VPN Communities - MEP
What can I do here?
Use this window to configure
- Multiple Entry Points (MEP) to the core network
- Tracking options
- Return packet routing
|
Getting Here - SmartConsole > Security Policies > Access Control > Policy > Access Tools > VPN Communities > New Star Community > MEP
|
Multiple Entry Point
Overview of MEP
Multiple Entry Point (MEP) is a feature that provides a High Availability and Load Sharing solution for VPN connections. A Security Gateway on which the VPN module is installed provides a single point of entry to the internal network. It is the Security Gateway that makes the internal network "available" to remote machines. If a Security Gateway should become unavailable, the internal network too, is no longer available. A MEP environment has two or more Security Gateways both protecting and enabling access to the same VPN domain, providing peer Security Gateways with uninterrupted access.
VPN High Availability Using MEP or Clustering
Both MEP and Clustering are ways of achieving High Availability and Load Sharing. However:
- Unlike the members of a ClusterXL Security Gateway Cluster, there is no physical restriction on the location of MEP Security Gateways. MEP Security Gateways can be geographically separated machines. In a cluster, the clustered Security Gateways need to be in the same location, directly connected via a sync interface.
- MEP Security Gateways can be managed by different Security Management Server; cluster members must be managed by the same Security Management Server.
- In a MEP configuration there is no "state synchronization" between the MEP Security Gateways. In a cluster, all of the Security Gateways hold the "state" of all the connections to the internal network. If one of the Security Gateways fails, the connection passes seamlessly over (performs failover) to another Security Gateway, and the connection continues. In a MEP configuration, if a Security Gateway fails, the current connection is lost and one of the backup Security Gateways picks up the next connection.
- In a MEP environment, the decision which Security Gateway to use is taken on the remote side; in a cluster, the decision is taken on the Security Gateway side.
Implementation
MEP is implemented using RDP for Check Point Security Gateways and DPD for 3rd party Gateways / Cloud vendors.
- RDP is a proprietary Probing Protocol (PP) that sends special UDP RDP packets to port 259 to discover whether an IP is reachable. This protocol is proprietary to Check Point and does not conform to RDP as specified in RFC 908/1151.
Note - These UDP RDP packets are not encrypted, and only test the availability of a peer. - DPD is a different method that discovers whether an IP is reachable. It supports 3rd party Security Gateways / Cloud vendors based on IKEv1/IKEv2.
It is important to note that in MEP environments, no configuration is necessary. The gateway determines which protocol (RDP/DPD) to use automatically.
The peer continuously probes or polls all MEP Security Gateways in order to discover which of the Security Gateways are "up", and chooses a Security Gateway according to the configured selection mechanism. Since RDP/DPD packets are constantly being sent, the status of all Security Gateways is known and updated when changes occur. As a result, all Security Gateways that are "up" are known.
There are two available methods to implement MEP:
MEP Method
|
Description
|
Explicit MEP
|
Only Star communities with more than one central Security Gateway can enable explicit MEP.
This MEP method provides multiple entry points to the network behind the Security Gateways.
When available, Explicit MEP is the recommended method.
|
Implicit MEP
|
This MEP method is supported in all scenarios, where fully or partially overlapping encryption domains exist, or where Primary-Backup Security Gateways are configured.
|
Use these options to configure entry to the core network.
From the drop-down box, select the type of tracking required.
In some instances, more than one gateway is available in the center with no obvious priority between them. When this occurs, select how the gateway should be chosen, either by:
While MEP is used to determine which gateway to connect to, RIM (like IP Pool NAT) is used to correctly route return packets through the chosen gateway.
Return packets can be routed according to IP pool NAT, configured per gateway, or by using the route injection mechanism (RIM) configured in Tunnel Management.
An IP Pool is a range of IP addresses (an Address Range, a network or a group of one of these objects) routable to the gateway or gateway cluster.
