Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ruan_Kotze
Advisor
Jump to solution

How is VPN traffic excluded via crypt.def routed?

Hi Checkmates,

I've got a scenario whereby I've got a star community with all traffic routed through the center.

I've got a requirement now to break out SMTP traffic to a specific destination locally at one of the spokes (and at that spoke only - all other spokes should still encrypt and send through the center). 

In the event that I exclude a specific source / destination / service via crypt.def, would traffic then obey a policy route on the gateway or would it still be sent to the center, but in cleartext?  The spoke in question is a Quantum spark running 80.20.50 in case it's relevant.

Is there perhaps a better way of doing this than fiddling with crypt.def and INSPECT syntax?  FWIW this is the syntax I'm looking to implement:

#ifndef NON_VPN_TRAFFIC_RULES
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (src=192.168.1.10,dst=1.2.3.4,dport=25)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
#endif

Thanks,
Ruan

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

This "hack" to crypt.def ensures the specified traffic is NOT encrypted (i.e. sent through VPN) and it should be sent according to the normal routing table.
Unfortunately, there isn't a cleaner way to do this currently.
And, because you're talking SMB gateways, make sure the change is made to the appropriate "Backward Compatibility" directory version of crypt.def.

View solution in original post

2 Replies
the_rock
Legend
Legend

I could be mistaken, but I believe if you modify crypt.def, it would be sent in clear, maybe someone else can confirm 100%. Actually, I dont believe TAC would ever recommend you to do something like this, but I saw customer once create VPN rule to block traffic they did NOT want going through the tunnel (they just placed it above accept vpn rule). Personally, I only saw that one time and never again. Most people just do it by modifying the file you mentioned.

PhoneBoy
Admin
Admin

This "hack" to crypt.def ensures the specified traffic is NOT encrypted (i.e. sent through VPN) and it should be sent according to the normal routing table.
Unfortunately, there isn't a cleaner way to do this currently.
And, because you're talking SMB gateways, make sure the change is made to the appropriate "Backward Compatibility" directory version of crypt.def.