topic Re: Enable NAT Traversal per VPN community in Firewall and Security Management

Enable NAT Traversal per VPN community

Michael_Horne — Mon, 27 Sep 2021 08:37:49 GMT

Hello All,

Is there a supported way to enable NAT-T for a specific VPN community only?

As far as I can tell NAT-T can only be activated via SmartConsole for the entire gateway / cluster. We have one VPN issue, where the remote party is saying that enabling NAT-T will solve the issue. We have had problems in the past when enabling NAT-T on a gateway cluster where the remote end of the VPN will try NAT-T and the checkpoint doesn't and neither end will switch over to use the method of the other gateway.

We do not want to enable NAT-T on the gateway / cluster for the this Site to site VPN, due to the risk of breaking some of the already existing VPN tunnels.

We would prefer to enable NAT-T for the specific VPN community for testing. if this was possible.

Many thanks,

Michael

Re: Enable NAT Traversal per VPN community

G_W_Albrecht — Mon, 27 Sep 2021 08:44:14 GMT

sk104760: ATRG: VPN Core:

Check Point VPN clients and SMB appliances (600/700/1100/1200R/1400/Edge) will initiate a negotiation with NAT-D payload, so NAT-T can be agreed on. However, Security Gateways currently support responding to negotiation with NAT-D payload, but do not initiate NAT-D themselves.

Re: Enable NAT Traversal per VPN community

Michael_Horne — Mon, 27 Sep 2021 08:52:49 GMT

Is there a way to enable the support for NAT-T per community, and not globally for a gateway / cluster?

We have found, for what ever reason, that enabling this feature globally has caused some VPN tunnels, where neither end is behind a NAT device, to fail.

Re: Enable NAT Traversal per VPN community

G_W_Albrecht — Mon, 27 Sep 2021 11:14:03 GMT

You can only disable answering to NAT-D per GW in IP Sec VPN - VPN Advanced, but not per community.

Re: Enable NAT Traversal per VPN community

G_W_Albrecht — Mon, 27 Sep 2021 11:15:37 GMT

sk32664 tells us:

Pre-R80.10

Check Point Security Gateways only supports answering to NAT-T proposals from the peer side gateway when all of the following conditions are met:

The peer gateway has to be a "dynamic" gateway without a fixed IP address.
Certificate-based authentication must be used for the VPN community.
The remote end has to initiate the NAT-T request.

Since R80.10 it is possible to change the behaviour and make CP GWs initiate NAT-T, but this is not the default.