Giridhar_Sasidh
Participant

Multi Entry Point configuration (MEP) addition into existing primary and secondary tunnel

Multi Entry Point (MEP) with externally managed gateways as central gateways in a star community.

 

Scenario:

Please go through the attached diagram.

Existing tunnels: primary from FW A to FW C

Secondary from FW B to FW C

Presently using NAT IPs to connect through the secondary tunnel.

 

As the client segment size has increased to /16, NAT cannot be done, and due to internal WAN conflicts a new FW D is placed.

The requirement is to add a new FW D and build MEP to the externally managed gateways FW A and FW B, which have an existing tunnel to communicate with the client FW C.

A and B are externally managed gateways. Is it possible to do this using MEP up to the hub location FWs A and B for failover, and after that take the existing tunnel from FW A and B? PFA diagram.

Please share some thoughts if anybody has done MEP.

6 Replies
PhoneBoy
Admin

Your diagram and your text contradict each other.

Your text above says GW A and B are externally managed.

Firewall C is listed as an interoperable device in your diagram, which also implies externally managed.

Which gateways are managed by you in this diagram?

Is your expectation for hosts behind Firewall D to also reach hosts behind Firewall C through the VPN with A and B?

Giridhar_Sasidh
Participant

Hi,

Thanks for the query.

FW A, B and D are managed by us. But unfortunately all 3 are in different managements, meaning 3 different managements. A and B are hub location firewalls and have existing tunnels with an interoperable device.

So the requirement is for auto-failover to happen in the tunnel from FW D towards A and B, and to reach FW C (managed outside the organization) without outage.

For firewall D, gateways FW A and B are externally managed gateways.

Hope this makes it clear.


Thanks,

Giridhar

PhoneBoy
Admin

Thanks, it makes it much clearer.

How is the VPN between A>C and B>C done today?

Is it done with route-based VPNs or are you using regular communities with fixed encryption domains?

Giridhar_Sasidh
Participant

Hello,

A to C and B to C are regular fixed-community VPNs.

As MEP probing is done using port 259, does that port need to be enabled between gateways D and A, and also between D and B?


PhoneBoy
Admin

I know MEP only works with Check Point VPN endpoints (which means it's not relevant for A>C or B>C).

What I don't know is whether or not it works with externally managed Check Point gateways.

In which case you may need to do this with route-based VPNs.

Giridhar_Sasidh
Participant

It works with externally managed Check Point gateways. Yes, route-based VPNs are the only option with other vendors for auto-failover.
