https://community.checkpoint.com/t5/Firewall-and-Security-Management/Not-Up-VPN-site-to-site-with-NAT/m-p/248464#M48532 <P>8.png -&gt; change from host to subnet. if this not works change to gateway. Both changes require policy push.&nbsp;</P> <P>topo i cannot read so cannot double check encryption domains / nat table. Also make sure disable nat option is disabled in the vpn community.&nbsp;</P> Thu, 08 May 2025 19:24:40 GMT Lesley 2025-05-08T19:24:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Not-Up-VPN-site-to-site-with-NAT/m-p/248419#M48525 <P>I have the vpn site to site between checkpoint and fortigate as below ( NAT only at checkpoint )</P><P>I have&nbsp;referenced and configured&nbsp; many guides but tunnel still does not work.</P><P>The log on the Fortigate reports that phase 2 is failing ( when no use NAT , everythings is good )</P><P>Pls, help me this issue ( nextime, we will swap ASA to checkpoint )</P><P>My device runs os 81.20</P><P>My configuration is as pictures below.</P><P>Thank,</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 08 May 2025 08:14:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Not-Up-VPN-site-to-site-with-NAT/m-p/248419#M48525 DaoSon 2025-05-08T08:14:39Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Not-Up-VPN-site-to-site-with-NAT/m-p/248447#M48530 <P>It's far better to post screenshots inline in the editor rather than as attachments, FYI.</P> <P>The fact it works without NAT occurring on the Check Point side suggests the Fortigate isn't configured correctly to account for the NAT addresses.<BR /><BR /></P> Thu, 08 May 2025 13:28:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Not-Up-VPN-site-to-site-with-NAT/m-p/248447#M48530 PhoneBoy 2025-05-08T13:28:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Not-Up-VPN-site-to-site-with-NAT/m-p/248464#M48532 <P>8.png -&gt; change from host to subnet. if this not works change to gateway. Both changes require policy push.&nbsp;</P> <P>topo i cannot read so cannot double check encryption domains / nat table. Also make sure disable nat option is disabled in the vpn community.&nbsp;</P> Thu, 08 May 2025 19:24:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Not-Up-VPN-site-to-site-with-NAT/m-p/248464#M48532 Lesley 2025-05-08T19:24:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Not-Up-VPN-site-to-site-with-NAT/m-p/248476#M48538 <P>Apart from what guys said, make sure below are set to FALSE on CP side from guidbedit.</P> <P>Andy</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt; color: black;">ike_enable_supernet</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt; color: black;">ike_p2_enable_supernet_from_R80.20</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt; color: black;">ike_use_largest_possible_subnets</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt; color: black;">&nbsp;</P> Fri, 09 May 2025 02:17:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Not-Up-VPN-site-to-site-with-NAT/m-p/248476#M48538 the_rock 2025-05-09T02:17:25Z