As we all know, you can exclude services from the VPN community, but suppose the service is HTTP: we may want to send HTTP traffic through the VPN and still be able to
reach a web server on the external side that isn't part of the VPN but happens to sit behind the VPN peer's external interface, for instance because the external side only has one public IP.
Not really an enterprise problem I suppose, but anyway..
Tobias Lanchmann has written a great post on this and I'll basically just add the important info below for reference. You can read the full post here.
Basically all we do is exclude the VPN peer from the encryption domain (which, for some strange reason, silently includes the VPN peer itself).
Edit the file $FWDIR/lib/crypt.def on the Security Management and change the line
#define NON_VPN_TRAFFIC_RULES 0
to:
#define NON_VPN_TRAFFIC_RULES (dst= IP_Address_Of_VPN_Peer)
Please be aware that this is the way for version R70 and above.
If you have a R75 Security Management that is managing R70 or R71 gateways, you have to edit the file in the compatibility package directory instead.
/opt/CPR71CMP-R75/lib/crypt.def
If you have more than one VPN peer:
#define NON_VPN_TRAFFIC_RULES (dst=x.x.x.x or dst=y.y.y.y)
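To avoid hand-editing the define (and mistyping the multi-peer form), here is an added example that is not part of Tobias's post or Check Point's own tooling: it builds the NON_VPN_TRAFFIC_RULES value from a list of peer addresses, validates each address, refuses to touch a file where the define is missing or duplicated, and keeps a .bak copy. The excerpt of crypt.def is constructed for the example; the real file is much larger, and the peer addresses are placeholders.

```python
"""Rewrite the NON_VPN_TRAFFIC_RULES define in a copy of $FWDIR/lib/crypt.def."""
import ipaddress
import re
from pathlib import Path

# Constructed excerpt of crypt.def: only the line we care about is shown.
SAMPLE_CRYPT_DEF = (
    "/* excerpt constructed for this example */\n"
    "#define NON_VPN_TRAFFIC_RULES 0\n"
)

_DEFINE_RE = re.compile(r"^#define\s+NON_VPN_TRAFFIC_RULES\s+.*$", re.MULTILINE)


def build_rule(peers):
    """Return the macro value: '0' for no peers, otherwise '(dst=a or dst=b ...)'."""
    # ip_address() raises ValueError on anything that is not a valid address,
    # so a typo cannot end up in the policy.
    valid = [str(ipaddress.ip_address(p)) for p in peers]
    if not valid:
        return "0"
    return "(" + " or ".join(f"dst={p}" for p in valid) + ")"


def patch_crypt_def(text, peers):
    """Return text with the define replaced; refuse ambiguous files."""
    matches = _DEFINE_RE.findall(text)
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one NON_VPN_TRAFFIC_RULES define, found {len(matches)}"
        )
    return _DEFINE_RE.sub(f"#define NON_VPN_TRAFFIC_RULES {build_rule(peers)}", text)


def patch_file(path, peers):
    """Patch a crypt.def on disk, keeping the original as <path>.bak."""
    p = Path(path)
    original = p.read_text()
    p.with_suffix(p.suffix + ".bak").write_text(original)
    p.write_text(patch_crypt_def(original, peers))


if __name__ == "__main__":
    # Placeholder peer addresses (RFC 5737 documentation ranges).
    print(patch_crypt_def(SAMPLE_CRYPT_DEF, ["203.0.113.10", "198.51.100.7"]))
```

Run patch_file against the crypt.def of the management (or of the compatibility package directory for older gateways) and then install the policy as usual; the backup lets you diff what changed.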
Thanks for sharing this Tobias.
These are the common steps to install the SNMP libraries on your CentOS box.
I put it up just since I always forget the snmpconf command.
yum install net-snmp
yum install net-snmp-utils
snmpconf -g basic_setup
This will generate your /etc/snmp/snmpd.conf
Don't forget to:
chkconfig snmpd on
service snmpd start
While at it, here are some useful chkconfig commands:
chkconfig --list [name]   (--list is the one I'm using the most)
chkconfig --add name
chkconfig --del name
chkconfig [--level levels] name <on|off|reset>
chkconfig [--level levels] name
First off, I found this GREAT article at http://deepakarora1984.blogspot.com/2010/08/gre-tunnels-unleashed-making-breaking.html, it's really good.
Thanks for explaining this for me Deepak.
GRE Tunnels Unleashed – Making, Breaking & Troubleshooting
Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of network layer protocol packet types inside IP tunnels, creating a virtual point-to-point link to various brands of routers at remote points over an Internet Protocol (IP) internetwork.
It always kind of amazed me, but in the beginning of my career in networking I had a lot of problems understanding and configuring GRE tunnels.
Maybe the reason is that this topic is not very well documented on the Cisco DOC CD – at least that's what I think.
The problem for me was never configuring the tunnel itself but rather understanding how to choose tunnel source vs tunnel destination,
how GRE tunnels work from a technology point of view, their benefits, their drawbacks,
understanding the GRE keep-alive mechanism & what things can potentially cause problems with tunnels etc.
Some Tiny details before getting deeper:
GRE is IP protocol number 47
RFC 1702
Types: P2P, P2M (e.g. DMVPN – more of a security topic)
So let’s begin with it and let me explain each of these things one by one.
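To make the "packet inside an IP tunnel" description above concrete, here is an added example (mine, not from Deepak's article or any Cisco tool) that parses an IPv4 packet, recognises GRE by the outer protocol number 47, decodes the GRE header flags and optional key/sequence fields, and pulls out the inner IPv4 addresses. The packet bytes are constructed inline from documentation addresses; nothing is captured from a real network.

```python
"""Decode a GRE-over-IPv4 packet: outer IP header, GRE header, inner IP header."""
import struct

GRE_PROTO = 47          # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" value for an inner IPv4 packet


def ipv4_checksum(header):
    """Standard ones-complement sum over the IPv4 header (returns 0 when valid)."""
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(buf):
    """Return (fields, payload); raises ValueError on a malformed header."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20]
    )
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl or total < ihl:
        raise ValueError("bad IPv4 version/length")
    if ipv4_checksum(buf[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    fields = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
              "proto": proto, "ttl": ttl}
    return fields, buf[ihl:total]


def parse_gre(buf):
    """Decode the GRE header (RFC 1701 layout): flags/version, protocol, options."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", buf[:4])
    hdr = {"checksum_present": bool(flags & 0x8000), "key_present": bool(flags & 0x2000),
           "seq_present": bool(flags & 0x1000), "version": flags & 0x7, "protocol": proto}
    off = 4
    if hdr["checksum_present"]:          # checksum + 2 reserved bytes
        hdr["checksum"] = struct.unpack("!H", buf[off:off + 2])[0]
        off += 4
    if hdr["key_present"]:
        hdr["key"] = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if hdr["seq_present"]:
        hdr["sequence"] = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if len(buf) < off:
        raise ValueError("GRE options run past end of packet")
    return hdr, buf[off:]


def describe_tunnel(buf):
    """Return a summary dict for a GRE packet, or None if the packet is not GRE."""
    outer, payload = parse_ipv4(buf)
    if outer["proto"] != GRE_PROTO:
        return None
    gre, inner_bytes = parse_gre(payload)
    info = {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "gre_protocol": gre["protocol"], "gre_key": gre.get("key")}
    if gre["protocol"] == ETHERTYPE_IPV4:
        inner, _ = parse_ipv4(inner_bytes)
        info["inner_src"], info["inner_dst"] = inner["src"], inner["dst"]
    return info


def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (20-byte header, correct checksum) around payload."""
    to_bytes = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      to_bytes(src), to_bytes(dst))
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def sample_packet():
    """Constructed GRE packet: tunnel 192.0.2.1 -> 198.51.100.1 carrying 10.0.0.1 -> 10.0.1.1."""
    inner = build_ipv4("10.0.0.1", "10.0.1.1", 1, b"\x08\x00\x00\x00\x00\x01\x00\x01")
    gre = struct.pack("!HH", 0x2000, ETHERTYPE_IPV4) + struct.pack("!I", 1234)  # K bit + key
    return build_ipv4("192.0.2.1", "198.51.100.1", GRE_PROTO, gre + inner)


if __name__ == "__main__":
    print(describe_tunnel(sample_packet()))
```

The same decoder is what you would run over a capture to confirm that a tunnel is actually forming: if the outer protocol is not 47, or the GRE key does not match what both ends were configured with, the problem is in the tunnel source/destination choice rather than in the inner routing.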
How can we change the default 1024-bit CSR, e.g. for Network Extender?
We have an old R62 deployment and needed a new certificate; the requests got rejected since they were only 1024 bits..
What to do?
Just go to Global Properties -> SmartDashboard Customization -> Configure -> Certificates and PKI properties.
There is an option to define the key size for the certificates. Default is 1024 BUT you can change it to 2048 and 4096 bits.
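Before sending a new request to the CA it is worth checking the key size of the CSR you actually generated, since the GUI setting only applies to requests made after the change. The following is an added example, not part of the post or of Check Point's tools; it assumes the openssl command-line tool is on the PATH and uses a placeholder subject. generate_csr only exists to produce test material; csr_key_bits is the check you would run on the real request file.

```python
"""Read the RSA key size out of a CSR with openssl and compare it to a policy minimum."""
import re
import subprocess
import tempfile
from pathlib import Path

MIN_BITS = 2048  # assumed policy minimum for this example


def generate_csr(directory, bits, subject="/CN=placeholder.invalid"):
    """Create a throwaway key and CSR (constructed test material, not a real request)."""
    key = Path(directory) / "key.pem"
    csr = Path(directory) / "req.pem"
    subprocess.run(
        ["openssl", "req", "-new", "-newkey", f"rsa:{bits}", "-nodes",
         "-keyout", str(key), "-out", str(csr), "-subj", subject],
        check=True, capture_output=True,
    )
    return csr


def csr_key_bits(csr_path):
    """Return the public key size (bits) reported by 'openssl req -text'."""
    out = subprocess.run(
        ["openssl", "req", "-in", str(csr_path), "-noout", "-text"],
        check=True, capture_output=True, text=True,
    ).stdout
    # Both "Public-Key: (2048 bit)" and the older "RSA Public Key: (2048 bit)" match.
    m = re.search(r"Public[- ]Key: \((\d+) bit\)", out)
    if not m:
        raise ValueError("could not find the key size in openssl output")
    return int(m.group(1))


def csr_acceptable(csr_path, minimum=MIN_BITS):
    """True when the CSR's key meets the minimum size."""
    return csr_key_bits(csr_path) >= minimum


def check_fresh_csr(bits, minimum=MIN_BITS):
    """Generate a CSR of the given size in a temp dir and return (bits found, acceptable)."""
    with tempfile.TemporaryDirectory() as d:
        csr = generate_csr(d, bits)
        found = csr_key_bits(csr)
        return found, found >= minimum


if __name__ == "__main__":
    print(check_fresh_csr(2048))
```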