Multi Entry point configuration(MEP) addition into existing primary and secondary tunnel
Multi Entry Point (MEP) with externally managed gateways as central gateways in star community.
Scenario:
Please go through the attached diagram.
Existing tunnels: primary from FW A to FW C
Secondary from FW B to FW C
Presently using NAT IPs to connect through the secondary tunnel.
As the client segment size has increased to /16 and NAT cannot be done, and due to internal WAN conflicts, a new FW D is placed.
Requirement is to add a new FW D and build MEP to externally managed gateways FWs A and B, which have an existing tunnel to communicate with client FW C.
A and B are externally managed gateways. Is it possible to do this using MEP till hub location FWs A and B for failover, and after that take the existing tunnel from FW A and B? PFA diagram.
Please share some thoughts if anybody has done MEP.
Your diagram and your text contradict each other.
Your text above says GW A and B are externally managed.
Firewall C is listed as an interoperable device in your diagram--which also implies externally managed.
Which gateways are managed by you in this diagram?
Is your expectation for hosts behind Firewall D to also reach hosts behind Firewall C through the VPN with A and B?
Hi,
Thanks for the query.
FW A, B and D are managed by us. But unfortunately all 3 are in different managements, meaning in 3 different managements. A and B are hub location firewalls and have existing tunnels with an interoperable device.
So the requirement is for autofailover to happen in the tunnel towards A and B from FW D and reach FW C (managed out of organization) without outage.
For firewall D gateway, FW A and B are externally managed gateways.
Hope this makes it clear.
Thanks,
Giridhar
Thanks, it makes it much clearer.
How is the VPN between A>C and B>C done today?
Is it done with route-based VPNs or are you using regular communities with fixed encryption domains?
Hello,
A to C and B to C are regular fixed community VPNs.
As MEP probing is done using port 259, does that port need to be enabled between gateways D and A, and also D and B?
I know MEP only works with Check Point VPN endpoints (which means it's not relevant for A>C or B>C).
What I don't know is whether or not it works with externally managed Check Point gateways.
In which case you may need to do this with route-based VPNs.
It works with externally managed Check Point gateways. Yes, route-based VPNs are the only option with other vendors for autofailover.