- CheckMates
- :
- Products
- :
- General Topics
- :
- How is VPN traffic excluded via crypt.def routed?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How is VPN traffic excluded via crypt.def routed?
Hi Checkmates,
I've got a scenario whereby I've got a star community with all traffic routed through the center.
I've got a requirement now to break out SMTP traffic to a specific destination locally at one of the spokes (and at that spoke only - all other spokes should still encrypt and send through the center).
In the event that I exclude a specific source / destination / service via crypt.def, would traffic then obey a policy route on the gateway or would it still be sent to the center, but in cleartext? The spoke in question is a Quantum spark running 80.20.50 in case it's relevant.
Is there perhaps a better way of doing this than fiddling with crypt.def and INSPECT syntax? FWIW this is the syntax I'm looking to implement:
#ifndef NON_VPN_TRAFFIC_RULES
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (src=192.168.1.10,dst=1.2.3.4,dport=25)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
#endif
Thanks,
Ruan
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This "hack" to crypt.def ensures the specified traffic is NOT encrypted (i.e. sent through VPN) and it should be sent according to the normal routing table.
Unfortunately, there isn't a cleaner way to do this currently.
And, because you're talking SMB gateways, make sure the change is made to the appropriate "Backward Compatibility" directory version of crypt.def.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I could be mistaken, but I believe if you modify crypt.def, it would be sent in clear, maybe someone else can confirm 100%. Actually, I dont believe TAC would ever recommend you to do something like this, but I saw customer once create VPN rule to block traffic they did NOT want going through the tunnel (they just placed it above accept vpn rule). Personally, I only saw that one time and never again. Most people just do it by modifying the file you mentioned.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This "hack" to crypt.def ensures the specified traffic is NOT encrypted (i.e. sent through VPN) and it should be sent according to the normal routing table.
Unfortunately, there isn't a cleaner way to do this currently.
And, because you're talking SMB gateways, make sure the change is made to the appropriate "Backward Compatibility" directory version of crypt.def.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have a similar issue which is on location A I have a SMB Quantum spark running 80.20.50 which has established IPsec tunnel to location B which is a Cluster of 3600 appliances. All traffic is routed through center which is cluster. On location A I have a device with local IP 192.168.15.245 which traffic should not be going through tunnel but directly to internet from location A.
How should I write my crypt.def ?
#ifndef NON_VPN_TRAFFIC_RULES
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (src=192.168.15.245)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
#endif
Looking forward to your reply,
Klemen
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Klemen, as per above we did this successfully for one of our clients, I'll see if I can get a sanitized copy and post it here.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
should I open new ticket or are you still trying to get sanitized copy ?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Klemen,
This is what we used (need was to exclude SMTP traffic from a specific host from the tunnel):
#ifndef NON_VPN_TRAFFIC_RULES
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (src=192.168.10.10,dport=25)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
#endif
Also refer to the below to SK's (depending on the gateway platform you need to modify different files on the SMS etc.)
Thanks,
Ruan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
does anyone know the possible syntax? I need to exlude several networks and working just with "src=" and "dst=" and many many "or" in between leads to a very big crypt.def file! Usage of networks would be great.....
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The language used here is INSPECT, so it should be possible.
fw monitor uses the same syntax, and it’s described here: https://support.checkpoint.com/results/sk/sk30583
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Checked so far - wildcard would have been the best option but seems not to work (like exclude all MPLS routers to check connectivity....10.190.*.1).
Also as I see no option to install specific rules only on specific gateways.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're changing an INSPECT macro.
I'm not aware of a way to make it different for different gateways short of manually maintaining it for each gateway.
A route-based VPN would probably be a better approach here since it can be affected through routing changes on the local gateway.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it works perfectly with gaia gateways - just the added 1500 devices on R81.10 completely ignore the VPN exclustions in crypt.def.
File should be the same for all R81.10 gateways, right? $FWDIR/lib/crypt.def
Or is there a different syntax for the quantum spark series?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Different locations for Spark as far as I recall - I linked the SK's in a previous post.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thought from R81.20 Mgmt admin guide it should be $FWDIR/CPSFWR81CMP-R81.10/lib/crypt.def but changes here are not influencing quantum sparc behavior.....so I creates an SR.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is only for SMB gateways running R81.10.
For other firmware versions, you'll need a different path.