topic Re: Quantum Spark 1600 Locally Managed Ra VPN Encryption Domain Problem in SASE and Remote Access

Quantum Spark 1600 Locally Managed Ra VPN Encryption Domain Problem

NJTsunss — Mon, 15 Sep 2025 10:23:00 GMT

I have A Problem When I enable Manual Encryption Domain, My RA VPN clients not only Receive Routes That i have Created in Manually Encryption Domain, but they also receive routes for Active Interfaces which are behind Checkpoint.

I need my VPN Clients to only Reicieve Routes For The Networks I have Defined inside Encryption Domain, Is this Perhaps Some kind of A Bug Or am i Missing Configuration?

I use Endpoint Security VPN

Re: Quantum Spark 1600 Locally Managed Ra VPN Encryption Domain Problem

PhoneBoy — Tue, 16 Sep 2025 15:56:17 GMT

Expected behavior.
Have you explicitly tried excluding them here (under Exclude Networks):

Otherwise, you're probably going to have to do something like: https://community.checkpoint.com/t5/General-Topics/VPN-traffic-exclusion-with-crypt-def/td-p/167592

On a locally managed Quantum Spark appliance, after editing crypt.def, you will need to execute an fw_configload from Expert mode OR reboot the appliance for the change to take effect.

Re: Quantum Spark 1600 Locally Managed Ra VPN Encryption Domain Problem

NJTsunss — Tue, 16 Sep 2025 15:58:55 GMT

I tried Manual Exclusion But it gave me no difference, Will Try the method you linked

Re: Quantum Spark 1600 Locally Managed Ra VPN Encryption Domain Problem

NJTsunss — Wed, 17 Sep 2025 17:31:00 GMT

I tried The Method You linked but still no luck, Currently I'm checking routes via Route print, the routes I get are this:

0.0.0.0 255.255.255.255 172.17.10.2 172.17.10.1 1
10.100.120.0 255.255.255.0 172.17.10.2 172.17.10.1 1
10.70.0.1 255.255.255.255 172.17.10.2 172.17.10.1 1
10.128.128.2 255.255.255.255 172.17.10.2 172.17.10.1 1
127.0.0.1 255.255.255.255 172.17.10.2 172.17.10.1 1
192.168.5.0 255.255.255.0 172.17.10.2 172.17.10.1 1

the only routes I should be getting are, 192.168.5.0 and 10.10.10.0
other addresses like 10.70.0.1 and 10.128.128.2 are my interface Ip addresses that are connected to other devices.

I tried Crypt.def
Changed it like this for example to exclude 10.70.0.1:

From this

#ifndef NON_VPN_TRAFFIC_RULES
#ifdef USE_NON_VPN_DESTINATIONS
#define NON_VPN_TRAFFIC_RULES (dst in non_vpn_destinations)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
#endif

#endif /* __crypt_def__ */

To this

#ifndef NON_VPN_TRAFFIC_RULES
#ifdef USE_NON_VPN_DESTINATIONS
#define NON_VPN_TRAFFIC_RULES (dst=10.70.0.1)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
#endif

#endif /* __crypt_def__ */

But 10.70.0.1 still stayed in Laptop routing table, am I doing something wrong?

Re: Quantum Spark 1600 Locally Managed Ra VPN Encryption Domain Problem

PhoneBoy — Wed, 17 Sep 2025 17:37:18 GMT

This may not be possible on locally managed Quantum Spark appliances, or this isn't the right procedure for that.
Suggest a TAC case here.