topic Re: Exclude single IP from Peer VPN IP range in SASE and Remote Access

Exclude single IP from Peer VPN IP range

NorthernNetGuy — Tue, 28 Mar 2023 14:27:28 GMT

I have a VPN community for a B2B connection set up, with their VPN Domain containing a /21, that all works fine.

There is 1 IP address in that /21 that is for a public website that we don't want to to route over the VPN, and I'm trying to figure out how to exclude it from being routed over that VPN.

I've tried setting up a NAT rule to translate the source to an different IP than the one used for that community, but it still attempts to route over the VPN.

I've also tried setting up a static route, setting the next hop to the IP used as our default gateway.

How would I exclude an address from being routed thru that domain?

Re: Exclude single IP from Peer VPN IP range

Danny — Tue, 28 Mar 2023 14:59:28 GMT

crypt.def is your friend

Re: Exclude single IP from Peer VPN IP range

NorthernNetGuy — Tue, 28 Mar 2023 15:18:25 GMT

Thanks Danny! The SK for crypt.def was a little daunting and not clear how to specifically exclude an address, but that posts solution explains it very well!

Re: Exclude single IP from Peer VPN IP range

NorthernNetGuy — Tue, 28 Mar 2023 15:34:35 GMT

I also just discovered that exclusion group objects exist. Do you know if using an exclusion group would cause any issues if I use that as the Satellite VPN domain?

It would be a simpler approach and be easier to share with my other techs.

Re: Exclude single IP from Peer VPN IP range

Danny — Wed, 29 Mar 2023 06:07:04 GMT

As this article describes, groups with exclusions may have issues when used with VPN encryption domains. It might work, just test it and keep a close eye on the calculated result. I understand you are looking for an easy solution. However, your task it not easy by design. You could also create a group containing multiple network objects describing your /21 network without that single IP address in order to use that manually crafted network group as your new encryption domain. However, keep in mind Check Point performs supernetting by default, so you might still end up with a /21 encryption domain. That's why crypt.def is your friend.

Re: Exclude single IP from Peer VPN IP range

NorthernNetGuy — Tue, 28 Mar 2023 17:56:02 GMT

I really appreciate the in depth response! I'll experiment with the exclusion group, but it looks like I'll likely need to go with defining an exclusion within crypt.def.

I'll try and update this post with my results once I've tested, for anyone that might stumble upon this post in the future.

Re: Exclude single IP from Peer VPN IP range

AleLovaz82 — Tue, 28 Mar 2023 18:10:53 GMT

TAC told me that exclusion group as encryption domain are not supported even if you can use them from Smart Console

>- Exchanged the network group with exclusions(not supported in the encryption domain) with a standard network group

Re: Exclude single IP from Peer VPN IP range

AleLovaz82 — Tue, 28 Mar 2023 18:11:53 GMT

I use this
> You could also create a group containing multiple network objects describing your /21 network without that single IP address in >order to use that manually crafted network group as your new encryption domain.

+ force the firewall to use a specific subnet editing user.def.FW1

Re: Exclude single IP from Peer VPN IP range

PhoneBoy — Tue, 28 Mar 2023 22:51:34 GMT

Exclusion groups ARE supported for Remote Access VPN: https://support.checkpoint.com/results/sk/sk167000
However, that’s relatively recent and for the specific use case it was designed for (Remote Access).

Re: Exclude single IP from Peer VPN IP range

AleLovaz82 — Wed, 29 Mar 2023 11:53:46 GMT

ok , i used them in s2s vpn