Giridhar_Sasidh
Participant

Multi Entry Point (MEP) configuration addition into existing primary and secondary tunnel

Multi Entry Point (MEP) with externally managed gateways as central gateways in a star community.

Scenario:

Please go through the attached diagram.

Existing tunnels: primary from FW A to FW C.

Secondary from FW B to FW C.

Presently using NAT IPs to connect through the secondary tunnel.

As the client segment size has increased to /16, NAT cannot be done, and due to internal WAN conflicts a new FW D is placed.

The requirement is to add a new FW D and build MEP to the externally managed gateways FWs A and B, which have an existing tunnel to communicate with client FW C.

A and B are externally managed gateways. Is it possible to do this using MEP up to the hub location FWs A and B for failover, and after that take the existing tunnel from FW A and B? PFA diagram.

Please share some thoughts if anybody has done MEP.

6 Replies
PhoneBoy
Admin

Your diagram and your text contradict each other.

Your text above says GW A and B are externally managed.

Firewall C is listed as an interoperable device in your diagram, which also implies externally managed.

Which gateways are managed by you in this diagram?

Is your expectation for hosts behind Firewall D to also reach hosts behind Firewall C through the VPN with A and B?

Giridhar_Sasidh
Participant

Hi,

Thanks for the query.

FWs A, B and D are managed by us, but unfortunately all 3 are in 3 different managements. A and B are hub location firewalls and have existing tunnels with an interoperable device.

So the requirement is for auto-failover to happen in the tunnel from FW D towards A and B, and to reach FW C (managed outside the organization) without an outage.

For firewall D, gateways FW A and B are externally managed gateways.

Hope this makes it clear.


Thanks,

Giridhar

PhoneBoy
Admin

Thanks, it makes it much clearer.

How is the VPN between A>C and B>C done today?

Is it done with route-based VPNs or are you using regular communities with fixed encryption domains?

Giridhar_Sasidh
Participant

Hello,

A to C and B to C are regular fixed-community VPNs.

As MEP probing is done using port 259, does that port need to be enabled between gateways D and A, and also D and B?


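The question above is really a rulebase question: the MEP probes are RDP packets on UDP 259, and if the policy between D and each hub does not accept them, MEP will see every entry point as dead. As an added illustration (not code from this thread, from Check Point, or from any participant), the following Python models a first-match rulebase and checks whether D's probe to each hub is accepted; all addresses, CIDRs and rule names are constructed placeholders, and `with_probe_rule` shows the rule that has to sit above the cleanup rule.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress

# Constructed placeholder addresses for the topology in the thread (not from the post).
FW_D = "203.0.113.10"                          # new spoke gateway D
FW_A, FW_B = "198.51.100.1", "198.51.100.2"   # hub gateways A and B
MEP_PROBE_PROTO, MEP_PROBE_PORT = "udp", 259  # MEP uses RDP probes on UDP 259


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "udp", "tcp", "esp" or "any"
    port: Optional[int]  # destination port; None means any port
    action: str          # "accept" or "drop"


def matches(rule: Rule, src: str, dst: str, proto: str, port: Optional[int]) -> bool:
    """True when a single packet description falls inside this rule."""
    in_src = ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
    in_dst = ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
    proto_ok = rule.proto == "any" or rule.proto == proto
    port_ok = rule.port is None or rule.port == port
    return in_src and in_dst and proto_ok and port_ok


def first_match(rulebase: List[Rule], src: str, dst: str,
                proto: str, port: Optional[int]) -> Optional[Rule]:
    """First-match evaluation, as a stateful firewall policy is ordered."""
    for rule in rulebase:
        if matches(rule, src, dst, proto, port):
            return rule
    return None


def check_mep_probing(rulebase: List[Rule], spoke: str,
                      hubs: List[str]) -> Dict[str, Tuple[bool, str]]:
    """For each hub: (probe accepted?, name of the rule that decided it)."""
    report = {}
    for hub in hubs:
        rule = first_match(rulebase, spoke, hub, MEP_PROBE_PROTO, MEP_PROBE_PORT)
        accepted = rule is not None and rule.action == "accept"
        report[hub] = (accepted, rule.name if rule else "no match")
    return report


def with_probe_rule(rulebase: List[Rule], spoke_cidr: str, hub_cidr: str) -> List[Rule]:
    """Copy of the rulebase with a UDP/259 accept rule inserted above the cleanup rule."""
    probe = Rule("mep-rdp-probe", spoke_cidr, hub_cidr,
                 MEP_PROBE_PROTO, MEP_PROBE_PORT, "accept")
    idx = next(i for i, r in enumerate(rulebase) if r.name == "cleanup")
    return rulebase[:idx] + [probe] + rulebase[idx:]


# Constructed baseline policy between D and the hubs: IKE, NAT-T and ESP are
# allowed, but nothing accepts the MEP probe, so the cleanup rule drops it.
BASELINE: List[Rule] = [
    Rule("fw-d-to-hubs-ike",  "203.0.113.0/24", "198.51.100.0/24", "udp", 500,  "accept"),
    Rule("fw-d-to-hubs-natt", "203.0.113.0/24", "198.51.100.0/24", "udp", 4500, "accept"),
    Rule("fw-d-to-hubs-esp",  "203.0.113.0/24", "198.51.100.0/24", "esp", None, "accept"),
    Rule("cleanup",           "0.0.0.0/0",      "0.0.0.0/0",       "any", None, "drop"),
]


if __name__ == "__main__":
    hubs = [FW_A, FW_B]
    print("baseline:", check_mep_probing(BASELINE, FW_D, hubs))
    fixed = with_probe_rule(BASELINE, "203.0.113.0/24", "198.51.100.0/24")
    print("with probe rule:", check_mep_probing(fixed, FW_D, hubs))
```

Run it as-is and the baseline report shows both hubs decided by `cleanup` (dropped), while the amended rulebase shows both accepted by `mep-rdp-probe`; the same check is worth repeating in the reverse direction, since each hub's own policy must also accept the probe from D.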
PhoneBoy
Admin

I know MEP only works with Check Point VPN endpoints (which means it's not relevant for A>C or B>C).

What I don't know is whether or not it works with externally managed Check Point gateways.

If not, you may need to do this with route-based VPNs.

Giridhar_Sasidh
Participant

It works with externally managed Check Point gateways. Yes, route-based VPNs are the only option with other vendors for auto-failover.