https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-MEP-issue/m-p/79612#M11114 <P>Thanks&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;</P><P>I assumed this is a limitation but couldn't find a firm confirmation.</P><P>&nbsp;</P> Tue, 24 Mar 2020 21:28:44 GMT Alex_Shpilman 2020-03-24T21:28:44Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-MEP-issue/m-p/78963#M11110 <P>Hi Checkmates,</P><P><BR />I'd like to setup MEP on remote access VPN for redundancy between 2 clusters in different locations, there is a WAN link between them.</P><P><BR />We also use each cluster as a proxy, with APPC, URLF and HTTPS inspection.</P><P>Currently, the remote access encryption domains are not overlapping at all.</P><P>When overlapping encryption domains are being configured (fully or partially), the gateway interfaces are being excluded from the topology and that's reflected on the client's routing table.</P><P><BR />As a result of this, we can't connect to the proxy while on VPN, can't ping any of the gateway interfaces either, services behind the gateways in both locations are accessible as expected.</P><P>I tried to configure interface alias or destination NAT to use an IP which is still in the routing table of the client but the gateway doesn't allow this as proxy.</P><P>We don't route all the traffic through the gateways while on VPN (i.e. split tunneling is being enabled) but the customer is keen still to run web traffic through the proxy.</P><P>Any ideas how to overcome this issue?&nbsp;</P><P>&nbsp;</P><P>Thanks.</P> Fri, 20 Mar 2020 11:39:48 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-MEP-issue/m-p/78963#M11110 Alex_Shpilman 2020-03-20T11:39:48Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-MEP-issue/m-p/79440#M11111 Maybe set up Squid on a VM for these remote users to connect to instead?<BR />Otherwise it’s an RFE to address I assume.<BR /> Mon, 23 Mar 2020 23:46:10 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-MEP-issue/m-p/79440#M11111 PhoneBoy 2020-03-23T23:46:10Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-MEP-issue/m-p/79441#M11112 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp; thanks for your response.</P><P>Can you confirm this is a known limitation?</P><P>I can place the proxy behind an F5, but wanted to explore all the option before doing so.</P> Mon, 23 Mar 2020 23:58:36 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-MEP-issue/m-p/79441#M11112 Alex_Shpilman 2020-03-23T23:58:36Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-MEP-issue/m-p/79608#M11113 Yes.<BR />This is implied by the fact that MEP is only supported when encryption domains fully overlap (either exactly the same or one is a proper subset of the other).<BR />See: <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk106837" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk106837</A><BR />As gateway IPs are unique, and partially overlapping encryption domains aren't supported at all, it makes sense they are not included in the encryption domain. Tue, 24 Mar 2020 20:38:04 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-MEP-issue/m-p/79608#M11113 PhoneBoy 2020-03-24T20:38:04Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-MEP-issue/m-p/79612#M11114 <P>Thanks&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;</P><P>I assumed this is a limitation but couldn't find a firm confirmation.</P><P>&nbsp;</P> Tue, 24 Mar 2020 21:28:44 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-MEP-issue/m-p/79612#M11114 Alex_Shpilman 2020-03-24T21:28:44Z