Monday, October 10, 2016

How to exlude some networks from VPN tunnel



In some case it’s necessary to exclude a networks (or single IP address) in VPN tunnel. It’s possible using the crypt.def file, placed on the Security Management Server.

On the Security Management Server there is no only one crypt.def file, but there is one for each version of firewall we need to make the change. To know the details please refer to the sk 98241.

First of all create a backup file with the following command (in expert mode)
[Expert@HostName]# cd $FWDIR/lib
[Expert@HostName]# cp $FWDIR/lib/crypt.def  $FWDIR/lib/crypt.def_BKP 
Then open the current “crypt.def” file
[Expert@HostName]# vi crypt.def 

At the end of file you find this string :

#ifndef NON_VPN_TRAFFIC_RULES
#define NON_VPN_TRAFFIC_RULES 0
#endif

We have to modify this row:

#define NON_VPN_TRAFFIC_RULES 0

If you want to exclude only IPv4 address, at the end of editing the file should look like this:

#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (src=IP_Address_Of_VPN_Peer)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif

If you want to exclude multiple IPv4 addresses

#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (src=IP1_Address_Of_VPN_Peer or src=IP2_Address_Of_VPN_Peer)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif

All the changes made in this file are transferred to the managed Security Gateway / Cluster during policy installation.
Posted by at

5 comments:

  1. sami sheikhDecember 27, 2017 at 7:55 AM

    Thanks for sharing this useful info..
    hide my ass vpn service

    ReplyDelete
  2. AkseosolutionsAugust 7, 2019 at 7:22 AM

    Took me time to read all the comments, but I really enjoyed the article. It proved to be Very helpful to me and I am sure to all the commenters here! It’s always nice when you can not only be informed, but also entertained! torrenting without vpn

    ReplyDelete
  3. AkseosolutionsAugust 7, 2019 at 9:36 AM

    Great job for publishing such a beneficial web site. Your web log isn’t only useful but it is additionally really creative too. discount spotify premium

    ReplyDelete
  4. UnknownSeptember 19, 2019 at 1:08 PM

    I can see that you are an expert at your field! I am launching a website soon, and your information will be very useful for me.. Thanks for all your help and wishing you all the success in your business. anime torrents

    ReplyDelete
  5. Terri MeeksSeptember 21, 2019 at 1:49 AM

    I just found this blog and have high hopes for it to continue. Keep up the great work, its hard to find good ones. I have added to my favorites. Thank You. setup vpn iphone

    ReplyDelete

Subscribe to: Post Comments (Atom)