VPN Communities - MEP
What can I do here?
Use this window to configure
- Multiple Entry Points (MEP) to the core network
- Tracking options
- Return packet routing
Getting Here - SmartConsole > Security Policies > Access Control > Policy > Access Tools > VPN Communities > New Star Community > MEP
Multiple Entry Point
Overview of MEP
Multiple Entry Point (MEP) is a feature that provides a High Availability and Load Sharing solution for VPN connections. A Security Gateway on which the VPN module is installed provides a single point of entry to the internal network. It is the Security Gateway that makes the internal network "available" to remote machines. If that Security Gateway becomes unavailable, the internal network is no longer available either. A MEP environment has two or more Security Gateways that both protect and enable access to the same VPN domain, providing peer Security Gateways with uninterrupted access.
VPN High Availability Using MEP or Clustering
Both MEP and Clustering are ways of achieving High Availability and Load Sharing. However:
- Unlike the members of a ClusterXL Security Gateway Cluster, there is no physical restriction on the location of MEP Security Gateways. MEP Security Gateways can be geographically separated machines. In a cluster, the clustered Security Gateways need to be in the same location, directly connected via a sync interface.
- MEP Security Gateways can be managed by different Security Management Servers; cluster members must be managed by the same Security Management Server.
- In a MEP configuration there is no "state synchronization" between the MEP Security Gateways. In a cluster, all of the Security Gateways hold the "state" of all the connections to the internal network. If one of the Security Gateways fails, the connection passes seamlessly over (performs failover) to another Security Gateway, and the connection continues. In a MEP configuration, if a Security Gateway fails, the current connection is lost and one of the backup Security Gateways picks up the next connection.
- In a MEP environment, the decision which Security Gateway to use is taken on the remote side; in a cluster, the decision is taken on the Security Gateway side.
Implementation
MEP is implemented via a proprietary Probing Protocol (PP) that sends special UDP RDP packets to port 259 to discover whether an IP is reachable. This protocol is proprietary to Check Point and does not conform to RDP as specified in RFC 908/1151.
Note - These UDP RDP packets are not encrypted, and only test the availability of a peer.
The peer continuously probes or polls all MEP Security Gateways in order to discover which of the Security Gateways are "up", and chooses a Security Gateway according to the configured selection mechanism. Since RDP packets are constantly being sent, the status of all Security Gateways is known and updated when changes occur. As a result, all Security Gateways that are "up" are known.
There are two available methods to implement MEP:
- Explicit MEP - Only Star communities with more than one central Security Gateway can enable explicit MEP, providing multiple entry points to the network behind the Security Gateways. When available, Explicit MEP is the recommended method.
- Implicit MEP - Implicit MEP is supported in all scenarios where fully or partially overlapping encryption domains exist or where Primary-Backup Security Gateways are configured. When upgrading from a version prior to NGX (R60) where Implicit MEP was already configured, the settings previously configured will remain.
Routing Return Packets
To make sure return packets are routed correctly, the MEP Security Gateway can make use of either of these:
- IP Pool NAT (Static NAT)
- Route Injection Mechanism (RIM)
Multiple Entry Point - Options
Use these options to configure entry to the core network.
- Select the closest gateway to source (First to respond). If "first to respond" is the chosen mechanism, then the first MEPed gateway to respond to the satellite's probing RDP packets becomes the chosen gateway. Subsequent connections pass through the chosen gateway.
- Select the closest gateway to destination (By VPN domain). An extension to the traditional Primary-backup MEP configuration. Before the MEP unification, the destination IP belonged to a particular VPN domain. The gateway of that domain becomes the chosen entry point. This gateway becomes the primary gateway while other gateways in the MEP become its backup gateways.
- Random Selection (for Load distribution). To distribute the load, and prevent any one gateway from being flooded, connections can be evenly shared amongst all the gateways in the MEP configuration. When all gateways share equal priority (no primary) and are MEPed to the same VPN domain, a gateway is randomly chosen as the entry point to the network for each pair of source/destination IP addresses.
- Manually set priority list (MEP rules). Which gateway is chosen as the entry point to the core network can be controlled by manually setting a priority per source gateway. Each priority constitutes a MEP Rule. Click Set... to configure the rules.
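The four selection mechanisms above, modelled as an added example (not Check Point code): gateway liveness is taken from the outcome of the RDP probes, and each function picks one entry gateway from those that are up. The gateway names, VPN domains, reply times and the hash used to keep the random choice stable per source/destination pair are constructed assumptions of this model.

```python
import hashlib
import ipaddress

# Constructed MEP center: gateway -> (VPN domain behind it, probe reply time in ms,
# or None when the gateway did not answer the UDP/259 RDP probe and is treated as down)
GATEWAYS = {
    "gw-east": ("10.10.0.0/16", 12.0),
    "gw-west": ("10.20.0.0/16", 35.0),
    "gw-south": ("10.30.0.0/16", None),
}

def up_gateways(gateways):
    """Only gateways that answered the probe are candidates for selection."""
    return {name: v for name, v in gateways.items() if v[1] is not None}

def first_to_respond(gateways):
    """Closest gateway to source: the live gateway whose probe reply arrived first."""
    alive = up_gateways(gateways)
    return min(alive, key=lambda name: alive[name][1]) if alive else None

def by_vpn_domain(gateways, dst_ip):
    """Closest gateway to destination: the live gateway whose VPN domain contains the
    destination is primary; if it is down, fall back to the backups (assumed here to be
    resolved by first-to-respond, matching the Advanced setting)."""
    alive = up_gateways(gateways)
    dst = ipaddress.ip_address(dst_ip)
    for name, (domain, _) in alive.items():
        if dst in ipaddress.ip_network(domain):
            return name
    return first_to_respond(alive)

def random_selection(gateways, src_ip, dst_ip):
    """Load distribution: one live gateway per source/destination pair. The hash used
    to keep the choice stable per pair is an assumption of this model, not the product's."""
    alive = sorted(up_gateways(gateways))
    if not alive:
        return None
    digest = hashlib.sha256(f"{src_ip}->{dst_ip}".encode()).digest()
    return alive[int.from_bytes(digest[:4], "big") % len(alive)]

def mep_rules(gateways, src_gateway, rules):
    """Manual priority list: rules maps a source (satellite) gateway to its ordered
    preference of entry gateways; the first one that is up wins."""
    alive = up_gateways(gateways)
    return next((name for name in rules.get(src_gateway, []) if name in alive), None)
```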
Tracking fields
From the drop-down box, select the type of tracking required.
Multiple Entry Point - Advanced
In some instances, more than one gateway is available in the center with no obvious priority between them. When this occurs, select how the gateway should be chosen, either by:
- First to respond
- Random Selection
Return Packet Routing
While MEP is used to determine which gateway to connect to, RIM (like IP Pool NAT) is used to correctly route return packets through the chosen gateway.
Return packets can be routed according to IP pool NAT, configured per gateway, or by using the route injection mechanism (RIM) configured in Tunnel Management.
IP Pool NAT
An IP Pool is a range of IP addresses (an Address Range, a network or a group of one of these objects) routable to the gateway or gateway cluster.
IP Pool NAT ensures proper routing for two connection scenarios:
- SecuRemote/SecureClient to MEPed (Multiple Entry Point) gateways.
- Gateway to MEP gateways.
To configure IP pool NAT:
- In Global Properties > NAT page, select Enable IP Pool NAT.
- Set tracking options for address exhaustion and for address allocation and release. Then:
- For each gateway, create a network object that represents the IP pool NAT addresses for that gateway. The IP pool can be a network, group, or address range. For example:
  - On the network objects tree, right-click the Network Objects branch > New > Address Range... The Address Range Properties window opens.
  - On the General tab, enter the first IP and last IP of the address range.
  - Click OK. The new address range appears in the Address Ranges branch of the network objects tree.
- On the gateway object where IP pool NAT translation is performed, in the Gateway Properties window, NAT > IP Pool NAT page, select either:
  - Allocate IP Addresses from, and select the address range you created, OR
  - Define IP Pool addresses on gateway interfaces. If you choose this option, you need to define the IP Pool on each required interface, in the Interface Properties window, IP Pool NAT tab.
- In the IP Pool NAT page, select either (or both):
  - Use IP Pool NAT for VPN client connections
  - Use IP Pool NAT for gateway to gateway connections
- Click Advanced...
- Decide after how many minutes unused addresses are returned to the IP pool.
- Click OK twice.
- Edit the routing table of each internal router, so that packets with an IP address assigned from the NAT pool are routed to the appropriate gateway.
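An added model (not Check Point code) of what the procedure above sets up: each MEP gateway owns a disjoint IP pool, a connection entering through a gateway is translated to an address from that gateway's pool, unused addresses go back to the pool after the idle timeout, and the internal routers carry one static route per pool prefix so replies return through the gateway that the connection entered. The pool ranges, gateway names and the idle timeout value are constructed assumptions.

```python
import ipaddress

# Constructed pools: one disjoint address range per MEP gateway (values are examples)
POOLS = {
    "gw-east": ("192.0.2.0", "192.0.2.15"),
    "gw-west": ("192.0.2.16", "192.0.2.31"),
}
IDLE_RETURN_MINUTES = 10  # constructed value for the "Advanced" unused-address timeout

class IpPoolNat:
    def __init__(self, pools, idle_minutes):
        self.ranges = {gw: (ipaddress.ip_address(s), ipaddress.ip_address(e))
                       for gw, (s, e) in pools.items()}
        self.free = {gw: [s + i for i in range(int(e) - int(s) + 1)]
                     for gw, (s, e) in self.ranges.items()}
        self.leases = {}  # pool address -> (gateway, client ip, minute of last use)
        self.idle = idle_minutes

    def release_idle(self, now):
        """Return addresses unused for idle_minutes to their gateway's pool."""
        for addr, (gw, _, last_used) in list(self.leases.items()):
            if now - last_used >= self.idle:
                del self.leases[addr]
                self.free[gw].append(addr)

    def allocate(self, gateway, client_ip, now):
        """Translate a connection entering through `gateway` to an address from its pool.
        Returns None on exhaustion, the event the tracking option above logs."""
        self.release_idle(now)
        if not self.free[gateway]:
            return None
        addr = self.free[gateway].pop(0)
        self.leases[addr] = (gateway, client_ip, now)
        return addr

    def router_static_routes(self):
        """Static routes every internal router needs: each pool prefix -> owning gateway."""
        return [(str(net), gw) for gw, (s, e) in self.ranges.items()
                for net in ipaddress.summarize_address_range(s, e)]

    def return_gateway(self, reply_dst):
        """Gateway an internal router forwards a reply to, based on those routes."""
        dst = ipaddress.ip_address(reply_dst)
        for net, gw in self.router_static_routes():
            if dst in ipaddress.ip_network(net):
                return gw
        return None
```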
IP pool NAT for Clusters
- In the gateway cluster object NAT > IP Pool NAT page, choose the connection scenario.
- In the cluster member object IP Pool NAT page, define the IP Pool on the cluster member. A separate IP pool must be configured for each cluster member. It is not possible to define a separate IP Pool for each cluster member interface.