Solved: VPN Exclusions (made inside $FWDIR/lib/crypt.def) ...

Jerry · ‎2018-12-18

ok. here is a proper update for you all, should anyone knows what a heck I'm doing wrong (*wink*) - do let me know

obviously I was following IN DETAIL sk86582 but,:

exec ping 10.10.10.1 (from Fortigate CLI on 10.10.10.4)

5 packets transmitted, 0 packets received, 100% packet loss

whilst on zdebug on CP Cluster:

;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=1 10.10.10.4:2048 -> 10.10.10.1:5649 dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;

when $FWDIR/lib/crypt.def (on SMS + successfuly pushed is like following:

vpn_exclude_src1={<192.168.16.0,192.168.16.254>};

vpn_exclude_dst1={<a.a.a.1,a.a.a.254>};

vpn_exclude_src2={<10.10.10.0,10.10.10.255>};

vpn_exclude_dst2={<10.10.10.0,10.10.10.255>};

vpn_exclude_src3={<a.a.a.1,a.a.a.254>};

vpn_exclude_dst3={<192.168.16.0,192.168.16.254>};

with following in a proper place as well:

((src in vpn_exclude_src1) and (dst in vpn_exclude_dst1)) and ((src in vpn_exclude_src2) and (dst in vpn_exclude_dst2)) and ((src in vpn_exclude_src3) and (dst in vpn_exclude_dst3))

ps. all in right space, spot and policy installed - just simply DOES NOT WORK and I cannot ping whatever direction I'll take based on the exclude_objects from above.

any clue chaps ?

Jerry

G_W_Albrecht · ‎2018-12-18

Most common mistake possible here is not to use the corresponding file as found in sk98241 - but yours looks like you missunderstood the AND - how should that match to anything ? Depending on the criteria you want, an OR would be best...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

Danny · ‎2018-12-18

You could check your VPN routing with our https://community.checkpoint.com/docs/DOC-2214-common-check-point-commands-ccc script.

G_W_Albrecht · ‎2018-12-18

Most common mistake possible here is not to use the corresponding file as found in sk98241 - but yours looks like you missunderstood the AND - how should that match to anything ? Depending on the criteria you want, an OR would be best...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Jerry · ‎2018-12-18

Thanks. You mean like this?:

((src in vpn_exclude_src1) and (dst in vpn_exclude_dst1)) or ((src in vpn_exclude_src2) and (dst in vpn_exclude_dst2)) or ((src in vpn_exclude_src3) and (dst in vpn_exclude_dst3))

Jerry

G_W_Albrecht · ‎2018-12-18

Look into the sk - it is either / or, but AND means all criteria are true, that is impossible...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Jerry · ‎2018-12-18

Danke all works like a charm now. indeed ÖRs made it a whole better LOL

Thanks chaps!

ps. @Danny - CCC is as always on most of my "Customers' SG/SMS devices so no panic, I've checked that before I posted here Thanks for heads up!

Jerry

G_W_Albrecht · ‎2018-12-18

So mark my post as the correct answer, please 😉

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

AntonMakarychev · ‎2019-10-24

Hello!

I have static route to some IP - 10.x.x.x

Also this IP has peer in its VPN Domain. With this peer I have Site-to-Site VPN.

If I exclude this IP from VPN using crypt.def will I get to the IP using static route or the route will be through VPN just in clear text?

Are you a member of CheckMates?

VPN Exclusions (made inside $FWDIR/lib/crypt.def) does not work