Multiple Entry Point (MEP) VPNs

Overview of MEP

Multiple Entry Point (MEP) is a feature that provides a High Availability and Load Sharing solution for VPN connections. A Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. on which the VPN module is installed provides a single point of entry to the internal network. It is the Security Gateway that makes the internal network "available" to remote machines. If a Security Gateway should become unavailable, the internal network too, is no longer available. A MEP environment has two or more Security Gateways both protecting and enabling access to the same VPN domain, providing peer Security Gateways with uninterrupted access.

VPN High Availability Using MEP or Clustering

Both MEP and Clustering are ways of achieving High Availability and Load Sharing.

However:

Implementation

MEP is implemented using RDP for Check Point Security Gateways and DPD for 3rd party Gateways / Cloud vendors.

  • RDP is a proprietary Probing Protocol (PP) that sends special UDP RDP packets to port 259 to discover whether an IP is reachable. This protocol is proprietary to Check Point and does not conform to RDP as specified in RFC 908 / RFC 1151.
    Note - These UDP RDP packets are not encrypted, and only test the availability of a peer.

  • DPD is a different method that discovers whether an IP is reachable. It supports 3rd party Security Gateways / Cloud vendors based on IKEv1/IKEv2.

Note -In an MEP environment, a Security Gateway determines which protocol to use automatically.

It is important to note that in MEP environments, no configuration is necessary. The Security Gateway determines which protocol (RDP/DPD) to use automatically.

The peer continuously probes or polls all MEP Security Gateways in order to discover which of the Security Gateways are "up", and chooses a Security Gateway according to the configured selection mechanism. Since RDP/DPD packets are constantly being sent, the status of all Security Gateways is known and updated when changes occur. As a result, all Security Gateways that are "up" are known.

There are two available methods to implement MEP:

MEP Method

Description

Explicit MEP

Only Star communities with more than one central Security Gateway can enable explicit MEP.

This MEP method provides multiple entry points to the network behind the Security Gateways.

When available, Explicit MEP is the recommended method.

Implicit MEP

This MEP method is supported in all scenarios, where fully or partially overlapping encryption domains exist, or where Primary-Backup Security Gateways are configured.

Explicit MEP

In a Site To Site Star VPN community, explicit MEP is configured in the VPN community object. When MEP is enabled, the satellites consider the "unified" VPN domain of all the Security Gateways as the VPN domain for each Security Gateway. This unified VPN domain is considered the VPN domain of each Security Gateway:

In the figure, a Star VPN community has two central Security Gateways, M1 and M2 (for which MEP has been enabled), and three satellite Security Gateways - S1, S2, and S3. When S2 opens a connection with Host-1 (which is behind M1 and M2), the session is initiated through either M1 or M2. Priority among the MEP Security Gateways is determined by the MEP entry point selection mechanism.

If M2 is the selected entry point and becomes unavailable, the connection to Host-1 fails over to M1. Returning packets will be rerouted with RIM or IP Pool NAT. For more information about returning packets, see the section "Routing Return Packets".

There are four methods used to choose which of the Security Gateways will be used as the entry point for any given connection:

Method

Description

Select the closest Security Gateway to source

First to respond

Select the closest Security Gateway to destination

By VPN domain

Random selection

For Load distribution

Manually set priority list

MEP rules

If you select either By VPN domain , or Manually set priority list, then Advanced options provide additional granularity.

MEP Selection Methods

MEP Selection Method

Description

First to Respond

The first Security Gateway to reply to the peer Security Gateway is chosen.

An organization would choose this option if, for example, the organization has two Security Gateways in a MEP configuration - one in London, the other in New York.

It makes sense for VPN peers located in England to try the London Security Gateway first and the NY Security Gateway second.

Being geographically closer to the peers in England, the London Security Gateway will be the first to respond, and becomes the entry point to the internal network.

See Overview of the "First to Respond" method.

VPN Domain

If the destination IP address belongs to a particular VPN domain, the Security Gateway of that domain becomes the chosen entry point.

This Security Gateway becomes the Primary Security Gateway, while other Security Gateways in the MEP configuration become its Backup Security Gateways.

See Overview of the "By VPN Domain" method.

Random Selection

The remote peer randomly selects a Security Gateway, with which to open a VPN connection.

For each source/destination IP address pair, a new Security Gateway is randomly selected.

