- CheckMates
dns request not passing on s2s vpn
Hello
I configured an s2s VPN between Check Point (R80.10) and a Sophos XG firewall. The networks behind Sophos can access our networks, but DNS requests are not working. The Sophos network can ping the DNS server, but cannot resolve names. I took some dumps and saw that Sophos sent the DNS request, Check Point received the DNS request and sent it to the DNS server, the DNS server answered the request, and Check Point sent the DNS answer to Sophos. But I cannot see the DNS answer with tcpdump on Sophos. When I checked the logs, I saw these logs:
Based on your TCP dump, your DNS traffic is leaving in the clear and not passing through the VPN tunnel. I think you need to configure the DNS implied rules in Global Properties to be set to Last or Before Last (any traffic that matches implied rules will not be encrypted) and make sure you have a rule configured in the policy to allow DNS.
The log that you attached doesn't give me much information because I don't see which protocol or ports; it means you have a key management issue and the Check Point tried to encrypt the packet but it doesn't have a key for it. You need to run vpnd and IKE debug to see which side is deleting the keys and make sure that the encryption domains are configured correctly on both sides.
Thanks
I am attaching the log screen again. I have already enabled "Accept domain name over UDP", but nothing changed.
How can I understand that traffic entered the VPN tunnel with tcpdump? What must I see on the log screen?
Start here: Troubleshooting "No valid SA" error
It seems to be a key management issue. For some reason the peer is sending traffic using a key that no longer exists on the Check Point gateway.
You might need a TAC ticket. Double check the encryption domains on both sides and try IKEv1 to make troubleshooting easier.
If the encryption domain is correct and Check Point is proposing the correct network IDs, try Scenario 4 from the following SK
Hi
Our version is R80.10 Take 112, and the problem is solved for our version in Scenario 4 of the SK which you mentioned.
I saw that I can see traffic in the in and out directions when the remote side sends DNS traffic (the traffic was accepted by the implied rule).
When we monitored with fw monitor, I saw incoming traffic but I couldn't see outgoing traffic for the DNS traffic.
I realized that if the remote side sends ICMP traffic, everything is OK; I can see incoming and outgoing traffic.
I saw some SPI deletions. I don't know if that is normal or not.
Thanks
You are filtering for the private IPs. You need wide open packet captures. When traffic gets encrypted you see ESP packets with the public IPs of the firewalls. R80.10 has the following inspection points: i I o O e E (R77.30 has i I o O).
The traffic will be encrypted between e and E.
For the SA deletion, as long as both sides delete the keys based on the request and negotiate new keys, that should be OK; we need to avoid a situation where one side deleted a key and the other side is still using it for encryption.
Thanks
Hello
I took a new dump. I can't see the "eE" state. Our version is R80.10. Is that normal?
Remote side dump:
You are still filtering. You need to run fw monitor without a filter, dump it to a file, and then review it in Wireshark.
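As an added example (not code from this thread or from Check Point), here is a small Python triage script for the two points made in the reply above and in this one: it parses unfiltered fw monitor text output, maps each flow to the R80.10 inspection points it reached (i I o O e E), and shows why a capture filtered on a private IP can never contain the ESP packet seen at E. The header-line layout and all addresses in the sample capture are constructed assumptions, not taken from the thread.

```python
import re

# One fw monitor header line (layout approximated from R80.x text output, constructed here).
LINE_RE = re.compile(
    r'^(?:\[vs_\d+\]\[fw_\d+\]\s*)?(?P<ifc>[\w.-]+):(?P<point>[iIoOeE])\[\d+\]:\s*'
    r'(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)\s*\((?P<proto>\w+)\)')
POINTS = "iIoOeE"  # R80.10 inspection-point order; R77.30 has only i I o O

# Constructed, unfiltered capture: a DNS answer and an ICMP echo reply heading back to
# the remote VPN domain. 203.0.113.1 / 198.51.100.1 are assumed public gateway IPs.
SAMPLE = """\
[vs_0][fw_0] eth1:i[72]: 10.10.0.10 -> 10.20.0.5 (UDP) len=72 id=17
[vs_0][fw_0] eth1:I[72]: 10.10.0.10 -> 10.20.0.5 (UDP) len=72 id=17
[vs_0][fw_0] eth1:i[84]: 10.10.0.10 -> 10.20.0.5 (ICMP) len=84 id=18
[vs_0][fw_0] eth1:I[84]: 10.10.0.10 -> 10.20.0.5 (ICMP) len=84 id=18
[vs_0][fw_0] eth0:o[84]: 10.10.0.10 -> 10.20.0.5 (ICMP) len=84 id=18
[vs_0][fw_0] eth0:O[84]: 10.10.0.10 -> 10.20.0.5 (ICMP) len=84 id=18
[vs_0][fw_0] eth0:e[84]: 10.10.0.10 -> 10.20.0.5 (ICMP) len=84 id=18
[vs_0][fw_0] eth0:E[140]: 203.0.113.1 -> 198.51.100.1 (ESP) len=140 id=19
"""

def parse_fw_monitor(text):
    """Return (ifc, point, src, dst, proto) for every packet header line; other lines are skipped."""
    hits = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(m['ifc'], m['point'], m['src'], m['dst'], m['proto']) for m in hits if m]

def host_filter(pkts, ip):
    """Mimic a capture filtered on one address: keep only packets that name it."""
    return [p for p in pkts if ip in (p[2], p[3])]

def audit_flows(pkts):
    """Map each (src, dst, proto) flow to the points it reached plus a verdict: e means handed
    to the VPN for encryption; o/O without e means it left in the clear; only i/I means not forwarded."""
    seen = {}
    for _ifc, point, src, dst, proto in pkts:
        seen.setdefault((src, dst, proto), set()).add(point)
    report = {}
    for flow, pts in seen.items():
        path = ''.join(p for p in POINTS if p in pts)
        if flow[2] == 'ESP':
            verdict = 'ESP on the wire'
        elif 'e' in pts:
            verdict = 'encrypted'
        elif pts & {'o', 'O'}:
            verdict = 'sent in clear'
        else:
            verdict = 'no outbound seen'
        report[flow] = (path, verdict)
    return report
```

In the sample the ICMP reply reaches e and appears again at E as ESP between the public IPs, while the DNS answer stops at I, which is the pattern described earlier in the thread; filtering on 10.20.0.5 drops the ESP line entirely.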
