I have been reviewing the 80.20 Remote Access VPN Admin guide to try and understand MEP and I am confused about the best way to proceed.
We have a gateway at head office configured with Mobile Access and IP Sec VPN.
It provides Office mode address to Check Point Mobile for Windows clients. This is working fine.
We have now configured a new gateway at a second office. We want this to be used if the internet link at head office fails.
The offices are connected via a WAN link. The Remote Access VPN Domains overlap/are the same.
The moment the second gateway was up and configured we started to see some clients connect via it instead of head office.
I think this is Implicit - First to Respond at work.
Both gateways are configured for Visitor Mode.
I have tried disabling MEP but we are still seeing some clients connect via the second site.
"To disable MEP, set the following command to true in DBedit, the Check Point database tool:
- desktop_disable_mep
- When MEP is disabled, MEP RDP probing and failover are not performed. As a result, remote hosts connect to the Security Gateway defined without considering the MEP configuration. Remote Access clients use Visitor Mode instead of RDP to probe gateways."
Ideally I would prefer to set Primary-Backup but I am finding this next set of instructions regarding the backup gateway configuration confusing:
Primary-Backup
To configure Implicit Primary-Backup:
- From Menu, click Global Properties.
- From the navigation tree, click VPN > Advanced.
- Click Enable Backup Gateway.
- Click OK.
- Publish the changes.
To configure the backup gateway settings:
1. Click Gateways & Servers and double-click the primary Security Gateway.
   The gateway window opens and shows the General Properties page.
2. From the navigation tree, click IPsec VPN.
3. Click Use Backup Gateways.
4. From the drop-down menu, select the backup gateway.
5. Determine if the backup gateway uses its own VPN domain.
6. To configure the backup gateway without a VPN domain of its own:
   - Double-click the Security Gateway and from the navigation tree click Network Management > VPN Domain.
   - Click Manually defined.
   - Click the field and select the group or network that contains only the backup gateway.
   - Click OK and publish the changes.
7. To configure a backup gateway that DOES have a VPN domain of its own:
   - Make sure that the IP address of the backup gateway is not included in the VPN domain of the primary gateway.
   - For each backup gateway, define a VPN domain that does not overlap with the VPN domain of the other backup gateways.
8. Configure IP pool NAT or Hide NAT to handle return packets.
For our scenario, where the gateways are linked by an internal WAN and hence have the same overlapping VPN domain, do I use option 6 and select just the gateway object as the VPN domain on the backup gateway?
And if we are using Office Mode with an Office Mode range for each gateway with our internal routing configured can we ignore step 8 and remove NAT from Office mode?
Thanks
Pedro
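Added example, not from the post above or from the Check Point guide it quotes: a small offline Python check for the Primary-Backup layout the quoted step 7 describes. It flags a backup gateway whose own IP address sits inside the primary gateway's VPN domain, backup VPN domains that overlap each other, and (for the Office Mode question) per-gateway Office Mode pools that overlap. Gateway names and all addresses are constructed placeholders, and the layout is expressed as plain CIDR lists rather than read from a management server.

```python
"""
Sanity checks for a Primary-Backup (MEP) layout described as CIDR lists.
This is an added illustration, not Check Point tooling; every address and
gateway name below is a constructed placeholder (RFC 1918 / RFC 5737 space).
"""
import ipaddress
from itertools import combinations


def parse_networks(cidrs):
    """Turn a list of CIDR strings into ip_network objects (host bits tolerated)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def backup_ip_in_primary_domain(backup_ip, primary_domain):
    """True if the backup gateway's own address falls inside any network of the
    primary gateway's VPN domain (the condition step 7 says to avoid)."""
    addr = ipaddress.ip_address(backup_ip)
    return any(addr in net for net in parse_networks(primary_domain))


def overlapping_pairs(ranges_by_name):
    """ranges_by_name: {name: [CIDR, ...]}.
    Return every overlapping pair as (name_a, name_b, net_a, net_b) in input order."""
    found = []
    for name_a, name_b in combinations(ranges_by_name, 2):
        for net_a in parse_networks(ranges_by_name[name_a]):
            for net_b in parse_networks(ranges_by_name[name_b]):
                if net_a.overlaps(net_b):
                    found.append((name_a, name_b, str(net_a), str(net_b)))
    return found


def check_mep_layout(primary_domain, backups, office_mode_pools):
    """Return a list of finding strings; an empty list means these checks pass.

    primary_domain:    [CIDR] making up the primary gateway's VPN domain
    backups:           {gateway_name: {"ip": str, "vpn_domain": [CIDR]}}
    office_mode_pools: {gateway_name: [CIDR]} Office Mode range(s) per gateway
    """
    findings = []
    for name, gw in backups.items():
        if backup_ip_in_primary_domain(gw["ip"], primary_domain):
            findings.append(f"{name}: gateway IP {gw['ip']} lies inside the primary VPN domain")
    backup_domains = {name: gw["vpn_domain"] for name, gw in backups.items()}
    for a, b, na, nb in overlapping_pairs(backup_domains):
        findings.append(f"{a}/{b}: backup VPN domains overlap ({na} vs {nb})")
    for a, b, na, nb in overlapping_pairs(office_mode_pools):
        findings.append(f"{a}/{b}: Office Mode pools overlap ({na} vs {nb})")
    return findings


# Constructed placeholder layouts.
GOOD_LAYOUT = dict(
    primary_domain=["10.10.0.0/16"],
    backups={"gw-site2": {"ip": "203.0.113.20", "vpn_domain": ["10.20.0.0/16"]}},
    office_mode_pools={"gw-hq": ["172.16.10.0/24"], "gw-site2": ["172.16.11.0/24"]},
)
BAD_LAYOUT = dict(
    primary_domain=["10.10.0.0/16"],
    # The backup's address sits inside the primary domain, and the two
    # Office Mode pools share 172.16.10.128/25.
    backups={"gw-site2": {"ip": "10.10.5.1", "vpn_domain": ["10.20.0.0/16"]}},
    office_mode_pools={"gw-hq": ["172.16.10.0/24"], "gw-site2": ["172.16.10.128/25"]},
)

if __name__ == "__main__":
    for label, layout in (("good", GOOD_LAYOUT), ("bad", BAD_LAYOUT)):
        print(label, check_mep_layout(**layout) or ["no findings"])
```

Run it as a script to see the good layout pass and the bad layout produce two findings; swap in your own gateway addresses, VPN domain networks and Office Mode ranges before relying on the result.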