topic Re: VPN - DNS Lookup in Firewall and Security Management

VPN - DNS Lookup

carlos_luz — Sun, 02 Jul 2023 12:48:35 GMT

VPN - DNS Lookup

I have a costumer and in your enverioment, he has one SDWAN before the gatewy with 2 ISP (with to FQDN VPN). In the gateway i have only one external interface with private IP.

Exempla:

vpn.xpto.com vpn2.xpto.com

IPS1 ISP2

SDWAN

PrivateIP

Gateway

Internal Network

Then i needed to put both FQDN to work and so many test, i could after change some options option in GuiDBedit and VPN Selection. And one determinate order:

First i changed in VPN Settings > Link Selection > "Source IP address settings...", i select "IP address of chosen interface":

After i changed in VPN Settings > Link Selection > "Outgoing Route Selection" and "Setup", i select "IP address of chosen interface":

And the last changed i open GuiDGedit, set option "dnsLookup" in both field "ip_resolution_mechanism" and "ip_resolution_mechanism_GW" (theses fields are in "Network Objects" > Object Gateway.

After theses changed, the VPN work fine and stable, but i found some bugs in interface, automaticly the option "Use Dns resolving" is checked and when i open the option"Link Selection" , the interface ask about one value, case i ignore this popup, the VPN continuos work fine, but alwauys i open this option alert about the problem.

How this case, i have others cases where the config work, but i didn't find any documentation, one example is option "Calculate IP based on network topology" in Link Selection, this option permit balancing VPN over multi links, and this option has a poor documentation.

Sorry for the English, but I'm training to improve, the environment is in version R81.10 take 66. The prints for the post I took inside Demopoint in version R81.20, I can't validate if this function works well in other versions.

This post is for information purposes only and not to complain or help, I am available in case of doubt.

Carlos Luz
CCSA, CCSE, CCTE

Re: VPN - DNS Lookup

PhoneBoy — Mon, 03 Jul 2023 19:40:24 GMT

I believe Calculate IP Based on Network Topology will use the interface that is "closest" to the remote endpoint.
This is likely a combination of the device routing table and the topology information configured for the remote gateway.

For what it's worth, in R82, we are expecting to simplify all this.

Re: VPN - DNS Lookup

carlos_luz — Tue, 04 Jul 2023 04:13:50 GMT

Hello PhoneBoy, yes, with Caculate option i can use routes to chose the interface and IP interface what i use in VPN.

But we dont have any documentation about this or cases of use.

Re: VPN - DNS Lookup

PhoneBoy — Wed, 05 Jul 2023 13:54:09 GMT

All of the options here control what IP address is used to initiate a VPN with a remote peer.
Unless the peer is accessible via an internal interface, "Calculate IP based on network topology" will generally result in the external (cluster) IP being used.
This is the default setting.

Note the settings here apply to ALL VPN peers.
If you have multiple VPN peers that each require a different IP to be used for different peers, then you will need to use one of the options.

As I stated previously, we are planning to revamp these options in R82 to simplify things.