This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jerry
Mentor
Mentor
‎2018-12-18 02:30 AM
Jump to solution

VPN Exclusions (made inside $FWDIR/lib/crypt.def) does not work

ok. here is a proper update for you all, should anyone knows what a heck I'm doing wrong (*wink*) - do let me know Smiley Happy

obviously I was following IN DETAIL sk86582 but,:

exec ping 10.10.10.1 (from Fortigate CLI on 10.10.10.4)

5 packets transmitted, 0 packets received, 100% packet loss

 

whilst on zdebug on CP Cluster:

 

;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=1 10.10.10.4:2048 -> 10.10.10.1:5649 dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;

 

when $FWDIR/lib/crypt.def (on SMS + successfuly pushed is like following:

 

vpn_exclude_src1={<192.168.16.0,192.168.16.254>};

vpn_exclude_dst1={<a.a.a.1,a.a.a.254>};

vpn_exclude_src2={<10.10.10.0,10.10.10.255>};

vpn_exclude_dst2={<10.10.10.0,10.10.10.255>};

vpn_exclude_src3={<a.a.a.1,a.a.a.254>};

vpn_exclude_dst3={<192.168.16.0,192.168.16.254>};

 

with following in a proper place as well:

 

((src in vpn_exclude_src1) and (dst in vpn_exclude_dst1)) and ((src in vpn_exclude_src2) and (dst in vpn_exclude_dst2)) and ((src in vpn_exclude_src3) and (dst in vpn_exclude_dst3))

 

ps. all in right space, spot and policy installed - just simply DOES NOT WORK and I cannot ping whatever direction I'll take based on the exclude_objects from above.

any clue chaps ?

Jerry
0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2018-12-18 02:58 AM
Jump to solution

Most common mistake possible here is not to use the corresponding file as found in sk98241 - but yours looks like you missunderstood the AND - how should that match to anything ? Depending on the criteria you want, an OR would be best...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

0 Kudos
7 Replies
Danny
Champion Champion
Champion
‎2018-12-18 02:54 AM
Jump to solution

You could check your VPN routing with our https://community.checkpoint.com/docs/DOC-2214-common-check-point-commands-ccc script.

G_W_Albrecht
Legend Legend
Legend
‎2018-12-18 02:58 AM
Jump to solution

Most common mistake possible here is not to use the corresponding file as found in sk98241 - but yours looks like you missunderstood the AND - how should that match to anything ? Depending on the criteria you want, an OR would be best...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Jerry
Mentor
Mentor
‎2018-12-18 03:03 AM
In response to G_W_Albrecht
Jump to solution

Thanks. You mean like this?:

((src in vpn_exclude_src1) and (dst in vpn_exclude_dst1)) or ((src in vpn_exclude_src2) and (dst in vpn_exclude_dst2)) or ((src in vpn_exclude_src3) and (dst in vpn_exclude_dst3))

Jerry
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-12-18 04:10 AM
In response to Jerry
Jump to solution

Look into the sk - it is either / or, but AND means all criteria are true, that is impossible...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Jerry
Mentor
Mentor
‎2018-12-18 04:31 AM
In response to G_W_Albrecht
Jump to solution

Danke Smiley Happy all works like a charm now. indeed ÖRs made it a whole better LOL

Thanks chaps!

ps. @Danny - CCC is as always on most of my "Customers' SG/SMS devices so no panic, I've checked that before I posted here Smiley Happy Thanks for heads up!

Jerry
G_W_Albrecht
Legend Legend
Legend
‎2018-12-18 04:39 AM
In response to Jerry
Jump to solution

So mark my post as the correct answer, please 😉

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
AntonMakarychev
Contributor
Contributor
‎2019-10-24 06:45 AM
Jump to solution

Hello!

I have static route to some IP - 10.x.x.x

Also this IP has peer in its VPN Domain. With this peer I have Site-to-Site VPN.

If I exclude this IP from VPN using crypt.def will I get to the IP using static route or the route will be through VPN just in clear text?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events