Multiple Entry Point VPN Configurations


Multiple Entry Point VPN deployments make use of the VPN-1/FW-1 Backup Gateway feature. With this sort of implementation, gateways for logically separated networks can be used to connect to the same destination network, assuming that a link exists between those networks. A diagram of a MEP configuration is shown in Figure 12.9.

Figure 12.9: Simple MEP Illustration

MEP configurations are actually more of a redundancy solution than a true high availability solution. Since the networks are logically (and often geographically) separated, firewall synchronization is not possible (though some support has been added in NG AI R55 when the cluster members are connected to the same layer 2 network). With this being the case, connections cannot be maintained as they can be with a SEP configuration. Instead, when the SecuRemote client's (or SecureClient's) gateway fails, there is a brief pause before the backup gateway is connected. This will cause an interruption in the connection from a user's perspective. Usually this isn't a big deal and users don't notice much. A user browsing the internal website, for example, will simply click the refresh button to continue as normal.

The first step toward setting up a MEP solution is to enable backup gateways on the management server. This is done by accessing Global Properties > Advanced and placing a checkmark in the box labeled "Enable load distribution for Multiple Entry Points configurations", as shown in Figure 12.10.

Figure 12.10: Enabling MEP

Overlapping VPN Domains

A VPN domain (a.k.a. encryption domain) defines the entirety of the network residing behind the VPN-1/FW-1 device, and also includes the VPN-1/FW-1 gateway(s). Recent versions of VPN-1/FW-1 support the use of overlapping VPN domains. This inclusion is the key element that allows the implementation of high availability for VPN connections. There are three methods of creating an overlapping VPN domain:

  • Partial Overlap

  • Full Overlap

  • Proper Subset

Figure 12.11 shows you a graphical representation of these VPN domain types in the following order: partial overlap, full overlap, and proper subset. These will be discussed in more detail later in the chapter.

Figure 12.11: VPN Domain Types

Check Point has included support for all three types of VPN domains with NG AI. Previously, only full overlap and proper subset were supported. This section will look at the particulars of the VPN domains in the next couple of paragraphs.

As mentioned in the first paragraph of this section, a VPN domain consists of the network residing behind the gateway, including that gateway. What this means for you, as a firewall administrator, is that you define a network object consisting of the protected network and then point to that network object within the configuration of the workstation object that is the VPN gateway.

Implementing a fully overlapping VPN domain isn't much more difficult than defining a normal VPN domain. All you need to do is properly define the network object. Simply define a group of network objects containing all of the involved gateways and all of their protected networks, and then point to this new group object as the VPN domain for those gateways.
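To make the three overlap types concrete, here is an added Python example (not code from the book or from Check Point) that classifies two VPN domains as partial overlap, full overlap or proper subset, and checks that a group object used as a fully overlapping domain is identical on every gateway and contains the gateways themselves. The networks are the chapter's; the gateway addresses are assumed placeholders.

```python
"""Classify overlapping VPN domains (added example, not code from the book).

Implements the chapter's three overlap types (partial overlap, full overlap,
proper subset) plus "disjoint", and checks that a group meant as a fully
overlapping MEP domain is identical on every gateway and contains the
gateways themselves. Networks are the chapter's; gateway IPs are constructed.
"""
from ipaddress import collapse_addresses, ip_network


def collapse(nets):
    """Parse CIDR strings and merge adjacent or nested prefixes."""
    return set(collapse_addresses([ip_network(n) for n in nets]))


def intersection(a, b):
    """Common address space of two collapsed domains: two prefixes either
    nest or are disjoint, so each pair's overlap is the more specific one."""
    common = {x if x.prefixlen >= y.prefixlen else y
              for x in a for y in b if x.overlaps(y)}
    return set(collapse_addresses(common))


def classify(domain_a, domain_b):
    """Return 'disjoint', 'partial overlap', 'full overlap' or 'proper subset'."""
    a, b = collapse(domain_a), collapse(domain_b)
    if a == b:
        return "full overlap"
    common = intersection(a, b)
    if not common:
        return "disjoint"
    if common in (a, b):  # one domain lies entirely inside the other
        return "proper subset"
    return "partial overlap"


def mep_domain_problems(gateways, group):
    """Problems with a fully overlapping MEP group (empty list = consistent).
    gateways maps name -> (gateway address, networks set as its VPN domain)."""
    problems, grp = [], collapse(group)
    for name, (gw_ip, configured) in gateways.items():
        if classify(configured, group) != "full overlap":
            problems.append(f"{name}: VPN domain is not identical to the MEP group")
        if not any(ip_network(gw_ip).subnet_of(n) for n in grp):
            problems.append(f"{name}: gateway {gw_ip} is not inside the group")
    return problems


# The chapter's networks (/24 assumed) plus constructed gateway addresses.
MEP_GROUP = ["172.17.2.0/24", "172.17.3.0/24", "192.168.0.0/24",
             "192.168.1.0/24", "10.0.0.0/24"]
GATEWAYS = {"ExternalFW": ("172.17.2.1", MEP_GROUP),  # constructed
            "BranchFW": ("10.0.0.1", MEP_GROUP)}       # constructed
```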

This type of VPN domain is very handy when dealing with critical connections. When a SecuRemote client attempts to communicate with a server residing within this overlapping domain, it will attempt to connect to all of the gateways, and will complete that connection with the first gateway to respond. This brings up a potential problem in that traffic that came in through one gateway could possibly be sent back out through a different gateway, which would result in that packet not being encrypted. To prevent this from happening, you have two choices.

  • Office mode: When using SecureClient, each gateway can assign users IP addresses from a different pool, ensuring connections are routed internally through the network back to the correct gateway.

  • IP pools: For site-to-site, SecureClient, or SecuRemote connections, IP pools enable you to assign an address to the connection from a previously configured source. This source can be either a network object or an address range.

Note that state synchronization cannot be considered a solution to asymmetric routing. Two firewalls cannot synchronize state fast enough to avoid this problem.

Both solutions are valid and very useful. If you ever have to use a VPN solution that doesn't support pools, you'll quickly see why having them available is far superior to not having them. To enable pools, you need to modify the global properties to enable the field called "Enable IP Pool NAT for SecuRemote and VPN connections". What to do when the pool evaporates is up to you. Figure 12.12 illustrates this window.

Figure 12.12: Enabling IP Pool NAT

Address exhaustion, which has the familiar three options of None, Log, and Alert, defines what to do when the addresses allocated to your pool are all used. It's not recommended that you select None. Address allocation and release information is a must for debugging purposes. Equate this with DHCP lease information as far as function, and consider the gap in your security policy if you didn't have accountability here.
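As an added illustration (not code from the book or from Check Point), the following Python model shows the asymmetric-routing problem described above and why a per-host IP pool fixes it, together with the None/Log/Alert address exhaustion choices. The internal routing table, the pool ranges and the client address are assumed values, not taken from the chapter.

```python
"""The MEP return-path problem and IP pool NAT (added example, not the book's).

A client reaches a server through whichever gateway answered first, but the
server's reply follows the internal routing table and can leave through the
other gateway unencrypted. With IP pool NAT the gateway that accepted the
tunnel rewrites the client's source to a pool address that internal routing
sends back to that same gateway. Route, pool and client addresses are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed internal routing table: (prefix, gateway the prefix is reached via).
ROUTES = [
    ("0.0.0.0/0", "ExternalFW"),    # default route: Internet-bound replies
    ("10.0.0.0/24", "BranchFW"),    # BranchNet sits behind BranchFW
    ("10.0.1.0/24", "ExternalFW"),  # IP pool assigned to ExternalFW
    ("10.0.2.0/24", "BranchFW"),    # IP pool assigned to BranchFW
]


def next_hop(dst):
    """Longest-prefix match, as the internal routers would do."""
    hits = [(ip_network(p), gw) for p, gw in ROUTES if ip_address(dst) in ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]


class PoolNat:
    """Per-host pool allocation with the None / Log / Alert exhaustion policy."""
    def __init__(self, cidr, on_exhausted="Log"):
        self.free = list(ip_network(cidr).hosts())
        self.leases = {}              # client address -> pool address (per host)
        self.on_exhausted = on_exhausted
        self.events = []              # what the policy would log or alert on

    def translate(self, client_ip):
        if client_ip in self.leases:  # a host keeps its address across connections
            return self.leases[client_ip]
        if not self.free:
            if self.on_exhausted != "None":  # "None" leaves no trace of the failure
                self.events.append(f"{self.on_exhausted}: pool exhausted for {client_ip}")
            return None
        addr = self.free.pop(0)
        self.leases[client_ip] = addr
        self.events.append(f"Log: {client_ip} allocated {addr}")
        return addr


NATS = {"ExternalFW": PoolNat("10.0.1.0/24"), "BranchFW": PoolNat("10.0.2.0/24")}


def reply_exit_gateway(entry_gw, client_ip, use_pool):
    """Gateway the server's reply is routed to, given where the tunnel entered."""
    src = NATS[entry_gw].translate(client_ip) if use_pool else client_ip
    return None if src is None else next_hop(str(src))
```

Without the pool a tunnel that entered BranchFW gets its reply routed to ExternalFW via the default route; with the pool the reply follows the 10.0.2.0/24 route back to BranchFW.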

Backup Gateway Configuration

The backup gateway configuration is much simpler than the SEP configuration. The Backup Gateway Configuration option allows you to define a gateway that is the primary endpoint for certain networks with a backup also being able to be an endpoint, but only if necessary. This is essentially because, as mentioned before, this is more of a failover solution than a high availability solution. The gateways aren't clustered and there's no way to synchronize. SecuRemote clients will connect to their primary gateway as normal. If that gateway fails, then the connections are reestablished with the backup gateway. This takes a few seconds, so there will be a momentary interruption in the user's connection. But a momentary interruption is definitely a lot better than one for an extended period of time. If, however, you don't want even a moment's interruption, SEP is the only real way to go (possibly using multiple ISPs).

Once you've enabled backup gateways in the Global Properties, you are able to define them within the gateway's object. On the NAT tab of the Gateway Properties, you'll see a new checkbox called "Use Backup Gateways:" and an associated pull-down menu. Place a checkmark in this box and select the desired backup gateway from the list, and you're off to the races. The results will resemble the window shown in Figure 12.13.

Figure 12.13: Configuring a Backup Gateway
Sidebar: Designing & Planning
Why Not Go All Out?

So, you aren't sure if either SEP or MEP is the solution for you. Say, for example, that you have a really mission-critical connection, one that just cannot be down. But you also have a requirement for redundant connections. These redundant connections have to be available even if an entire site goes down.

You have options. There's nothing that says you can't use both SEP and MEP in tandem. You could define an SEP cluster to handle the requirement for the highly available connection and then use MEP to define a redundant backup link!

End of sidebar

The next thing you will need to do is define how you will be translating incoming connections so that they will get routed back to the appropriate gateway from anywhere on your internal network. You can use office mode for SecureClient connections, which has already been covered, but for all other VPN connections, you will need to use IP pool NAT. First define a network object or address range object for the pool of addresses, then go to the NAT tab of the firewall's object. As shown in Figure 12.14, you will be able to define if you wish to use IP pools for remote access VPN connections ("Use IP Pool NAT for VPN clients connections") and/or site-to-site connections ("Use IP Pool NAT for gateway to gateway connections"). Select the appropriate boxes and define the IP pool you wish to use in the "Allocate IP Addresses from" section. You can also define how long to reserve each address (because the translations are per-host, not per connection). This is similar to the way a Dynamic Host Configuration Protocol (DHCP) lease operates.

Figure 12.14: Configuring IP Pool NAT

The next step is to define the VPN domain for this gateway. There are really no special tricks involved here. All you need to do is define the proper VPN domain for this gateway, just as you would if you were using a single gateway solution. Figure 12.15 illustrates this window. The gateway will be the primary destination for the network in its VPN Domain, but will also be able to handle decrypting traffic for the encryption domain it is backing up.

Figure 12.15: Selecting the VPN Domain

Overlapping VPN Domains

Establishing a MEP configuration using an overlapping VPN domain makes things about as easy as possible. Using the Overlapping VPN Domains option gives equal weight to both endpoints, unlike the Primary/Backup option employed in the Backup Gateways section. In simple terms, an overlapping VPN domain makes the VPN domain of all participating gateways identical. While a VPN domain usually contains a single gateway and the network that resides behind it, when establishing an overlap, the domain contains all of the gateways and their respective protected networks. Configuring MEP for a fully overlapping encryption setup isn't all that hard. Let's take a look at the steps. Figure 12.16 shows a MEP configuration using a fully overlapping VPN domain. You can refer back to Figure 12.9 for a more specific description of IP addresses. For these examples, you will need to create some network objects and a group with the following networks (a netmask of 255.255.255.0 is assumed) and objects included:

  • 172.17.2.0

  • 172.17.3.0 (previously defined as LAN)

  • 192.168.0.0

  • 192.168.1.0

  • 10.0.0.0 (previously defined as BranchNet)

  • ExternalFW object

  • BranchFW object

Figure 12.16: Fully Overlapping VPN Domain

The first step is to define these networks for use within your rulebase. By selecting Manage > Network Objects > New > Network from the Policy Editor, you'll be able to create the networks representing your VPN domain. After you have done that, you need to place them all into a group. Select Manage > Network Objects > New > Group > Simple Group from the Policy Manager menu, and create a group like the one in Figure 12.17.

Figure 12.17: Overlapping VPN Domain Group

Next, you have to configure this new VPN domain on all of the firewalls that are participating within the configuration, and that's it. Figure 12.18 illustrates what the Topology window will look like. Note the Manually defined VPN domain.

Figure 12.18: Overlapping VPN Domain

You also must use some means of avoiding the problem of asymmetric routing. Again, IP pools to the rescue, unless you're only using SecureClient, in which case you can use office mode. You'll also need to make sure that the routing within your network is properly configured to handle passing the traffic back to the network associated with the IP pool network. To associate an IP pool with the gateway, you first must define an address range or network object that will be used as the pool. After you do that, access the Check Point Gateway properties and access the NAT window. Place a checkmark in the box marked "Use IP Pool NAT for VPN clients connections" for client-to-site connections or "Use IP Pool NAT for gateway to gateway connections" for site-to-site connections, select the previously defined address range object, and you're ready to go. Figure 12.19 shows you this final configuration window.

Figure 12.19: Using IP Pools

When your SecuRemote clients attempt to initiate a connection, the first gateway to respond will be selected. This is a pretty simple method and is one of the reasons that this configuration is so straightforward.




Check Point NG[s]AI
ISBN: 735623015
Year: 2004
Pages: 149