AnsweredAssumed Answered

VPN Exclusions (made inside $FWDIR/lib/crypt.def) does not work

Question asked by 89f54c70-508c-400f-9477-dd8648799b1e on Dec 18, 2018
Latest reply on Dec 18, 2018 by Günther W. Albrecht

ok. here is a proper update for you all, should anyone knows what a heck I'm doing wrong (*wink*) - do let me know

 

obviously I was following IN DETAIL sk86582 but,:

 

exec ping 10.10.10.1 (from Fortigate CLI on 10.10.10.4)

5 packets transmitted, 0 packets received, 100% packet loss

 

whilst on zdebug on CP Cluster:

 

;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=1 10.10.10.4:2048 -> 10.10.10.1:5649 dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;

 

when $FWDIR/lib/crypt.def (on SMS + successfuly pushed is like following:

 

vpn_exclude_src1={<192.168.16.0,192.168.16.254>};

vpn_exclude_dst1={<a.a.a.1,a.a.a.254>};

vpn_exclude_src2={<10.10.10.0,10.10.10.255>};

vpn_exclude_dst2={<10.10.10.0,10.10.10.255>};

vpn_exclude_src3={<a.a.a.1,a.a.a.254>};

vpn_exclude_dst3={<192.168.16.0,192.168.16.254>};

 

with following in a proper place as well:

 

((src in vpn_exclude_src1) and (dst in vpn_exclude_dst1)) and ((src in vpn_exclude_src2) and (dst in vpn_exclude_dst2)) and ((src in vpn_exclude_src3) and (dst in vpn_exclude_dst3))

 

ps. all in right space, spot and policy installed - just simply DOES NOT WORK and I cannot ping whatever direction I'll take based on the exclude_objects from above.

 

any clue chaps ?

Outcomes