This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ruan_Kotze
Advisor
‎2022-11-28 09:28 AM
Jump to solution

How is VPN traffic excluded via crypt.def routed?

Hi Checkmates,

I've got a scenario whereby I've got a star community with all traffic routed through the center.

I've got a requirement now to break out SMTP traffic to a specific destination locally at one of the spokes (and at that spoke only - all other spokes should still encrypt and send through the center). 

In the event that I exclude a specific source / destination / service via crypt.def, would traffic then obey a policy route on the gateway or would it still be sent to the center, but in cleartext?  The spoke in question is a Quantum spark running 80.20.50 in case it's relevant.

Is there perhaps a better way of doing this than fiddling with crypt.def and INSPECT syntax?  FWIW this is the syntax I'm looking to implement:

#ifndef NON_VPN_TRAFFIC_RULES
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (src=192.168.1.10,dst=1.2.3.4,dport=25)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
#endif

Thanks,
Ruan

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2022-11-28 05:20 PM
Jump to solution

This "hack" to crypt.def ensures the specified traffic is NOT encrypted (i.e. sent through VPN) and it should be sent according to the normal routing table.
Unfortunately, there isn't a cleaner way to do this currently.
And, because you're talking SMB gateways, make sure the change is made to the appropriate "Backward Compatibility" directory version of crypt.def.

View solution in original post

4 Replies
the_rock
Legend
Legend
‎2022-11-28 11:12 AM
Jump to solution

I could be mistaken, but I believe if you modify crypt.def, it would be sent in clear, maybe someone else can confirm 100%. Actually, I dont believe TAC would ever recommend you to do something like this, but I saw customer once create VPN rule to block traffic they did NOT want going through the tunnel (they just placed it above accept vpn rule). Personally, I only saw that one time and never again. Most people just do it by modifying the file you mentioned.

PhoneBoy
Admin
Admin
‎2022-11-28 05:20 PM
Jump to solution

This "hack" to crypt.def ensures the specified traffic is NOT encrypted (i.e. sent through VPN) and it should be sent according to the normal routing table.
Unfortunately, there isn't a cleaner way to do this currently.
And, because you're talking SMB gateways, make sure the change is made to the appropriate "Backward Compatibility" directory version of crypt.def.

Klemen1310
Explorer
Thursday
In response to PhoneBoy
Jump to solution

Hello,

I have a similar issue which is on location A I have a SMB Quantum spark running  80.20.50 which has established IPsec tunnel to location B which is a Cluster of 3600 appliances. All traffic is routed through center which is cluster. On location A I have a device with local IP 192.168.15.245 which traffic should not be going through tunnel but directly to internet from location A.

How should I write my crypt.def ?

 

#ifndef NON_VPN_TRAFFIC_RULES
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (src=192.168.15.245) 
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
#endif

 

Looking forward to your reply,

Klemen

 

0 Kudos
Ruan_Kotze
Advisor
Thursday
In response to Klemen1310
Jump to solution

Hi Klemen, as per above we did this successfully for one of our clients, I'll see if I can get a sanitized copy and post it here.

0 Kudos