This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
marcinw
Contributor
‎2023-01-12 05:44 AM
Jump to solution

VPN traffic exclusion with crypt.def

Hi

I need to exclude some traffic from VPN, I went through sk98241 also read some posts on checkmates but to make sure (will be configuring for the first time). The scenario is , I have 3 remote VPN sites :
site1=192.168.1.0/24
site2=192.168.2.0/24
site3=192.168.3.0/24

and SMS in the cloud
I have SCCM GW in the cloud with IP 1.2.3.4, that's the traffic that I want to exclude from VPN and send it dierctly from hosts in VPN domain to SCCM GW 1.2.3.4, the changes in crypt.def On SMS in the cloud should be looking in this way ?:

 

#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (dst=1.2.3.4)
#else
#ifndef NON_VPN_TRAFFIC_RULES 0
#endif
#endif

OR only for specified VPN 2 subnets

all@site1 vpn_exclude={192.168.1.1,192.168.1.255};
all@site2 vpn_exclude={192.168.2.1,192.168.2.255};

#define NON_VPN_TRAFFIC_RULES ((src vpn_exclude) and (dst=1.2.3.4))

Pushing Policy on SMS

I this Ok ? Also is there anything else that has to be done ?

thank you

0 Kudos
1 Solution

Accepted Solutions
the_rock
Legend
Legend
‎2023-01-12 06:21 AM
In response to marcinw
Jump to solution

This is from sk108600. Let me see if I can find a file that customer modified ages ago and it worked fine, maybe I can send you the example.

Andy

  1. Backup the relevant "crypt.def" file (refer to sk98241) on Security Management Server / Domain Management Server.

  2. Open the relevant "crypt.def" file in a plain-text editor (Vi on Unix-based OS ; Notepad/Notepad++ on Windows OS).

  3. Find this line:

    #define NON_VPN_TRAFFIC_RULES
    You should see the following lines: 
    #ifndef NON_VPN_TRAFFIC_RULES
#define NON_VPN_TRAFFIC_RULES 0
#endif

  4. Modify the middle line:

    from this single line:

    #define NON_VPN_TRAFFIC_RULES 0

    to these lines:

    • to exclude only IPv4 address: 
      #ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (dst=Destination_IPv4_address,dport=Destination_Port)
      #else
      #define NON_VPN_TRAFFIC_RULES 0
      #endif
      The Destination_IPv4_address is the IPv4 address of the remote peer, which should be excluded from the Gateway's remote encryption domain.
    • to exclude multiple IPv4 addresses 
      #ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (dst=Destination_IPv4_address_1 or dst=Destination_IPv4_address_2)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
      The Destination_IPv4_address is the IPv4 address of the remote peer, which should be excluded from the Gateway's remote encryption domain.
    • to exclude only IPv6 address: 
      #ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES 0
#else
#define NON_VPN_TRAFFIC_RULES (dst=Destination_IPv6_address,dport=Destination_Port)
#endif
      The Destination_IPv6_address is the IPv6 address of the remote peer, which should be excluded from the Gateway's remote encryption domain.
    • to exclude both IPv4 address and IPv6 address: 
      #ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (dst=Destination_IPv4_address,dport=Destination_Port)
#else
#define NON_VPN_TRAFFIC_RULES (dst=Destination_IPv6_address,dport=Destination_Port)
#endif
      The Destination_IPv4_address is the IPv4 address of the remote peer, which should be excluded from the Gateway's remote encryption domain.
      The Destination_IPv6_address is the IPv6 address of the remote peer, which should be excluded from the Gateway's remote encryption domain.
  5. Save the changes in the "crypt.def" file and exit from the editor.

  6. Connect with SmartDashboard to Security Management Server / Domain Management Server.

  7. Install the security policy onto relevant Security Gateway / Cluster.

View solution in original post

11 Replies
the_rock
Legend
Legend
‎2023-01-12 05:48 AM
Jump to solution

On surface, that looks right to me. By the way, IF syntax is wrong, you would see it for sure when pushing the policy, as it would error out 100% and tell you exactly what its complaining about.

0 Kudos
marcinw
Contributor
‎2023-01-12 06:11 AM
In response to the_rock
Jump to solution

thanks for reply , I suppose you mean this line 

#ifndef NON_VPN_TRAFFIC_RULES 0

instead of #define NON_VPN_TRAFFIC_RULES 0

also this one should be fixed 

#ifndef IPV6_FLAVOR

to #ifdef IPV6_FLAVOR

0 Kudos
the_rock
Legend
Legend
‎2023-01-12 06:21 AM
In response to marcinw
Jump to solution

This is from sk108600. Let me see if I can find a file that customer modified ages ago and it worked fine, maybe I can send you the example.