An organization might have a number of Security Gateways with equal performance abilities. In this case, it makes sense to enable load distribution to use these Security Gateways in a random and equal way.

See Overview of the "Random Selection" method.

Manually set priority list

Priorities of Security Gateways can be set manually for the entire VPN community, or for individual satellite Security Gateways.

See Overview of the "Manually Set Priority List" method.

Tracking

If the Tracking option is enabled for MEP, this information is logged by each satellite Security Gateway:

  • The resolved peer Security Gateway (a Security Gateway in the MEP)

  • The priority of the resolved Security Gateway (primary, secondary, tertiary)

  • Whether the resolved Security Gateway is responding

For example, in the scenario shown in the section "Manually Set Priority List", satellite S1 opens a connection to the VPN domain that includes Security Gateways M1, M2, and M3. M1 is the resolved peer. If tracking is enabled, the log reads:

Resolved peer for tunnel from S1 to the MEP that contains M1, M2, and M3, is: M1 (Primary Security Gateway, responding).

Implicit MEP

There are three methods to implement implicit MEP:

Method

Description

First to Respond

The first Security Gateway to reply to the peer Security Gateway is chosen.

An organization would choose this option if, for example, the organization has two Security Gateways in a MEP configuration - one in London, the other in New York.

It makes sense for VPN peers located in England to try the London Security Gateway first and the NY Security Gateway second.

Being geographically closer to the peers in England, the London Security Gateway will be the first to respond, and becomes the entry point to the internal network.

Note - First to Respond MEP is configured by default.

See Overview of the "Implicit First to Respond" method.

Primary-Backup

One or multiple backup Security Gateways provide "high availability" for a primary Security Gateway.

The remote peer is configured to work with the primary Security Gateway, but switches to the backup Security Gateway if the primary goes down.

An organization might decide to use this configuration if it has two Security Gateways in a MEP environment, one of which is stronger than the other.

It makes sense to configure the stronger Security Gateway as the primary. Or perhaps both Security Gateways are the same in terms of strength of performance, but one has a cheaper or faster connection to the Internet. In this case, the Security Gateway with the better Internet connection should be configured as the primary.

SeeOverview of the "Implicit Primary-Backup Security Gateways" method and Configuring the "Implicit Primary-Backup" method.

Load Distribution

The remote peer randomly selects a Security Gateway, with which to open a VPN connection.

For each source/destination IP address pair, a new Security Gateway is randomly selected.

An organization might have a number of Security Gateways with equal performance abilities. In this case, it makes sense to enable load distribution to use these Security Gateways in a random and equal way.

See Overview of the "Implicit Load Distribution" method and Configuring the "Implicit Load Distribution" method.

Implicit MEP is supported, if the Security Gateways with overlapping encryption domains are in the same community. If they are located in different communities, only one of the Security Gateways will be used for this encryption domain.

Routing Return Packets

To make sure return packets are routed correctly, the MEP Security Gateway can make use of either of these:

  • IP Pool NAT (Static NAT)

  • Route Injection Mechanism (RIM)

IP Pool NAT

IP Pool NAT is a type of NAT, in which source IP addresses from remote VPN domains are mapped to an IP address drawing from a pool of registered IP addresses. In order to maintain symmetric sessions with MEP Security Gateways, the MEP Security Gateway performs NAT with a range of IP addresses dedicated to that specific Security Gateway and should be routed within the internal network to the originating Security Gateway. When the returning packets reach the Security Gateway, the Security Gateway restores the original source IP address and forwards the packets to the source.

Route Injection Mechanism

Route Injection Mechanism (RIM) enables a Security Gateway to use a dynamic routing protocol to propagate the encryption domain of a VPN peer Security Gateway to the internal network. When a VPN tunnel is created, RIM updates the local routing table of the Security Gateway to include the encryption domain of the VPN peer.

When a tunnel to a MEP Security Gateway goes down, the Security Gateway removes the applicable "return route" from its own local routing table. This change is then distributed backwards to the routers behind the Security Gateway.

RIM is based both on the ability of the Security Gateway to update its local routing table, and the presence of the a dynamic routing protocol to distribute the change to the network behind the Security Gateway. There is little sense in enabling RIM on the Security Gateway if a dynamic routing protocol is not available to distribute changes.

