https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246252#M12454 <P><SPAN>When trying to connect a DAIP VPN Gateway with NAT hide to the VPN VSX, no VPN tunnel can be established. In the files iked.elg and vpnd.elg I don't find a reason why this VPN tunnel cannot be established.</SPAN></P><P><SPAN>The Check Point TAC told us that this is not working due to the fact that NAT hide changes the source port IKE from 500/udp to a high port and also NAT-T from 4500/4500 to a high port. Still the destination port remains correct.</SPAN></P><P><SPAN>All other site to site VPN tunnels work fine. They all have a fix public IP address. Please help me to find the reason why this is not working.</SPAN></P><P><SPAN>Does anybody have experience with such a topology or even a setup which is working?</SPAN></P><P><SPAN>Thank you for your help.</SPAN></P> Fri, 11 Apr 2025 13:13:44 GMT bbruelhart 2025-04-11T13:13:44Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246252#M12454 <P><SPAN>When trying to connect a DAIP VPN Gateway with NAT hide to the VPN VSX, no VPN tunnel can be established. In the files iked.elg and vpnd.elg I don't find a reason why this VPN tunnel cannot be established.</SPAN></P><P><SPAN>The Check Point TAC told us that this is not working due to the fact that NAT hide changes the source port IKE from 500/udp to a high port and also NAT-T from 4500/4500 to a high port. Still the destination port remains correct.</SPAN></P><P><SPAN>All other site to site VPN tunnels work fine. They all have a fix public IP address. Please help me to find the reason why this is not working.</SPAN></P><P><SPAN>Does anybody have experience with such a topology or even a setup which is working?</SPAN></P><P><SPAN>Thank you for your help.</SPAN></P> Fri, 11 Apr 2025 13:13:44 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246252#M12454 bbruelhart 2025-04-11T13:13:44Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246254#M12455 <P>Would you mind send debug files? Happy to review myself (you can also DM me, no problem). By the way, in my humble opinion, if dst port is unchanged, then you are fine, because source port literally would never matter, only destination one.</P> <P>Andy</P> Fri, 11 Apr 2025 13:22:12 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246254#M12455 the_rock 2025-04-11T13:22:12Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246262#M12456 <P>Hello Andy</P><P>&nbsp;</P><P>Thanks for your fast answer. That's what I thought as well that the source port would not matter but the engineers in the case insisted that it has to have the same source port for IKE and NAT-T.&nbsp;<BR />I will try to find the requested files and send them to you.<BR /><BR /></P><P>On the central side I have a cluster of Quantum 26000 with a VSX for VPN connection and on the remote side I have a Quantum Spark 1575.&nbsp;</P><P>Should that topology work at all?</P> Fri, 11 Apr 2025 14:01:07 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246262#M12456 bbruelhart 2025-04-11T14:01:07Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246264#M12457 <P>That should be fine. Is it star community? Honestly, I still have hard time with understanding how same source port would need to be the same, but maybe someone else can confirm for sure.</P> <P>Andy</P> Fri, 11 Apr 2025 14:28:04 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246264#M12457 the_rock 2025-04-11T14:28:04Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246339#M12465 <P>Why do you use S2S for a DIAP GW? The reasonable choice would be to fall back to RAS VPN in this case. Did you try that?</P> Mon, 14 Apr 2025 07:21:24 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246339#M12465 _Val_ 2025-04-14T07:21:24Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246345#M12466 <P>Should work if the DAIP GW starts the VPN tunnel. DId read this <A href="https://support.checkpoint.com/results/sk/sk167473" target="_blank" rel="noopener"><SPAN>sk167473: Dynamically Assigned IP Address (<STRONG>DAIP</STRONG>) Gateway FAQ</SPAN></A>?</P> Mon, 14 Apr 2025 08:18:09 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246345#M12466 G_W_Albrecht 2025-04-14T08:18:09Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246404#M12467 <P>I was able to configure both, the dynamic gateway and the center side VSX, both on the same management server.</P><P>After allowing the ports FW1_ica_pull, FW1_ica_push, FW1_ica_services and FW1_log and defining the dynamic gateway's MAC address I was able to configure the SIC securely.</P><P>After that I could pull the prepared policy from the management server and then the VPN tunnel and the prepared policy was working.</P><P>Thanks again to Andy, the legend, for his support.</P> Mon, 14 Apr 2025 13:12:25 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246404#M12467 bbruelhart 2025-04-14T13:12:25Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246478#M12472 <P>Why did you have to allow these ports ? Are they not covered by implied rules ?</P> Tue, 15 Apr 2025 09:33:27 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246478#M12472 G_W_Albrecht 2025-04-15T09:33:27Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246518#M12500 <P>Hello&nbsp;<BR />Now, I am confused. How would I define a RAS VPN then?<BR />What object would I define in the SmartConsole for die DIAP gateway?</P><P>Regards</P><P>Beat</P> Tue, 15 Apr 2025 13:19:59 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246518#M12500 bbruelhart 2025-04-15T13:19:59Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246520#M12501 <P>The DIAP gateway is in the Internet and needs to communicate with the Check Point management server which is behind the Internet firewall. So, for the SIC I allowed FW1_ica_service, FW1_ica_pull, FW1_ica_push, FW1_log and CPD to th public (NAT) object of the managment server. Only with the implied rules this did not work for me.<BR />Is there another way to do that?&nbsp;</P> Tue, 15 Apr 2025 13:34:38 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246520#M12501 bbruelhart 2025-04-15T13:34:38Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246535#M12502 <P>I can not verify that - this had not been a need for non-VSX GAiA GWs / SMS with older SMBs. But as it is working that seems the correct way to do it <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 15 Apr 2025 14:55:10 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Site-to-Site-VPN-with-DAIP-Gateway-and-NAT-hide-not-working/m-p/246535#M12502 G_W_Albrecht 2025-04-15T14:55:10Z