
Manually define local VPN Domain per remote peer

I'm quite sure I have seen a KB article about a definition file, which allows you to define the local encryption Domain according to the remote peer, e.g.

If the remote site-to-site VPN peer is A, then my local encryption domain are my networks A1, A2 and A3

If the remote site-to-site VPN peer is B, then my local encryption domain are my networks B1 and B2

Can't find that info anymore.

6 Replies

The options for granular control over VPN routing are available by editing the vpn_route.conf file in the conf directory of the Security Management Server. See Site to Site VPN Administration Guide R80.20 p. 72ff for details.


It's not only VPN-Routing. I want a dedicated VPN-Domain definition per remote peer for my GW. Consider the situation, where I have my corporate gateway, which has 20 site-to-site connections with various partners.
My gateway has 1 single encryption domain definition defined as a group, which includes ALL possible networks it might negotiate with ALL peer gateways.
To be sure that my gateway uses only a very well-defined set of networks for its negotiation with a specific remote peer, I would need a specific local encryption domain for every peer. This is not possible within the SmartDashboard, but I'm pretty sure I saw this possibility within a config file.
If this can be achieved with vpn_route.conf, I would be glad to see an example of what it would look like according to the scenario described in my original post.

Yes, see scenario one here: sk108600: VPN Site-to-Site with 3rd party. 

The trickiest part of this is ensuring you are editing the correct user.def file based on the gateway version, for that see here: sk98239 - Location of 'user.def' files on Security Management Server



Yep, user.def is the way to go.
They are promising us that local per-vpn topology will be possible in a soon to be released version.
How soon? We'll have to wait and see.
Regards, Maarten

Targeted to R80.30.M1 in maintrain:
May also be available in a customer-specific release thru your local office.



look for 


in the crypt.def file