When MEP is enabled, RIM can be enabled only if permanent tunnels are enabled for the whole community. In a MEP configuration RIM is available when you use the First to Respond, Manual set priority list, and VPN Domain mechanisms. In the first two options, satellite Security Gateways "see" the center Security Gateways as unified as if one tunnel is connecting them. As a result, only the chosen MEP Security Gateway will inject the routes. In VPN Domain MEP, it could be that all MEP Security Gateways will inject the routes, which requires configuring the routers behind the MEP Security Gateways to return packets to the correct Security Gateway.

RIM is not available when Random Selection is the selected entry point mechanism.

For more information, see Route Injection Mechanism.

Special Considerations

  1. If one of the central Security Gateways is an externally managed Security Gateway:

    • The VPN domain of the central Security Gateways will not be automatically inherited by an externally managed Security Gateway

    • The RIM configuration will not be automatically downloaded

  2. UTM-1 Edge devices cannot be configured as a MEP Security Gateway, but can connect to MEP Security Gateways.

  3. DAIP Security Gateways require DNS resolving in order to be configured as MEP Security Gateways.

Configuring MEP

To configure MEP, decide on:

  1. The MEP method:

    • Explicit MEP.

    • Implicit MEP.

  2. If required, method for returning reply packets:

Configuring Explicit MEP

Explicit MEP is only available in Site-to-Site Star VPN communities where multiple center Security Gateways are defined.

To configure MEP:

  1. In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., click Objects menu > Object Explorer.

  2. From the left tree, select VPN Communities.

  3. Open the Star VPN CommunityClosed A named collection of VPN domains, each protected by a VPN gateway. object.

  4. From the left tree, click MEP.

  5. Select Enable center gateways as MEP.

  6. Select the applicable entry point mechanism:

    • First to respond

    • By VPN domain

    • Random selection

    • Manual priority list

    Notes:

    • If you select By VPN domain or Manually set priority list, then in the Advanced section choose First to respond or Random selection to resolve how more than one Security Gateway with equal priority should be selected.

    • If you select Manually set priority list, then click Set to create a series of MEP rules.

  7. Select a Tracking option, if required.

  8. Click OK.

  9. Install the Access Control Policy.

Configuring Implicit MEP

Configuring IP Pool NAT

To configure IP Pool NAT for Site to Site VPN in SmartConsole:

Step

Description

1

Enable IP Pool NAT in the Global Properties:

  1. Click Menu > Global properties.

  2. Click NAT - Network Address Translation.

  3. Select Enable IP Pool NAT.

  4. Select the applicable options (None, Log, or Alert) for:

    • Address exhaustion track

    • Address allocation and release track

  5. Click OK to close the Global properties window.

2

For each Security Gateway, configure an object that represents the IP Pool NAT addresses for that Security Gateway:

  1. Click Objects menu > Object Explorer.

  2. The object that represents the IP Pool NAT addresses can be one of these objects:

    • Network - At the top, click New > Network

    • Network Group - At the top, click New > Network Group

    • Address Range - At the top, click New > Network Object > Address Range > Address Range.

  3. Configure this object to contain the applicable IP addresses.

  4. Click OK to close the object with IP Pool NAT addresses.

3

In each Security Gateway, configure IP Pool NAT settings:

  1. Click Objects menu > Object Explorer.

  2. From the left tree, select Network Objects > Gateways & Servers.

  3. Open each Security Gateway object.

  4. Click NAT > IP Pool NAT.

  5. Select one of these two options:

  • Allocate IP Addresses from.

    If you choose this option, then select the object that represents the IP Pool NAT addresses for that Security Gateway.

  • Define IP Pool addresses on Gateway interfaces.

    If you choose this option, then you must configure the IP Pool NAT on each required interface:

    (i) From the left tree, click Network Management.

    (ii) Edit each required interface.

    (iii) From the left tree, click General.

    (iv) In the Topology section, click Modify.

    (v) In the IP Pool NAT section, select the object that represents the IP Pool NAT addresses.

    (vi) Click OK.

  1. Select the applicable options:

    • Use IP Pool NAT for VPN clients connections

    • Use IP Pool NAT for gateway to gateway connections

    • Prefer IP Pool NAT over Hide NAT

  2. Click Advanced to configure the advanced IP Pool NAT settings. Click OK.

  3. Click OK to close the Security Gateway object.

4

Install the Access Control Policy on all Security Gateways.

5

Edit the routing table for each internal router, so that packets with an IP address assigned from the IP Pool NAT are routed to the applicable Security Gateway.