luk89as
Explorer

DNS traffic using S2S VPN is not working

Good morning,

I have two checkpoint 750 and 730 devices connected to each other using VPN S2S.

IP traffic using VPN works without problem. I can access devices on the LAN from either side.

From the CP750 side, I have an Exchange Server 2019 ST server.

When Outlook is on the LAN, the CP730 cannot connect to Exchange Server 2019 because it does not send DNS queries via VPN.

How to configure the CP 750 and 730 for DNS queries to be sent over the S2S VPN tunnel.

7 Replies
Chris_Atkinson
Employee

There is an advanced setting which, if enabled, will provide the behaviour you're describing.

"Do not encrypt local DNS requests"

Worth checking before exploring elsewhere.

CCSM R77/R80/ELITE
luk89as
Explorer

In the advanced settings, I have set the following options:

Global VPN Site to Site settings - do not encrypt local DNS requests - TRUE

I set the setting the same way on both the CP730 and the CP 750.

Even so, I still don't have DNS traffic over the S2S VPN. You can see in the logs that it is encrypted.

Chris_Atkinson
Employee

The other advanced option that may apply is:

"Do not encrypt connections originating from the local gateway"

Failing this, if all other VPN parameters check out and you're on the latest build of R77.20.87, I would discuss it further with TAC.

CCSM R77/R80/ELITE
luk89as
Explorer

In each of the configuration pages, these two settings are set to TRUE.

Screen in the appendix.

I don't know if it matters, but the S2S VPN connection is made using certificates.

Even though you select the option that it does not encrypt DNS traffic, it does so anyway.

The log shows that traffic from the CP730 LAN is blocked on the CP 750 side.

Maybe a rule in the firewall needs to be created?

the_rock
Legend

Are both centrally managed? If so, check option in global properties "accept domain name over..."

luk89as
Explorer

I started unencrypted DNS traffic over VPN.

In the S2S VPN settings I checked the option: "Allow traffic to the internet from remote site through this gateway."

I applied the setting to both Checkpoint devices.

PhoneBoy
Admin

Do Not Encrypt Local DNS Requests of TRUE means that DNS requests won't be encrypted (sent over VPN).
What happens when you make it FALSE?