Andy

  1. Backup the relevant "crypt.def" file (refer to sk98241) on Security Management Server / Domain Management Server.

  2. Open the relevant "crypt.def" file in a plain-text editor (Vi on Unix-based OS ; Notepad/Notepad++ on Windows OS).

  3. Find this line:

    #define NON_VPN_TRAFFIC_RULES
    You should see the following lines: 
    #ifndef NON_VPN_TRAFFIC_RULES
#define NON_VPN_TRAFFIC_RULES 0
#endif

  4. Modify the middle line:

    from this single line:

    #define NON_VPN_TRAFFIC_RULES 0

    to these lines:

    • to exclude only IPv4 address: 
      #ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (dst=Destination_IPv4_address,dport=Destination_Port)
      #else
      #define NON_VPN_TRAFFIC_RULES 0
      #endif
      The Destination_IPv4_address is the IPv4 address of the remote peer, which should be excluded from the Gateway's remote encryption domain.
    • to exclude multiple IPv4 addresses 
      #ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (dst=Destination_IPv4_address_1 or dst=Destination_IPv4_address_2)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
      The Destination_IPv4_address is the IPv4 address of the remote peer, which should be excluded from the Gateway's remote encryption domain.
    • to exclude only IPv6 address: 
      #ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES 0
#else
#define NON_VPN_TRAFFIC_RULES (dst=Destination_IPv6_address,dport=Destination_Port)
#endif
      The Destination_IPv6_address is the IPv6 address of the remote peer, which should be excluded from the Gateway's remote encryption domain.
    • to exclude both IPv4 address and IPv6 address: 
      #ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (dst=Destination_IPv4_address,dport=Destination_Port)
#else
#define NON_VPN_TRAFFIC_RULES (dst=Destination_IPv6_address,dport=Destination_Port)
#endif
      The Destination_IPv4_address is the IPv4 address of the remote peer, which should be excluded from the Gateway's remote encryption domain.
      The Destination_IPv6_address is the IPv6 address of the remote peer, which should be excluded from the Gateway's remote encryption domain.
  5. Save the changes in the "crypt.def" file and exit from the editor.

  6. Connect with SmartDashboard to Security Management Server / Domain Management Server.

  7. Install the security policy onto relevant Security Gateway / Cluster.
marcinw
Contributor
‎2023-01-12 06:24 AM
In response to the_rock
Jump to solution

thank you very much sir I won't find better explanation 🙂 cheers

the_rock
Legend
Legend
‎2023-01-12 06:25 AM
In response to marcinw
Jump to solution

Its not an issue, as that company switched to another vendor 5 years ago or so, so if I can find that file, no harm in sending it, all good.

0 Kudos
the_rock
Legend
Legend
‎2023-01-12 06:36 AM
In response to marcinw
Jump to solution

I dont sadly have the file itself, but, I found an email from ages ago where TAC told them to follow this example on that line:

#define NON_VPN_TRAFFIC_RULES ((src=x.x.x.x or dst=y.y.y.y) and (src=x.x.x.x and dst=y.y.y.y) or ))
0 Kudos
the_rock
Legend
Legend
‎2023-01-12 06:38 AM
In response to marcinw
Jump to solution

Just MAKE SURE whatever you do, save the original copy by doing cd $FWDIR/lib and then cp crypt.def crypt.def.ORIGINAL

That way, if anything gets f-ed up, you can revert back easily.

0 Kudos
marcinw
Contributor
‎2023-01-12 06:46 AM
In response to the_rock
Jump to solution

of course backup will be done, however  I am going to configure this in the lab first to check and minimize losses 😉

0 Kudos
the_rock
Legend
Legend
‎2023-01-12 06:55 AM
In response to marcinw
Jump to solution

Yes sir Marcin, 100% always an excellent idea.

0 Kudos
the_rock
Legend
Legend
‎2023-01-12 06:42 AM
In response to marcinw
Jump to solution

Also, below link may help as well.

https://community.checkpoint.com/t5/General-Topics/How-is-VPN-traffic-excluded-via-crypt-def-routed/...

0 Kudos
B_P
Advisor
‎2023-07-25 03:03 PM
Jump to solution

Anyone know what the @ symbol does? Does all mean "all interfaces"? Can you write it like eth1@east-fw ? Not seeing documentation on it like in sk113112.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events