Remote Access VPN MEP issue

Hi Checkmates,

I'd like to set up MEP on remote access VPN for redundancy between 2 clusters in different locations; there is a WAN link between them.

We also use each cluster as a proxy, with APPC, URLF and HTTPS inspection.

Currently, the remote access encryption domains are not overlapping at all.

When overlapping encryption domains are configured (fully or partially), the gateway interfaces are excluded from the topology, and that's reflected in the client's routing table.

As a result of this, we can't connect to the proxy while on VPN and can't ping any of the gateway interfaces either; services behind the gateways in both locations are accessible as expected.

I tried to configure an interface alias or destination NAT to use an IP which is still in the routing table of the client, but the gateway doesn't allow this as a proxy.

We don't route all the traffic through the gateways while on VPN (i.e. split tunneling is enabled), but the customer is still keen to run web traffic through the proxy.

Any ideas how to overcome this issue?

Thanks.

4 Replies
Admin (PhoneBoy):
Maybe set up Squid on a VM for these remote users to connect to instead?
Otherwise it's an RFE to address, I assume.
@PhoneBoy  thanks for your response.

Can you confirm this is a known limitation?

I can place the proxy behind an F5, but wanted to explore all the options before doing so.


Admin (PhoneBoy), accepted solution:
Yes.
This is implied by the fact that MEP is only supported when encryption domains fully overlap (either exactly the same or one is a proper subset of the other).
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
As gateway IPs are unique, and partially overlapping encryption domains aren't supported at all, it makes sense they are not included in the encryption domain.

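The overlap rule PhoneBoy cites (identical domains or one a proper subset of the other; partial overlap unsupported) is easy to get wrong by eye once each site's domain is a list of prefixes. As an added example, not code from this thread or from Check Point, the Python below uses the standard ipaddress module to classify two candidate domains before any MEP configuration is attempted. The second half models what the original post describes on the split-tunnel client: the domain's routes with the gateway interface addresses carved out, so you can see which destinations (the proxy, a server behind the gateway) would still match a tunnel route. The sample domains, gateway addresses, and the carve-out model itself are constructed assumptions for illustration, not product behaviour or output.

```python
"""Pre-check two remote-access encryption domains for MEP compatibility.

Added example, not code from the CheckMates thread or from Check Point.
Rule applied (from the thread): MEP is supported only when the two domains
are identical or one is a proper subset of the other; partial overlap is
not supported.  The domains, gateway addresses and the routing-table model
below are constructed assumptions for illustration, not product output.
IPv4 only, to keep the subnet comparisons simple.
"""
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def collapse(prefixes: Iterable[str]) -> List[Net]:
    """Parse CIDR strings and merge adjacent or nested prefixes."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def covers(outer: List[Net], inner: List[Net]) -> bool:
    """True if every prefix in `inner` lies inside some prefix of `outer`."""
    return all(any(n.subnet_of(o) for o in outer) for n in inner)


def intersects(a: List[Net], b: List[Net]) -> bool:
    """True if any prefix of `a` shares addresses with any prefix of `b`."""
    return any(x.overlaps(y) for x in a for y in b)


def classify_domains(domain_a: Iterable[str], domain_b: Iterable[str]) -> str:
    """Return 'identical', 'proper-subset', 'partial' or 'disjoint'."""
    a, b = collapse(domain_a), collapse(domain_b)
    a_in_b, b_in_a = covers(b, a), covers(a, b)
    if a_in_b and b_in_a:
        return "identical"
    if a_in_b or b_in_a:
        return "proper-subset"
    if intersects(a, b):
        return "partial"
    return "disjoint"


def mep_supported(domain_a: Iterable[str], domain_b: Iterable[str]) -> bool:
    """Apply the thread's rule: only full overlap qualifies for MEP."""
    return classify_domains(domain_a, domain_b) in ("identical", "proper-subset")


def client_routes(domain: Iterable[str], excluded_hosts: Iterable[str]) -> List[Net]:
    """Model of the split-tunnel client's routing table: the collapsed domain
    with each excluded host (e.g. a gateway interface address) carved out as
    a /32.  Illustrative model of the behaviour the original post describes,
    not Check Point's actual topology algorithm (assumption)."""
    routes = collapse(domain)
    for host in excluded_hosts:
        h = ipaddress.ip_network(host)  # a bare address becomes a /32
        carved: List[Net] = []
        for r in routes:
            if h.subnet_of(r):
                # address_exclude yields the pieces of r around h;
                # it yields nothing when h == r, dropping that route.
                carved.extend(r.address_exclude(h))
            else:
                carved.append(r)
        routes = carved
    return sorted(routes)


def routed_through_tunnel(routes: List[Net], host: str) -> bool:
    """Would traffic to `host` (e.g. the proxy address) match a tunnel route?"""
    ip = ipaddress.ip_address(host)
    return any(ip in r for r in routes)


if __name__ == "__main__":
    # Constructed sample: two sites whose domains overlap fully (one is a
    # proper subset of the other), plus one gateway interface address per site.
    site_a = ["10.10.0.0/16"]
    site_b = ["10.10.0.0/16", "10.20.0.0/16"]
    print("overlap:", classify_domains(site_a, site_b), "MEP ok:", mep_supported(site_a, site_b))
    routes = client_routes(site_b, ["10.10.0.1", "10.20.0.1"])
    print("gateway/proxy 10.10.0.1 routed:", routed_through_tunnel(routes, "10.10.0.1"))
    print("server 10.10.5.5 routed:", routed_through_tunnel(routes, "10.10.5.5"))
```

Run it against your real site domains and gateway addresses; a result of "partial" is the case the thread says is unsupported, and the routing model shows why a proxy listening on a carved-out gateway address is unreachable even though hosts next to it in the same /24 still match a tunnel route.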
Thanks @PhoneBoy 

I assumed this is a limitation but couldn't find a firm confirmation.