This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NJTsunss
Explorer
Monday

Quantum Spark 1600 Locally Managed Ra VPN Encryption Domain Problem

I have A Problem When I enable Manual Encryption Domain, My RA VPN clients not only Receive Routes That i have Created in Manually Encryption Domain, but they also receive routes for Active Interfaces which are behind Checkpoint.

I need my VPN Clients to only Reicieve Routes For The Networks I have Defined inside Encryption Domain, Is this Perhaps Some kind of A Bug Or am i Missing Configuration?

I use Endpoint Security VPN

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
Tuesday

Expected behavior.
Have you explicitly tried excluding them here (under Exclude Networks):

image.png

Otherwise, you're probably going to have to do something like: https://community.checkpoint.com/t5/General-Topics/VPN-traffic-exclusion-with-crypt-def/td-p/167592 

On a locally managed Quantum Spark appliance, after editing crypt.def, you will need to execute an fw_configload from Expert mode OR reboot the appliance for the change to take effect.

0 Kudos
NJTsunss
Explorer
Tuesday
In response to PhoneBoy

I tried Manual Exclusion But it gave me no difference, Will Try the method you linked

0 Kudos
NJTsunss
Explorer
yesterday
In response to PhoneBoy

I tried The Method You linked but still no luck, Currently I'm checking routes via Route print, the routes I get are this:

0.0.0.0 255.255.255.255 172.17.10.2 172.17.10.1 1
10.100.120.0 255.255.255.0 172.17.10.2 172.17.10.1 1
10.70.0.1 255.255.255.255 172.17.10.2 172.17.10.1 1
10.128.128.2 255.255.255.255 172.17.10.2 172.17.10.1 1
127.0.0.1 255.255.255.255 172.17.10.2 172.17.10.1 1
192.168.5.0 255.255.255.0 172.17.10.2 172.17.10.1 1

the only routes I should be getting are, 192.168.5.0 and 10.10.10.0
other addresses like 10.70.0.1 and 10.128.128.2 are my interface Ip addresses that are connected to other devices.

I tried Crypt.def
Changed it like this for example to exclude 10.70.0.1:

From this

#ifndef NON_VPN_TRAFFIC_RULES
#ifdef USE_NON_VPN_DESTINATIONS
#define NON_VPN_TRAFFIC_RULES (dst in non_vpn_destinations)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
#endif


#endif /* __crypt_def__ */

To this

#ifndef NON_VPN_TRAFFIC_RULES
#ifdef USE_NON_VPN_DESTINATIONS
#define NON_VPN_TRAFFIC_RULES (dst=10.70.0.1)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
#endif

#endif /* __crypt_def__ */


 
But 10.70.0.1 still stayed in Laptop routing table, am I doing something wrong?

0 Kudos
PhoneBoy
Admin
Admin
yesterday
In response to NJTsunss

This may not be possible on locally managed Quantum Spark appliances, or this isn't the right procedure for that.
Suggest a TAC case here.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events