topic Re: How is VPN traffic excluded via crypt.def routed? in General Topics

How is VPN traffic excluded via crypt.def routed?

Ruan_Kotze — Wed, 30 Nov 2022 07:33:25 GMT

Hi Checkmates,

I've got a scenario whereby I've got a star community with all traffic routed through the center.

I've got a requirement now to break out SMTP traffic to a specific destination locally at one of the spokes (and at that spoke only - all other spokes should still encrypt and send through the center).

In the event that I exclude a specific source / destination / service via crypt.def, would traffic then obey a policy route on the gateway or would it still be sent to the center, but in cleartext? The spoke in question is a Quantum spark running 80.20.50 in case it's relevant.

Is there perhaps a better way of doing this than fiddling with crypt.def and INSPECT syntax? FWIW this is the syntax I'm looking to implement:

#ifndef NON_VPN_TRAFFIC_RULES
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (src=192.168.1.10,dst=1.2.3.4,dport=25)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
#endif

Thanks,
Ruan

Re: How is VPN traffic excluded via crypt.def routed?

the_rock — Mon, 28 Nov 2022 19:12:41 GMT

I could be mistaken, but I believe if you modify crypt.def, it would be sent in clear, maybe someone else can confirm 100%. Actually, I dont believe TAC would ever recommend you to do something like this, but I saw customer once create VPN rule to block traffic they did NOT want going through the tunnel (they just placed it above accept vpn rule). Personally, I only saw that one time and never again. Most people just do it by modifying the file you mentioned.

Re: How is VPN traffic excluded via crypt.def routed?

PhoneBoy — Tue, 29 Nov 2022 01:20:13 GMT

This "hack" to crypt.def ensures the specified traffic is NOT encrypted (i.e. sent through VPN) and it should be sent according to the normal routing table.
Unfortunately, there isn't a cleaner way to do this currently.
And, because you're talking SMB gateways, make sure the change is made to the appropriate "Backward Compatibility" directory version of crypt.def.

Re: How is VPN traffic excluded via crypt.def routed?

Klemen1310 — Thu, 23 Mar 2023 10:30:28 GMT

Hello,

I have a similar issue which is on location A I have a SMB Quantum spark running 80.20.50 which has established IPsec tunnel to location B which is a Cluster of 3600 appliances. All traffic is routed through center which is cluster. On location A I have a device with local IP 192.168.15.245 which traffic should not be going through tunnel but directly to internet from location A.

How should I write my crypt.def ?

#ifndef NON_VPN_TRAFFIC_RULES
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (src=192.168.15.245)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
#endif

Looking forward to your reply,

Klemen

Re: How is VPN traffic excluded via crypt.def routed?

Ruan_Kotze — Thu, 23 Mar 2023 10:41:57 GMT

Hi Klemen, as per above we did this successfully for one of our clients, I'll see if I can get a sanitized copy and post it here.

Re: How is VPN traffic excluded via crypt.def routed?

Klemen1310 — Mon, 27 Mar 2023 12:45:43 GMT

Hello,

should I open new ticket or are you still trying to get sanitized copy ?

Re: How is VPN traffic excluded via crypt.def routed?

Ruan_Kotze — Mon, 27 Mar 2023 12:57:33 GMT

Hi Klemen,

This is what we used (need was to exclude SMTP traffic from a specific host from the tunnel):

#ifndef NON_VPN_TRAFFIC_RULES
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (src=192.168.10.10,dport=25)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
#endif

Also refer to the below to SK's (depending on the gateway platform you need to modify different files on the SMS etc.)

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk25675&partition=Advanced&product=IPSec

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk98241#Location

Thanks,
Ruan

Re: How is VPN traffic excluded via crypt.def routed?

dede79 — Wed, 12 Apr 2023 07:37:51 GMT

Hello,

does anyone know the possible syntax? I need to exlude several networks and working just with "src=" and "dst=" and many many "or" in between leads to a very big crypt.def file! Usage of networks would be great.....

Thanks

Re: How is VPN traffic excluded via crypt.def routed?

PhoneBoy — Wed, 12 Apr 2023 14:11:00 GMT

The language used here is INSPECT, so it should be possible.
fw monitor uses the same syntax, and it’s described here: https://support.checkpoint.com/results/sk/sk30583

Re: How is VPN traffic excluded via crypt.def routed?

dede79 — Thu, 13 Apr 2023 07:23:54 GMT

Checked so far - wildcard would have been the best option but seems not to work (like exclude all MPLS routers to check connectivity....10.190.*.1).

Also as I see no option to install specific rules only on specific gateways.

Re: How is VPN traffic excluded via crypt.def routed?

PhoneBoy — Thu, 13 Apr 2023 14:36:06 GMT

You're changing an INSPECT macro.
I'm not aware of a way to make it different for different gateways short of manually maintaining it for each gateway.

A route-based VPN would probably be a better approach here since it can be affected through routing changes on the local gateway.

Re: How is VPN traffic excluded via crypt.def routed?

dede79 — Fri, 04 Aug 2023 12:27:40 GMT

it works perfectly with gaia gateways - just the added 1500 devices on R81.10 completely ignore the VPN exclustions in crypt.def.

File should be the same for all R81.10 gateways, right? $FWDIR/lib/crypt.def

Or is there a different syntax for the quantum spark series?

Re: How is VPN traffic excluded via crypt.def routed?

Ruan_Kotze — Fri, 04 Aug 2023 12:46:15 GMT

Different locations for Spark as far as I recall - I linked the SK's in a previous post.

Re: How is VPN traffic excluded via crypt.def routed?

dede79 — Mon, 07 Aug 2023 08:31:18 GMT

thought from R81.20 Mgmt admin guide it should be $FWDIR/CPSFWR81CMP-R81.10/lib/crypt.def but changes here are not influencing quantum sparc behavior.....so I creates an SR.

Re: How is VPN traffic excluded via crypt.def routed?

PhoneBoy — Wed, 23 Aug 2023 20:59:33 GMT

That is only for SMB gateways running R81.10.
For other firmware versions, you'll need a different path.