To manually configure a domain name suffix in Windows, see Configure DNS server and suffix settings in IKEv2 and L2TP VPN clients in the WatchGuard Knowledge Base.

  1. Select Network > Interfaces.
    The Interfaces configuration page appears.

Screen shot of the Network Interfaces page, DNS Servers and WINS Servers section

  1. In the Domain Name text box, type the domain name suffix that IKEv2 VPN clients can use to resolve local host names through the VPN.
    In Fireware v12.9 or higher, the WatchGuard VPN client configuration files include this domain name suffix if you select Assign the Network DNS/WINS settings to mobile clients in the Mobile VPN with IKEv2 configuration.
  2. In the DNS Server or WINS Server text box, type the primary and secondary address for each DNS or WINS server.
  3. Click Add.
  4. (Optional) Repeat Steps 3–4 to specify up to three DNS servers.
  5. Click Save.

Next, configure DNS settings in the Mobile VPN with IKEv2 configuration. From Fireware Web UI v12.2.1 or higher:

  1. (Fireware v12.3 or higher) Select VPN > Mobile VPN IKEv2.
  2. In the IKEv2 section, click Configure.
    The Mobile VPN with IKEv2 configuration appears.
  3. (Fireware v12.2.1) Select VPN > Mobile VPN with IKEv2 > Configure.
    The Mobile VPN with IKEv2 configuration appears.

Screen shot of the Networking tab

  1. In the DNS Settings section, select Assign the network DNS/WINS settings to mobile clients.
  2. Click Save.
  1. Select Network > Configuration.
    The Network Configuration dialog box appears.
  2. Select the WINS/DNS tab.
    The information on the WINS/DNS tab appears.

Screen shot of the Network Configuration dialog box WINS/DNS tab

  1. In the Domain Name text box, type the domain name suffix that IKEv2 VPN clients can use to resolve local host names through the VPN.
    In Fireware v12.9 or higher, the WatchGuard VPN client configuration files include this domain name suffix if you select Assign the Network DNS/WINS settings to mobile clients in the Mobile VPN with IKEv2 configuration.
  2. In the DNS Servers text box, type the IPv4 or IPv6 address for each DNS server.
  3. Click Add.
  4. (Optional) Repeat Steps 4–5 to specify up to three DNS servers.
  5. (Optional) In the Domain Name text box, type a domain name that a DHCP client appends to unqualified host names.
  6. In the WINS Servers text boxes, type the primary and secondary IPv4 address of the WINS servers.
  7. Click OK.

Next, configure DNS settings in the Mobile VPN with IKEv2 configuration. From Policy Manager v12.2.1 or higher:

  1. (Fireware v12.3 or higher) Select VPN > Mobile VPN > Get Started.
  2. In the IKEv2 section, click Configure.
    The Mobile VPN with IKEv2 configuration appears.
  3. (Fireware v12.2.1) Select VPN > Mobile VPN > IKEv2 > Configure.

Screen shot of the Networking tab

  1. In the DNS Settings section, select one of these options:
  2. Click OK.

Assign DNS Settings From the Mobile VPN with IKEv2 Configuration to Mobile Clients

When you select the Assign these settings to mobile clients option, mobile clients use the DNS servers you specify in the Mobile VPN with IKEv2 configuration. For example, if you specify 10.0.2.53 as the DNS server, mobile clients use 10.0.2.53as the DNS server.

When you select this option, mobile clients do not use the servers specified in the Network DNS/WINS settings on the Firebox. For example, if you only specify a DNS server in the Mobile VPN with IKEv2 configuration, clients only receive that DNS server. In this scenario, if a WINS server and domain name are configured in the Network DNS settings, clients do not receive those settings.

You can specify up to two DNS server IP addresses and up to two WINS server IP addresses. You cannot specify a domain name suffix.

  1. (Fireware v12.3 or higher) Select VPN > Mobile VPN.
  2. In the IKEv2 section, click, Configure.
  3. (Fireware v12.2.1 or lower) Select VPN > Mobile VPN with IKEv2.
  4. Select Configure.
  5. In the DNS Settings section, select Assign these settings to mobile clients.

Screen shot of the DNS Settings

  1. Click Save.
  1. Select VPN > Mobile VPN > IKEv2.
  2. In the DNS Settings section, select Assign these settings to mobile clients.

Screen shot of the DNS Settings

  1. Click OK.

Do Not Assign DNS or WINS Settings to Mobile VPN Clients

When you select the Do not assign DNS or WINS settings to mobile clients option, Mobile VPN with IKEv2 clients do not receive any DNS settings from the Firebox.

See Also

Mobile VPN with IKEv2

Edit the Mobile VPN with IKEv2 Configuration

Troubleshoot Mobile VPN with IKEv2