Multiple Entry Point

Sorry to trouble you again with more question. In my lab I have been trying to configure implicit MEP on customer side to failover between my two sites in Haymarket and Exhibition but seem to run into the following problem:

1. I have to clear the IPSec SA on the firewall to trigger a failover
2. In the customer firewall, I configured Exhibition as primary and Haymarket as backup. However after failing over to Haymarket, I cannot cause it to fail back to Exhibition unless I make Haymarket inaccessible (shut down the switch ports) and clear the IPSec SA as mentioned above.
3. Also where do I set the IPSec tunnel expire timer as my tunnel seem to stay idle for hours unless I clear it from “vpn tu”

And here is my current setup: For my sites

• I configured two clusters consisting of two firewalls each in Exhibition (R55) and Haymarket (R65) both are under the same Smart Center server
• For the IPSec configuration
  • I configured my customer firewall as a interoperable devices using the customer cluster IP and assigned the customer address range as the encryption domain
  • On both cluster Haymarket and Exhibition, I assigned my server range 202.12.168.128/26 as the encryption domains.
  • I created two VPN star communities in Haymarket and Exhibition with my firewall in each site as the center gateway and the interoperable device as the satellite gateway
  • Didn’t seem to need to configure MED as my firewall in Haymarket and Exhibition are in two separate clusters. Can you confirm this is correct as I seem to recall you mentioned that might be necessary
  • Configure the policy and assign both VPN communities as target.

For my customer site

• I configured a cluster consisting of two firewalls (R65) under a separate Smart Center Server
• For the IPSec configuration
  • I configured my firewall in Haymarket and Exhibition as Externally managed checkpoint gateway and assigned my server range 202.12.168.128/26 as the encryption domains for both gateways.
  • On the customer cluster, I assigned the customer range 172.24.24.0/22 as the encryption domains
  • I enabled backup gateway in global configuration
  • Under the Exhibition gateway object, I configured Haymarket as the backup gateway for Exhibition
  • I created one VPN star communities with both my Haymarket and Exhibition firewalls as center gateway and the customer firewall as remote gateway
  • Configure the policy and assign the VPN star communities above as target.

I think there are several configuration issues with the setup and my recommendation is to try and work through them from top to bottom.

1. Your customer side should be defined as a “Externally Managed Check Point gateway” on your SmartCenter. This will enable you to configure permanent tunnels (this causes a packet to keep the tunnel a live or detect that it is down). The permanent tunnels is a Check Point proprietary mechanism and can only be configured between Check Point VPN gateways.
2. You need to configure MEP on the remote client side SmartCenter. This will enable the remote gateway to decide on the gateway/cluster it wants to work. You should be able to set a manual preference to prefer exhibition over heymarket
3. You need to configure MEP on the local side as well. Note that this will enable you to configure failover mechanism such as IP pool NAT or RIM to ensure connections that are routed properly and will survive failover.