10 Jan, 2012
Exclude the external vpn peer from the L2L vpn traffic in a Checkpoint vpn community.
Posted by: admin In: Checkpoint
As we all know, you can exclude services from the VPN community. But take HTTP as an example: we may want to send HTTP traffic through the VPN and still be able to
reach the external party's external web server, which is not part of the VPN but just happens to sit on the VPN peer's external interface, for instance because the external party only has one public IP.
Not really an enterprise problem, I suppose, but anyway..
Tobias Lanchmann has written a great post on this and I'll basically just add the important info below for reference. You can read the full post here.
Basically all we do is exclude the VPN peer from the encryption domain (which actually includes the VPN peer itself for some strange reason.. of course in secret).
Edit the file $FWDIR/lib/crypt.def on the Security Management and change the line
#define NON_VPN_TRAFFIC_RULES 0
to:
#define NON_VPN_TRAFFIC_RULES (dst= IP_Address_Of_VPN_Peer)
Please be aware that this applies to version R70 and above.
If you have a R75 Security Management that is managing R70 or R71 gateways, you have to edit the file in the compatibility package directory instead.
/opt/CPR71CMP-R75/lib/crypt.def
If you have more than one VPN peer:
#define NON_VPN_TRAFFIC_RULES (dst=x.x.x.x or dst=y.y.y.y)
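As an added example (not from Tobias's post and not a Check Point tool), here is a small POSIX sh helper that builds the NON_VPN_TRAFFIC_RULES expression for one or more peer addresses and swaps it into a copy of crypt.def, refusing anything that is not a dotted-quad address and keeping a backup of the original file; the file path and the peer addresses are assumptions.

```shell
#!/bin/sh
# Added example: generate and apply the NON_VPN_TRAFFIC_RULES define described above.
# Assumes crypt.def still contains the stock line "#define NON_VPN_TRAFFIC_RULES 0".

# build_rule IP... -> "(dst=IP1 or dst=IP2 ...)", the expression format used in the post
build_rule() {
    rule=""
    for ip in "$@"; do
        # only digits and dots may reach the sed replacement below; reject anything else
        case "$ip" in
            *[!0-9.]*|"") echo "build_rule: bad address '$ip'" >&2; return 1 ;;
        esac
        if [ -z "$rule" ]; then rule="dst=$ip"; else rule="$rule or dst=$ip"; fi
    done
    [ -n "$rule" ] || { echo "build_rule: no peers given" >&2; return 1; }
    printf '(%s)\n' "$rule"
}

# patch_crypt_def FILE IP... : replace the stock define in FILE, backup kept as FILE.orig
patch_crypt_def() {
    file=$1; shift
    rule=$(build_rule "$@") || return 1
    # refuse to run twice or on a file that has been edited by hand already
    grep -q '^#define NON_VPN_TRAFFIC_RULES 0$' "$file" || {
        echo "patch_crypt_def: stock define not found in $file (already edited?)" >&2
        return 1
    }
    cp "$file" "$file.orig" || return 1
    sed "s|^#define NON_VPN_TRAFFIC_RULES 0\$|#define NON_VPN_TRAFFIC_RULES $rule|" \
        "$file.orig" > "$file"
}

# usage on a Security Management server (paths from the post; addresses are placeholders):
#   patch_crypt_def "$FWDIR/lib/crypt.def" 192.0.2.10 198.51.100.7
```

The edited define only reaches the gateways once a policy is installed afterwards, so install policy and re-test the plain HTTP connection to the peer address after running the helper.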
Thanks for sharing this Tobias.