This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Giridhar_Sasidh
Participant
‎2018-02-27 11:38 AM

Multi Entry point configuration(MEP) addition into existing primary and secondary tunnel

Multi Entry point (MEP) with externally managed gateways as central gateways in star community..

 

Scenario:

Please go through the attached diagram..

Existing Tunnels primary from FW A to FW C

Secondary from FW B to  FW C

Presently using NAT ips to connect through secondary tunnel..

 

As client segment size has increased to /16 and NAT cannot be done and due to internal WAN conflicts new FW D is placed.

Requirement is to add a new FW D and build MEP to externally managed gateways FWs A and B  which has existing tunnel to communicate with Client FW C..

A and B are externally managed Gateways.. Is this possible to do it using MEP till hub location fws A and B for failover and after that take the existing tunnel from fw A and B ..PFA Diagram..

Please share some thoughts if anybody done MEP.

Preview file
52 KB
0 Kudos
Reply
6 Replies
PhoneBoy
Admin
Admin
‎2018-03-02 07:21 PM

Your diagram and your text contradict each other.

Your text above says GW A and B are externally managed

Firewall C is listed as an interoperable device in your diagram--which also implies externally managed.

Which gateways are managed by you in this diagram?

Is your expectation for hosts behind Firewall D to also reach hosts behind Firewall C through the VPN with A and B?

0 Kudos
Reply
Giridhar_Sasidh
Participant
‎2018-03-02 10:16 PM
In response to PhoneBoy

Hi,

Thanks for the query..

Fw A,B and D are managed by us.. But unfortunately all 3 are in different managements.. means in 3 different managements..  A and B are hub location firewalls and have existing tunnels with an interoperable device..

So the requirement is to happen autofailover in tunnel towards A and B from FW D and reach FW C(managed out of organization)  without outage..

For firewall D gateway fw A and B are extenally managed gateways..

Hope this makes clear..


Thanks,

Giridhar

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2018-03-03 01:47 PM
In response to Giridhar_Sasidh

Thanks, it makes it much clearer.

How is the VPN between A>C and B>C done today?

Is it done with route-based VPNs or are you using regular communities with fixed encryption domains?

0 Kudos
Reply
Giridhar_Sasidh
Participant
‎2018-03-04 12:40 AM
In response to PhoneBoy

Hello,

A to C and B to C are regular fixed community vpns..

 As MEP probing is done using port 259... Does that port need to be enabled between gateways D and A also D and B.. ?


0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2018-03-04 08:55 AM
In response to Giridhar_Sasidh

I know MEP only works with Check Point VPN endpoints (which means it's not relevant for A>C or B>C).

What I don't know is whether or not it works with externally managed Check Point gateways.

In which case you may need to do this with route-based VPNs.

0 Kudos
Reply
Giridhar_Sasidh
Participant
‎2018-04-02 10:04 PM

It works with externally managed checkpoint gateways... Yes.. route based vpns are the only options with other vendors.. for autofailover..

0 Kudos
Reply