https://community.checkpoint.com/t5/Firewall-and-Security-Management/site-to-site-VPN-IKEv2-and-Nat-T-issue-Impact-of-disabling-quot/m-p/109278#M14830 <P>Oh, you have a 5100 ! I just worked 20min to answer your question as if you had a 1500 SMB <span class="lia-unicode-emoji" title=":frowning_face:">☹️</span>. Bad place, to post it on SMB...</P> Fri, 29 Jan 2021 11:33:48 GMT G_W_Albrecht 2021-01-29T11:33:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/site-to-site-VPN-IKEv2-and-Nat-T-issue-Impact-of-disabling-quot/m-p/109267#M14829 <P>So I have a site to site VPN with a Cisco ASA device from my Clustered 5100 firewalls.&nbsp; The tunnel comes up, but they cannot see any traffic coming from my side.&nbsp; I believe the issue is with IKEV2 and the "support Nat-t" on Gateway according to SK5390.</P><P>I have about 40 site to site VPNS configured and only this one is using IKEv2. We also have checkpoint mobile clients connecting in to our 5100.&nbsp; What is the impact if I disable the option to "Support NAT-T" on the gateway for the checkpoint mobile clients?&nbsp; Is there a way to disable NAT-T for just one site to site VPN?</P><P>&nbsp;</P><P>Thanks,</P> Fri, 29 Jan 2021 10:05:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/site-to-site-VPN-IKEv2-and-Nat-T-issue-Impact-of-disabling-quot/m-p/109267#M14829 Daniel_Bourne 2021-01-29T10:05:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/site-to-site-VPN-IKEv2-and-Nat-T-issue-Impact-of-disabling-quot/m-p/109278#M14830 <P>Oh, you have a 5100 ! I just worked 20min to answer your question as if you had a 1500 SMB <span class="lia-unicode-emoji" title=":frowning_face:">☹️</span>. Bad place, to post it on SMB...</P> Fri, 29 Jan 2021 11:33:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/site-to-site-VPN-IKEv2-and-Nat-T-issue-Impact-of-disabling-quot/m-p/109278#M14830 G_W_Albrecht 2021-01-29T11:33:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/site-to-site-VPN-IKEv2-and-Nat-T-issue-Impact-of-disabling-quot/m-p/109284#M14831 <P>Sorry, I thought that was the correct area.&nbsp; Not sure how to change that or delete the post unfortunately.</P><P>&nbsp;</P> Fri, 29 Jan 2021 12:36:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/site-to-site-VPN-IKEv2-and-Nat-T-issue-Impact-of-disabling-quot/m-p/109284#M14831 Daniel_Bourne 2021-01-29T12:36:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/site-to-site-VPN-IKEv2-and-Nat-T-issue-Impact-of-disabling-quot/m-p/109291#M14832 <P>My recommendation for interoperable VPNs is to try IKEv2 with them, but do not hesitate to return to IKEv1 if there are any problems.&nbsp; I'm not sure where you got that SK number, but I think this is the one you want:</P> <P><A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk165003&amp;partition=Advanced&amp;product=IPSec" target="_blank">sk165003: When Security Gateway initiates VPN tunnel with 3rd Party peer using <STRONG>IKEv2</STRONG>, VPN tunnel is forced to <STRONG>NAT-T</STRONG> and traffic fails</A></P> <P>Also possible that your situation is a known bug on the Cisco side, see here:</P> <P><A id="link_2_3f747a7d22d34f_1dfb44" class="page-link lia-link-navigation lia-custom-event" href="https://community.checkpoint.com/t5/General-Topics/VPN-issue-with-IKEv2-and-Cisco-ASA/m-p/64830?search-action-id=21506175181&amp;search-result-uid=64830" target="_blank">VPN issue with IKEv2 and<SPAN>&nbsp;</SPAN><SPAN class="lia-search-match-lithium">Cisco</SPAN><SPAN>&nbsp;</SPAN>ASA</A></P> <P>&nbsp;</P> Fri, 29 Jan 2021 13:48:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/site-to-site-VPN-IKEv2-and-Nat-T-issue-Impact-of-disabling-quot/m-p/109291#M14832 Timothy_Hall 2021-01-29T13:48:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/site-to-site-VPN-IKEv2-and-Nat-T-issue-Impact-of-disabling-quot/m-p/109292#M14833 <P>Message me privately, we can do remote session...I hope I would be able to help you.</P> <P>&nbsp;</P> <P>Andy</P> Fri, 29 Jan 2021 13:52:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/site-to-site-VPN-IKEv2-and-Nat-T-issue-Impact-of-disabling-quot/m-p/109292#M14833 the_rock 2021-01-29T13:52:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/site-to-site-VPN-IKEv2-and-Nat-T-issue-Impact-of-disabling-quot/m-p/109331#M14840 <P>Has been relocated thanks to <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a> i guess 8)</img> -&nbsp; that is how it is done...</P> Sat, 30 Jan 2021 09:47:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/site-to-site-VPN-IKEv2-and-Nat-T-issue-Impact-of-disabling-quot/m-p/109331#M14840 G_W_Albrecht 2021-01-30T09:47:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/site-to-site-VPN-IKEv2-and-Nat-T-issue-Impact-of-disabling-quot/m-p/109504#M14928 <P>Yes, threads can only be moved by admins <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 01 Feb 2021 22:51:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/site-to-site-VPN-IKEv2-and-Nat-T-issue-Impact-of-disabling-quot/m-p/109504#M14928 PhoneBoy 2021-02-01T22:51:37Z