This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
carlos_luz
Explorer
‎2023-07-02 05:48 AM

VPN - DNS Lookup

VPN - DNS Lookup
 
 I have a costumer and in your enverioment, he has one SDWAN before the gatewy with 2 ISP (with to FQDN VPN). In the gateway i have only one external interface with private IP.
 
  Exempla: 
  
  vpn.xpto.com                                                    vpn2.xpto.com
  IPS1                                                                   ISP2
                                           SDWAN
                                           PrivateIP
                                           Gateway
                                           Internal Network
 
 
 Then i needed to put both FQDN to work and so many test, i could after change some options option in GuiDBedit and VPN Selection. And one determinate order:
 
 First i changed in VPN Settings > Link Selection > "Source IP address settings...", i select "IP address of chosen interface":
 
 
Ip chosen Interface.png
 
 
 After i changed in VPN Settings > Link Selection > "Outgoing Route Selection" and "Setup", i select "IP address of chosen interface":
 
Reply the same source.png
 
 And the last changed i open GuiDGedit, set option "dnsLookup" in both field "ip_resolution_mechanism" and "ip_resolution_mechanism_GW" (theses fields are in "Network Objects" > Object Gateway.
 
ip_resolution.png
 
 After theses changed, the VPN work fine and stable, but i found some bugs in interface, automaticly the option "Use Dns resolving" is checked and when i open the option"Link Selection" , the interface ask about one value, case i ignore this popup, the VPN continuos work fine, but alwauys i open this option alert about the problem.
 
link selection bug.png
 
 How this case, i have others cases where the config work, but i didn't find any documentation, one example is option "Calculate IP based on network topology" in Link Selection, this option permit balancing VPN over multi links, and this option has a poor documentation. 
 

 Sorry for the English, but I'm training to improve, the environment is in version R81.10 take 66. The prints for the post I took inside Demopoint in version R81.20, I can't validate if this function works well in other versions.

 This post is for information purposes only and not to complain or help, I am available in case of doubt.

 

Carlos Luz
CCSA, CCSE, CCTE

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2023-07-03 12:40 PM

I believe Calculate IP Based on Network Topology will use the interface that is "closest" to the remote endpoint.
This is likely a combination of the device routing table and the topology information configured for the remote gateway.

For what it's worth, in R82, we are expecting to simplify all this.

0 Kudos
carlos_luz
Explorer
‎2023-07-03 09:13 PM
In response to PhoneBoy

 Hello PhoneBoy, yes, with Caculate option i can use routes to chose the interface and IP interface what i use in VPN.

 

 But we dont have any documentation about this or cases of use.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-07-05 06:54 AM
In response to carlos_luz

All of the options here control what IP address is used to initiate a VPN with a remote peer.
Unless the peer is accessible via an internal interface, "Calculate IP based on network topology" will generally result in the external (cluster) IP being used.
This is the default setting.

Note the settings here apply to ALL VPN peers.
If you have multiple VPN peers that each require a different IP to be used for different peers, then you will need to use one of the options.

As I stated previously, we are planning to revamp these options in R82 to simplify things.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events