USG Flex 700 / VPN

Hello,

I have some questions about VPN connections on a USG Flex 700, in "on premise" configuration.

The USG is connected to a distant site by an IPsec tunnel with VTI configuration (and static routes). On LAN, we have some VLAN, and only one (VLAN20) must access the distant network through the tunnel. The distant servers must be joined too by DNS names. The DNS distributed on VLAN20's DHCP is the Zywall.

About DNS : On the router, in configuration → system → DNS and in the "Domain Zone Forward" I have written the two DNS servers on the distant network, but when I try to ping a server from VLAN20 with his name that doesn't work. If I setup the DNS with the adress of the distant servers, no problem (and tried on a PC with "host" file, works too), but for me It's not a good way to manage It.

About VPN : We have to setup mobile VPN on the Flex 700, but the clients on this VPN must access the distant network over the IPSEC VTI tunnel. For the moment that doesn't work but I think because on the distant router (which I don't manage) there isn't a static route for the subnet used by the mobile VPN, to make back route working. But I'm asking myself if there is a particular configuration for connexion between VPN ? I have another interrogation about that : the SSL VPN give addresses to clients on a subnet but L2TP over IPsec give addresses on a range. Will It work in the same way, no matter the mobile VPN solution chosen ? Usually I use SSL VPN but my customer use Apple Mac and It seems to me the SSL VPN Mac software is not free unlike PC software.

About Nebula : I know there is no SSL VPN available on Nebula, so If the L2TP over IPsec must be used, is it better to do it on premise or Nebula mode ?

Thanks a lot :D

Regards