This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
luk89as
Participant
‎2022-10-19 05:27 AM

DNS traffic using S2S VPN is not working

Good morning,

I have two checkpoint 750 and 730 devices connected to each other using VPN S2S.

IP traffic using VPN works without problem. I can access devices on the LAN from either side.

From the CP750 side, I have an Exchange Server 2019 ST server.

When Outlook is on the LAN, the CP730 cannot connect to Exchange Server 2019 because it does not send DNS queries via VPN.

How to configure the CP 750 and 730 for DNS queries to be sent over the S2S VPN tunnel.

0 Kudos
7 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-10-19 05:41 AM

There is an advanced setting which if enabled will provide the behaviour as your describing.

 "Do not encrypt local DNS requests"

Worth checking before exploring elsewhere.

CCSM R77/R80/ELITE
0 Kudos
luk89as
Participant
‎2022-10-19 06:05 AM
In response to Chris_Atkinson

In the advanced settings, I have set the following options:

Global VPN Site to Site settings - do not encrypt local DNS requests - TRUE

I set the setting as always about CP730 and CP 750.

Even so, I still don't have DNS traffic over the S2S VPN. You can see in the logs that it is encrypted.

Preview file
41 KB
Preview file
47 KB
Preview file
17 KB
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-10-19 06:15 AM
In response to luk89as

The other advanced option that may apply is:

"Do not encrypt connections originating from the local gateway"

Failing this if all other VPN parameters check out and you're on the latest build of R77.20.87 I would discuss it further with TAC.

CCSM R77/R80/ELITE
0 Kudos
luk89as
Participant
‎2022-10-19 06:37 AM
In response to Chris_Atkinson

In each of the configuration pages, for these two settings to be set to TRUE.

Screen in the appendix.

I don't know if it matters, but the S2S VPN connection is made using certificates.

Even though you select the option that it does not encrypt DNS traffic it does otherwise.

The log shows that traffic from the CP730 LAN is blocked on the CP 750 side.

Maybe a rule in the firewall needs to be created?

Preview file
22 KB
Preview file
38 KB
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2022-10-19 06:44 AM
In response to luk89as

Are both centrally managed? If so, check option in global properties "accept domain name over..."

Best,
Andy
0 Kudos
luk89as
Participant
‎2022-10-19 11:21 PM
In response to the_rock


I started unencrypted DNS traffic over VPN.

In the S2S VPN settings I checked the option: "Allow traffic to the internet from remote site through this gateway."

I applied the setting to both Checkpoint devices.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-10-20 12:40 PM
In response to luk89as

Do Not Encrypt Local DNS Requests of TRUE means that DNS requests won't be encrypted (sent over VPN).
What happens when you make it FALSE?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events