Thecoder
Collaborator

dns request not passing on s2s vpn

Hello

I configured a S2S VPN between Check Point (R80.10) and a Sophos XG firewall. The networks behind the Sophos can access our networks, but DNS requests are not working. The Sophos network can ping the DNS server but cannot resolve names. I took some dumps and saw that the Sophos sent the DNS request, Check Point received the DNS request and sent it to the DNS server, the DNS server answered the request, and Check Point sent the DNS answer to the Sophos. But I cannot see the DNS answer with tcpdump on the Sophos. When I checked the logs, I saw these logs:

8 Replies
Houssameddine_1
Collaborator

Based on your tcpdump, your DNS traffic is leaving in the clear and not passing through the VPN tunnel. I think you need to configure the DNS implied rules in Global Properties to be set to last or before last (any traffic that matches implied rules will not be encrypted) and make sure you have a rule configured in the policy to allow DNS.

The log that you attached doesn't give me much information because I don't see which protocol or ports, but it means you have a key management issue: the Check Point tried to encrypt a packet but it doesn't have a key for it. You need to run vpnd and IKE debug to see which side is deleting the keys, and make sure that the encryption domains are configured correctly on both sides.

Thanks

Thecoder
Collaborator

I am attaching the log screen again. I have already enabled "Accept domain name over UDP", but nothing changed.

How can I tell with tcpdump that traffic entered the VPN tunnel? What should I see in the log screen?

PhoneBoy
Admin
Houssameddine_1
Collaborator

It seems to be a key management issue. For some reason the peer is sending traffic using a key that no longer exists on the Check Point gateway.

You might need a TAC ticket. Double-check the encryption domains on both sides and try IKEv1 to make troubleshooting easier.

If the encryption domain is correct and Check Point is proposing the correct network IDs, try Scenario 4 from the following SK:

VPN Site-to-Site with 3rd party 

Thecoder
Collaborator

Hi

Our version is R80.10 Take 112, and the problem is solved for our version with Scenario 4 in the SK you mentioned.

I saw that I can see traffic in the in and out directions when the remote side sends DNS traffic (the traffic was accepted by the implied rule).

When we monitored with fw monitor, I saw incoming traffic but I couldn't see outgoing traffic for the DNS traffic.

I realized that if the remote side sends ICMP traffic, everything is OK; I can see incoming and outgoing traffic.

I saw some SPI deletions. I don't know if that is normal or not.

thanks

Houssameddine_1
Collaborator

You are filtering for the private IPs. You need wide-open packet captures. When traffic gets encrypted you see an ESP packet with the public IPs of the firewalls. R80.10 has the following inspection points: i I o O e E (R77.30 has i I o O).

The traffic will be encrypted between e and E.

For the SA deletion, as long as both sides delete the keys based on the request and negotiate new keys, that should be OK. We need to avoid the situation where one side deleted a key and the other side is still using it for encryption.

Thanks

Thecoder
Collaborator

Hello

I took a new dump. I can't see the "eE" state. Our version is R80.10. Is that normal?

Remote side dump:

Houssameddine_1
Collaborator

You are still filtering. You need to run fw monitor without a filter and dump it to a file, then review it in Wireshark.

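The two replies above (inspection points i I o O e E with encryption happening between e and E, and the advice to take an unfiltered fw monitor dump to a file) describe a manual check: for each private-side flow, which inspection points did the packet reach, and did an ESP packet follow? The script below automates that check over a saved fw monitor text dump. It is an added example, not Check Point tooling or anything posted in the thread. It assumes the R80.10 text layout (one header line per inspection point, optionally prefixed by `[vs_N][fw_N]`, followed for UDP/TCP by a `UDP: sport -> dport` line) and, following the reply above, that the post-encryption E point shows the packet as ESP between the gateways' public addresses, so an ESP hit at E is attributed to the flow whose e point immediately preceded it in capture order. The capture text, the addresses and the encryption-domain range are constructed for illustration.

```python
"""Per-flow verdicts from an fw monitor text dump: encrypted, lost at e,
sent in the clear, or dropped inbound.

Added example; see the assumptions in the lead-in. The capture in SAMPLE is
constructed, not taken from the thread.
"""
import ipaddress
import re
from collections import defaultdict

# Header line per inspection point; the [vs_N][fw_N] prefix is optional.
HDR_RE = re.compile(
    r"^(?:\[vs_\d+\]\[fw_\d+\]\s+)?\S+?:(?P<point>[iIoOeE])\[\d+\]:\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+\((?P<proto>\w+)\)"
)
PORT_RE = re.compile(r"^(?:UDP|TCP):\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)")


def parse_events(text):
    """Return [(seq, point, (src, dst, proto, sport, dport))] in capture order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = HDR_RE.match(line)
        if m:
            events.append([m["point"], [m["src"], m["dst"], m["proto"], None, None]])
            continue
        p = PORT_RE.match(line)
        if p and events and events[-1][1][3] is None:  # port line belongs to last header
            events[-1][1][3:] = [int(p["sport"]), int(p["dport"])]
    return [(seq, pt, tuple(key)) for seq, (pt, key) in enumerate(events)]


def classify(text, remote_domain, peer_ip):
    """Map each flow destined to remote_domain onto a verdict string."""
    net = ipaddress.ip_network(remote_domain)
    events = parse_events(text)
    # ESP packets to the peer seen at E, and every e hit, so that an ESP at E is
    # credited to the e that immediately preceded it (assumption, see lead-in).
    esp_out = [s for s, pt, (_, dst, proto, _, _) in events
               if pt == "E" and proto == "ESP" and dst == peer_ip]
    e_seqs = sorted(s for s, pt, _ in events if pt == "e")

    def esp_followed(e_seq):
        later = [s for s in e_seqs if s > e_seq]
        limit = later[0] if later else float("inf")
        return any(e_seq < s < limit for s in esp_out)

    seen = defaultdict(dict)  # flow -> {point: first seq at which it was seen}
    for seq, pt, key in events:
        if key[2] != "ESP" and ipaddress.ip_address(key[1]) in net:
            seen[key].setdefault(pt, seq)

    verdicts = {}
    for flow, pts in seen.items():
        if "E" in pts or ("e" in pts and esp_followed(pts["e"])):
            verdicts[flow] = "encrypted"
        elif "e" in pts:
            verdicts[flow] = "lost at encryption: reached e, no ESP followed (check SAs/keys)"
        elif "o" in pts or "O" in pts:
            verdicts[flow] = "sent in the clear: outbound chain, never reached e"
        else:
            verdicts[flow] = "dropped inbound: only i/I seen (policy or anti-spoofing)"
    return verdicts


# Constructed, abridged capture: an ICMP echo reply that is encrypted, a DNS
# reply that reaches e but is never followed by ESP, and a DNS reply that
# leaves in the clear. 198.51.100.1 is the local and 203.0.113.1 the peer gateway.
SAMPLE = """\
[vs_0][fw_1] eth1:i[84]: 10.10.0.53 -> 10.20.0.5 (ICMP) len=84 id=100
[vs_0][fw_1] eth1:I[84]: 10.10.0.53 -> 10.20.0.5 (ICMP) len=84 id=100
[vs_0][fw_1] eth0:o[84]: 10.10.0.53 -> 10.20.0.5 (ICMP) len=84 id=100
[vs_0][fw_1] eth0:e[84]: 10.10.0.53 -> 10.20.0.5 (ICMP) len=84 id=100
[vs_0][fw_1] eth0:E[136]: 198.51.100.1 -> 203.0.113.1 (ESP) len=136 id=101
[vs_0][fw_1] eth0:O[136]: 198.51.100.1 -> 203.0.113.1 (ESP) len=136 id=101
[vs_0][fw_1] eth1:i[120]: 10.10.0.53 -> 10.20.0.5 (UDP) len=120 id=200
UDP: 53 -> 51234
[vs_0][fw_1] eth1:I[120]: 10.10.0.53 -> 10.20.0.5 (UDP) len=120 id=200
UDP: 53 -> 51234
[vs_0][fw_1] eth0:o[120]: 10.10.0.53 -> 10.20.0.5 (UDP) len=120 id=200
UDP: 53 -> 51234
[vs_0][fw_1] eth0:e[120]: 10.10.0.53 -> 10.20.0.5 (UDP) len=120 id=200
UDP: 53 -> 51234
[vs_0][fw_1] eth1:i[90]: 10.10.0.53 -> 10.20.0.9 (UDP) len=90 id=300
UDP: 53 -> 40000
[vs_0][fw_1] eth0:o[90]: 10.10.0.53 -> 10.20.0.9 (UDP) len=90 id=300
UDP: 53 -> 40000
[vs_0][fw_1] eth0:O[90]: 10.10.0.53 -> 10.20.0.9 (UDP) len=90 id=300
UDP: 53 -> 40000
"""

if __name__ == "__main__":
    for flow, verdict in classify(SAMPLE, "10.20.0.0/16", "203.0.113.1").items():
        print(flow, "->", verdict)
```

Run it against the text file an unfiltered `fw monitor` was redirected into, with the remote encryption domain and the peer's public IP as arguments to `classify`. A flow that only reaches e, with no ESP following, is the pattern described earlier in the thread (incoming DNS visible, no outgoing), and points at the SA/key problem rather than at the rulebase; a flow that reaches o/O without ever touching e never entered the VPN chain at all.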
