https://community.checkpoint.com/t5/Spark-Firewall-SMB/DNS-traffic-using-S2S-VPN-is-not-working/m-p/159951#M7601 <P>Good morning,</P><P>I have two checkpoint 750 and 730 devices connected to each other using VPN S2S.</P><P>IP traffic using VPN works without problem. I can access devices on the LAN from either side.</P><P>From the CP750 side, I have an Exchange Server 2019 ST server.</P><P>When Outlook is on the LAN, the CP730 cannot connect to Exchange Server 2019 because it does not send DNS queries via VPN.</P><P>How to configure the CP 750 and 730 for DNS queries to be sent over the S2S VPN tunnel.</P> Wed, 19 Oct 2022 12:27:31 GMT luk89as 2022-10-19T12:27:31Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/DNS-traffic-using-S2S-VPN-is-not-working/m-p/159951#M7601 <P>Good morning,</P><P>I have two checkpoint 750 and 730 devices connected to each other using VPN S2S.</P><P>IP traffic using VPN works without problem. I can access devices on the LAN from either side.</P><P>From the CP750 side, I have an Exchange Server 2019 ST server.</P><P>When Outlook is on the LAN, the CP730 cannot connect to Exchange Server 2019 because it does not send DNS queries via VPN.</P><P>How to configure the CP 750 and 730 for DNS queries to be sent over the S2S VPN tunnel.</P> Wed, 19 Oct 2022 12:27:31 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/DNS-traffic-using-S2S-VPN-is-not-working/m-p/159951#M7601 luk89as 2022-10-19T12:27:31Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/DNS-traffic-using-S2S-VPN-is-not-working/m-p/159952#M7602 <P>There is an advanced setting which if enabled will provide the behaviour as your describing.</P> <P>&nbsp;"Do not encrypt local DNS requests"</P> <P>Worth checking before exploring elsewhere.</P> Wed, 19 Oct 2022 12:41:27 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/DNS-traffic-using-S2S-VPN-is-not-working/m-p/159952#M7602 Chris_Atkinson 2022-10-19T12:41:27Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/DNS-traffic-using-S2S-VPN-is-not-working/m-p/159955#M7603 <P>In the advanced settings, I have set the following options:</P><P>Global VPN Site to Site settings - do not encrypt local DNS requests - TRUE</P><P>I set the setting as always about CP730 and CP 750.</P><P>Even so, I still don't have DNS traffic over the S2S VPN. You can see in the logs that it is encrypted.</P> Wed, 19 Oct 2022 13:06:58 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/DNS-traffic-using-S2S-VPN-is-not-working/m-p/159955#M7603 luk89as 2022-10-19T13:06:58Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/DNS-traffic-using-S2S-VPN-is-not-working/m-p/159957#M7604 <P>The other advanced option that may apply is:</P> <P>"Do not encrypt connections originating from the local gateway"</P> <P>Failing this if all other VPN parameters check out and you're on the latest build of R77.20.87 I would discuss it further with TAC.</P> Wed, 19 Oct 2022 13:54:34 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/DNS-traffic-using-S2S-VPN-is-not-working/m-p/159957#M7604 Chris_Atkinson 2022-10-19T13:54:34Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/DNS-traffic-using-S2S-VPN-is-not-working/m-p/159965#M7606 <P>In each of the configuration pages, for these two settings to be set to TRUE.</P><P>Screen in the appendix.</P><P>I don't know if it matters, but the S2S VPN connection is made using certificates.</P><P>Even though you select the option that it does not encrypt DNS traffic it does otherwise.</P><P>The log shows that traffic from the CP730 LAN is blocked on the CP 750 side.</P><P>Maybe a rule in the firewall needs to be created?</P> Wed, 19 Oct 2022 13:37:03 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/DNS-traffic-using-S2S-VPN-is-not-working/m-p/159965#M7606 luk89as 2022-10-19T13:37:03Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/DNS-traffic-using-S2S-VPN-is-not-working/m-p/159967#M7607 <P>Are both centrally managed? If so, check option in global properties "accept domain name over..."</P> Wed, 19 Oct 2022 13:44:27 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/DNS-traffic-using-S2S-VPN-is-not-working/m-p/159967#M7607 the_rock 2022-10-19T13:44:27Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/DNS-traffic-using-S2S-VPN-is-not-working/m-p/160023#M7610 <P><BR />I started unencrypted DNS traffic over VPN.</P><P>In the S2S VPN settings I checked the option: "Allow traffic to the internet from remote site through this gateway."</P><P>I applied the setting to both Checkpoint devices.</P> Thu, 20 Oct 2022 06:24:44 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/DNS-traffic-using-S2S-VPN-is-not-working/m-p/160023#M7610 luk89as 2022-10-20T06:24:44Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/DNS-traffic-using-S2S-VPN-is-not-working/m-p/160088#M7619 <P>Do Not Encrypt Local DNS Requests of TRUE means that DNS requests won't be encrypted (sent over VPN).<BR />What happens when you make it FALSE?</P> Thu, 20 Oct 2022 19:40:41 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/DNS-traffic-using-S2S-VPN-is-not-working/m-p/160088#M7619 PhoneBoy 2022-10-20T19:40:41Z