topic Re: VPN traffic exclusion with crypt.def in General Topics

VPN traffic exclusion with crypt.def

marcinw — Thu, 12 Jan 2023 13:44:19 GMT

I need to exclude some traffic from VPN, I went through sk98241 also read some posts on checkmates but to make sure (will be configuring for the first time). The scenario is , I have 3 remote VPN sites :
site1=192.168.1.0/24
site2=192.168.2.0/24
site3=192.168.3.0/24

and SMS in the cloud
I have SCCM GW in the cloud with IP 1.2.3.4, that's the traffic that I want to exclude from VPN and send it dierctly from hosts in VPN domain to SCCM GW 1.2.3.4, the changes in crypt.def On SMS in the cloud should be looking in this way ?:

#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (dst=1.2.3.4)
#else
#ifndef NON_VPN_TRAFFIC_RULES 0
#endif
#endif

OR only for specified VPN 2 subnets

all@site1 vpn_exclude={192.168.1.1,192.168.1.255};
all@site2 vpn_exclude={192.168.2.1,192.168.2.255};

#define NON_VPN_TRAFFIC_RULES ((src vpn_exclude) and (dst=1.2.3.4))

Pushing Policy on SMS

I this Ok ? Also is there anything else that has to be done ?

thank you

Re: VPN traffic exclusion with crypt.def

the_rock — Thu, 12 Jan 2023 13:48:34 GMT

On surface, that looks right to me. By the way, IF syntax is wrong, you would see it for sure when pushing the policy, as it would error out 100% and tell you exactly what its complaining about.

Re: VPN traffic exclusion with crypt.def

marcinw — Thu, 12 Jan 2023 14:11:23 GMT

thanks for reply , I suppose you mean this line

#ifndef NON_VPN_TRAFFIC_RULES 0

instead of #define NON_VPN_TRAFFIC_RULES 0

also this one should be fixed

#ifndef IPV6_FLAVOR

to #ifdef IPV6_FLAVOR

Re: VPN traffic exclusion with crypt.def

the_rock — Thu, 12 Jan 2023 14:21:48 GMT

This is from sk108600. Let me see if I can find a file that customer modified ages ago and it worked fine, maybe I can send you the example.

Andy

Backup the relevant "crypt.def" file (refer to sk98241) on Security Management Server / Domain Management Server.
Open the relevant "crypt.def" file in a plain-text editor (Vi on Unix-based OS ; Notepad/Notepad++ on Windows OS).
Find this line:

#define NON_VPN_TRAFFIC_RULES
You should see the following lines:
```
#ifndef NON_VPN_TRAFFIC_RULES
#define NON_VPN_TRAFFIC_RULES 0
#endif
```
Modify the middle line:

from this single line:
```
#define NON_VPN_TRAFFIC_RULES 0
```
to these lines:
- to exclude only IPv4 address:
```
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (dst=Destination_IPv4_address,dport=Destination_Port)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
```
  The Destination_IPv4_address is the IPv4 address of the remote peer, which should be excluded from the Gateway's remote encryption domain.
- to exclude multiple IPv4 addresses
```
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (dst=Destination_IPv4_address_1 or dst=Destination_IPv4_address_2)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
```
  The Destination_IPv4_address is the IPv4 address of the remote peer, which should be excluded from the Gateway's remote encryption domain.
- to exclude only IPv6 address:
```
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES 0
#else
#define NON_VPN_TRAFFIC_RULES (dst=Destination_IPv6_address,dport=Destination_Port)
#endif
```
  The Destination_IPv6_address is the IPv6 address of the remote peer, which should be excluded from the Gateway's remote encryption domain.
- to exclude both IPv4 address and IPv6 address:
```
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (dst=Destination_IPv4_address,dport=Destination_Port)
#else
#define NON_VPN_TRAFFIC_RULES (dst=Destination_IPv6_address,dport=Destination_Port)
#endif
```
  The Destination_IPv4_address is the IPv4 address of the remote peer, which should be excluded from the Gateway's remote encryption domain.
  The Destination_IPv6_address is the IPv6 address of the remote peer, which should be excluded from the Gateway's remote encryption domain.
Save the changes in the "crypt.def" file and exit from the editor.
Connect with SmartDashboard to Security Management Server / Domain Management Server.
Install the security policy onto relevant Security Gateway / Cluster.

Re: VPN traffic exclusion with crypt.def

marcinw — Thu, 12 Jan 2023 14:24:17 GMT

thank you very much sir I won't find better explanation 🙂 cheers

Re: VPN traffic exclusion with crypt.def

the_rock — Thu, 12 Jan 2023 14:25:44 GMT

Its not an issue, as that company switched to another vendor 5 years ago or so, so if I can find that file, no harm in sending it, all good.

Re: VPN traffic exclusion with crypt.def

the_rock — Thu, 12 Jan 2023 14:36:42 GMT

I dont sadly have the file itself, but, I found an email from ages ago where TAC told them to follow this example on that line:

#define NON_VPN_TRAFFIC_RULES ((src=x.x.x.x or dst=y.y.y.y) and (src=x.x.x.x and dst=y.y.y.y) or ))

Re: VPN traffic exclusion with crypt.def

the_rock — Thu, 12 Jan 2023 14:38:01 GMT

Just MAKE SURE whatever you do, save the original copy by doing cd $FWDIR/lib and then cp crypt.def crypt.def.ORIGINAL

That way, if anything gets f-ed up, you can revert back easily.

Re: VPN traffic exclusion with crypt.def

the_rock — Thu, 12 Jan 2023 14:42:22 GMT

Also, below link may help as well.

https://community.checkpoint.com/t5/General-Topics/How-is-VPN-traffic-excluded-via-crypt-def-routed/m-p/163421

Re: VPN traffic exclusion with crypt.def

marcinw — Thu, 12 Jan 2023 14:46:20 GMT

of course backup will be done, however I am going to configure this in the lab first to check and minimize losses 😉

Re: VPN traffic exclusion with crypt.def

the_rock — Thu, 12 Jan 2023 14:55:10 GMT

Yes sir Marcin, 100% always an excellent idea.

Re: VPN traffic exclusion with crypt.def

B_P — Tue, 25 Jul 2023 22:03:10 GMT

Anyone know what the @ symbol does? Does all mean "all interfaces"? Can you write it like eth1@east-fw ? Not seeing documentation on it like in sk113112.