https://community.checkpoint.com/t5/Firewall-and-Security-Management/Nat-Traversal-needs-to-be-enable-for-remote-peer/m-p/112269#M15575 <P>Have you set&nbsp;<EM>offer_nat_t_initator&nbsp;</EM>specified in&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk32664&amp;partition=Basic&amp;product=IPSec" target="_blank" rel="noopener">sk32664: Check Point Security Gateway initiating an IKE negotiation over <STRONG>NAT-T</STRONG></A>?</P> <P>Beyond that there are many many VPN fixes in the latest Jumbo HFA for R80.20 which is Take 188.&nbsp; I don't see any fixes that are directly relevant to your reported problem, but there are quite a few fixes involving NAT-T present.&nbsp; I'd say that is probably your next course of action as there is no point in chasing a bug that has probably already been fixed.&nbsp; The latest Jumbo HFA also has a knack for fixing various VPN interoperability issues as well in my experience.</P> Tue, 02 Mar 2021 12:59:19 GMT Timothy_Hall 2021-03-02T12:59:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Nat-Traversal-needs-to-be-enable-for-remote-peer/m-p/112253#M15570 <P>Hi&nbsp;</P><P>we need to enable Nat Traversal for one of our customer peer gateway, customer end only UDP 4500 port allowed for negotiation and i have enabled&nbsp; <U>Nat Traversal is on our Gateway but traffic initiation on port 500&nbsp;</U> and due to that phase 1 is not coming up.&nbsp;</P><P>What to do in this scenario</P><P>We have R80.20 standalone gateway with take_117</P><P>&nbsp;</P><P>&nbsp;</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P>&nbsp;</P> Tue, 02 Mar 2021 11:22:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Nat-Traversal-needs-to-be-enable-for-remote-peer/m-p/112253#M15570 Ana_11 2021-03-02T11:22:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Nat-Traversal-needs-to-be-enable-for-remote-peer/m-p/112262#M15573 <P>If I remember correctly the gateways detect whether NAT exists between them in IKEv1 main mode packets 3 and 4, then NAT-T on UDP 4500 starts at IKEv1 packet 5 if needed.&nbsp; So even if NAT-T is forced from the start I'm pretty sure IKEv1 will still use UDP 500 in main mode packets 1-4 which would be expected behavior.&nbsp; If you are failing out after IKEv1 main mode packet 2 it is just a settings mismatch (encryption, hashing, etc.) that you need to correct.</P> Tue, 02 Mar 2021 12:35:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Nat-Traversal-needs-to-be-enable-for-remote-peer/m-p/112262#M15573 Timothy_Hall 2021-03-02T12:35:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Nat-Traversal-needs-to-be-enable-for-remote-peer/m-p/112264#M15574 <P>Hi <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/597">@Timothy_Hall</a>&nbsp;,</P><P>the tunnel is getting failed in phase1 MM1. And on the peer end only port 4500 is allowed for this vpn tunnel negotiation. we have juniper in peer end and from logs its stating that there is some port discrepancy and peer end is expecting first packet on port 4500.</P> Tue, 02 Mar 2021 12:41:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Nat-Traversal-needs-to-be-enable-for-remote-peer/m-p/112264#M15574 Ana_11 2021-03-02T12:41:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Nat-Traversal-needs-to-be-enable-for-remote-peer/m-p/112269#M15575 <P>Have you set&nbsp;<EM>offer_nat_t_initator&nbsp;</EM>specified in&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk32664&amp;partition=Basic&amp;product=IPSec" target="_blank" rel="noopener">sk32664: Check Point Security Gateway initiating an IKE negotiation over <STRONG>NAT-T</STRONG></A>?</P> <P>Beyond that there are many many VPN fixes in the latest Jumbo HFA for R80.20 which is Take 188.&nbsp; I don't see any fixes that are directly relevant to your reported problem, but there are quite a few fixes involving NAT-T present.&nbsp; I'd say that is probably your next course of action as there is no point in chasing a bug that has probably already been fixed.&nbsp; The latest Jumbo HFA also has a knack for fixing various VPN interoperability issues as well in my experience.</P> Tue, 02 Mar 2021 12:59:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Nat-Traversal-needs-to-be-enable-for-remote-peer/m-p/112269#M15575 Timothy_Hall 2021-03-02T12:59:19Z