This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alex_Shpilman
Collaborator
‎2020-03-20 04:39 AM
Jump to solution

Remote Access VPN MEP issue

Hi Checkmates,


I'd like to setup MEP on remote access VPN for redundancy between 2 clusters in different locations, there is a WAN link between them.


We also use each cluster as a proxy, with APPC, URLF and HTTPS inspection.

Currently, the remote access encryption domains are not overlapping at all.

When overlapping encryption domains are being configured (fully or partially), the gateway interfaces are being excluded from the topology and that's reflected on the client's routing table.


As a result of this, we can't connect to the proxy while on VPN, can't ping any of the gateway interfaces either, services behind the gateways in both locations are accessible as expected.

I tried to configure interface alias or destination NAT to use an IP which is still in the routing table of the client but the gateway doesn't allow this as proxy.

We don't route all the traffic through the gateways while on VPN (i.e. split tunneling is being enabled) but the customer is keen still to run web traffic through the proxy.

Any ideas how to overcome this issue? 

 

Thanks.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-03-24 01:38 PM
In response to Alex_Shpilman
Jump to solution

Yes.
This is implied by the fact that MEP is only supported when encryption domains fully overlap (either exactly the same or one is a proper subset of the other).
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
As gateway IPs are unique, and partially overlapping encryption domains aren't supported at all, it makes sense they are not included in the encryption domain.

View solution in original post

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2020-03-23 04:46 PM
Jump to solution

Maybe set up Squid on a VM for these remote users to connect to instead?
Otherwise it’s an RFE to address I assume.
0 Kudos
Alex_Shpilman
Collaborator
‎2020-03-23 04:58 PM
In response to PhoneBoy
Jump to solution

@PhoneBoy  thanks for your response.

Can you confirm this is a known limitation?

I can place the proxy behind an F5, but wanted to explore all the option before doing so.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-24 01:38 PM
In response to Alex_Shpilman
Jump to solution

Yes.
This is implied by the fact that MEP is only supported when encryption domains fully overlap (either exactly the same or one is a proper subset of the other).
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
As gateway IPs are unique, and partially overlapping encryption domains aren't supported at all, it makes sense they are not included in the encryption domain.
0 Kudos
Alex_Shpilman
Collaborator
‎2020-03-24 02:28 PM
In response to PhoneBoy
Jump to solution

Thanks @PhoneBoy 

I assumed this is a limitation but couldn't find a firm confirmation.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events