topic Re: MEP only for selected gateways in SASE and Remote Access

MEP only for selected gateways

marcyn — Mon, 29 Apr 2024 18:00:13 GMT

Hi CheckMates,

Let's suppose we have one SMS which can manage 10 SGs.
We manage 6 of these SGs, and rest (4) are managed by 3rd party company (we see these gateways in SMS, but somebody else manages them, and they have their own LANs, DMZs, etc).

And now we decided that we want to add 2 more SGs that will act as VPN gateway for our remote users.

As we all know MEP is enabled by default, which we can of course change from "true" to "false" or "client_decide".

So if MEP is set as "true" ... what will remote user see after he will add new site in Check Point Mobile/Endpoint Connect ?
Soon after first connection topology will be downloaded from this VPN gateway and on next connection user will see a new option - select box - where he will see EACH AND EVERY gateway that are in RemoteAccess VPN Community.
If there will be only these newly added VPN gateways - he will see only these two.

But what if administrator from this 3rd party organisation will enable IPSec VPN blade and add one or more of these 4 SGs to the RemoteAccess VPN Community ?
Our remote users will see our 2 VPN gateways ... and these gateways of 3rd party organisation in this select box ... and 3rd party organisation remote users will see theirs gatewa ... and our 2 VPN gateways...

Two questions:
1) Do you know if there is some option to "filter" which gateways could be chosen by remote users for MEP (so that ours remote users should see only our 2 VPN gateway, and remote users from 3rd party organisation should see only theirs 4 gateways) ?
I was thinking about trac_client_1.ttm file ... but I don't see anything about that...
However I know that this file doesn't contain everything ... for example if you want to allow remote users to exclude localy connected networks from Hub Mode ... you need to add special entry to this file.
So perhabs there is something similar regarding MEP ?
Eh... if we could have more then one RemoteAccess VPN Community .... but we can't 😞

2) Even if Customer will select one particular gateway from this select box ... client's application connects to different gateway (each and every time it is the first one from the list) - even that I have option "client_decide" in "automatic_mep_topology".
How can I change that. It looks like as if "client_decide" for "mep_mode" is the same as "first_to_respond"...
Or maybe each Customer should change file C:\Program Files (x86)\CheckPoint\Endpoint Connect\trac.defaults regarding MEP .... it would be absurd.

Excerpt from $FWDIR/conf/trac_client_1.ttm:

(...) :mep_mode ( :gateway ( :map ( :dns_based (dns_based) :first_to_respond (first_to_respond) :primary_backup (primary_backup) :load_sharing (load_sharing) :client_decide (client_decide) ) :default (client_decide) ) ) (...) (...) :automatic_mep_topology ( :gateway ( :map ( :false (false) :true (true) :client_decide (client_decide) ) :default (true) ) ) (...)

As you can see these are default settings.

I can understand that with "automatic_mep_topology" selected as "true" client's application will not be able to select gateway - this choice will be done "automatically" based on some parameters.
But if this option will be changed to "client_decide" ... in my opinion gateway that will be chosen, should be this one selected from select box by the user ....

What do you think ?

--
Best
m.

Re: MEP only for selected gateways

the_rock — Mon, 29 Apr 2024 18:13:10 GMT

Thats exactly how it works with that option client_decide, they would be given a choice when connecting.

Andy

Re: MEP only for selected gateways

marcyn — Mon, 29 Apr 2024 18:18:38 GMT

Hi Andy,

Yup ... they are ... but as I described I don't want them to see each and every gateway that is added to RemoteAccess VPN Community 🙂
And ... maybe they have this option ... but it doesn't matter which gateway they will choose ... application will connect to the first gateway on the list anyway 🙂

--
Best
m.

Re: MEP only for selected gateways

the_rock — Mon, 29 Apr 2024 19:10:10 GMT

Wait, maybe I misunderstood. in case you do NOT want users to see the gateways, just choose whichever is deemed as primary, then choose option automatic mep topology to true, as per below, depending if its implicit or manual MEP.

Andy

https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_RemoteAccessVPN_AdminGuide/html_frameset.htm?topic=documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_RemoteAccessVPN_AdminGuide/164758

Re: MEP only for selected gateways

marcyn — Mon, 29 Apr 2024 18:27:42 GMT

Hi Andy,

Ah yes ... I completely forgot about manual mode for MEP ...

I will try this one:

Under mep_mode, change default (client_decide) to default(first_to_respond). Under ips_of_gws_in_mep, change default (client_decide) to default(<PrimaryIP&#SecondaryIP&#TertiaryIP&#>). For example, default(192.168.20.250&#192.168.20.240&#).

It looks like it could be the option that I'm looking for ... "ips_of_gws_in_mep" 🙂

I will let you know if it will work

--
Best
m.

Re: MEP only for selected gateways

the_rock — Mon, 29 Apr 2024 18:28:44 GMT

Yep, thats it!

Sure, hope it works.

Andy

Re: MEP only for selected gateways

marcyn — Mon, 29 Apr 2024 19:06:52 GMT

Yes,
I confirm this is it !

Again ... completely forgot about manual MEP .... ehh 🙂

So in case anybody will have the same "problem" - choose Manual MEP 🙂

Thanks Andy.

--
Best
m.

Re: MEP only for selected gateways

the_rock — Mon, 29 Apr 2024 19:11:13 GMT

FYFOC = for you, free of charge 😉

Best,

Andy