https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64436#M2445 <P>Yes, I opened a RFE. Let‘s see what happens. Thanks.&nbsp;</P> Sun, 06 Oct 2019 06:42:12 GMT Stephan_Kremer 2019-10-06T06:42:12Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64030#M2418 <P>Hi all,</P><P>&nbsp;</P><P>I have two locally managed DAIP gateways (620 &amp; 730). I need to create a site-to-site VPN between them:</P><P>&nbsp;</P><P>620 -----&gt; NAT device ------&gt; Internet ------&gt; NAT device -----&gt; 730</P><P>&nbsp;</P><P>730 is configured that only remote site opens the connection. 620 is using the hostname to open the connection. Authentication is based on certificates and IKEv1 is used. Using the hostname to connect, NAT-T is not used and so the tunnel is not established. If I temporary change the connection from hostname to IP between static NAT, then the tunnel comes up because NAT-T is used.</P><P>My question: how can I force the gateway to use NAT-T when connecting to a hostname instead of an IP?</P><P>&nbsp;</P><P>Many thanks,</P><P>&nbsp;</P><P>Stephan</P> Tue, 01 Oct 2019 06:28:55 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64030#M2418 Stephan_Kremer 2019-10-01T06:28:55Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64033#M2419 <P>This is explained in&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk162472&amp;partition=Advanced&amp;product=Small" target="_blank">sk162472: How to force <STRONG>NAT-T</STRONG> on Gaia Embedded devices</A></P> Tue, 01 Oct 2019 06:58:57 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64033#M2419 G_W_Albrecht 2019-10-01T06:58:57Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64035#M2420 <P>I will give it a try later on, sounds promising. Thanks!</P> Tue, 01 Oct 2019 07:32:14 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64035#M2420 Stephan_Kremer 2019-10-01T07:32:14Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64065#M2421 <P>I gave it a try, but there is a known limitation that seems to match exactly my environment:</P><P><A title="600/700 known limitations" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk105380" target="_blank" rel="noopener">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk105380</A>&nbsp;</P><P>ID:&nbsp;<A href="tel:01620625" target="_blank">01620625</A></P><P>&nbsp;</P><P>Does anybody know if there is a workaround or fix available, so would it make sense to open a SR?</P> Tue, 01 Oct 2019 15:08:42 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64065#M2421 Stephan_Kremer 2019-10-01T15:08:42Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64419#M2444 This would most likely require an RFE to address. Sat, 05 Oct 2019 05:13:09 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64419#M2444 PhoneBoy 2019-10-05T05:13:09Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64436#M2445 <P>Yes, I opened a RFE. Let‘s see what happens. Thanks.&nbsp;</P> Sun, 06 Oct 2019 06:42:12 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64436#M2445 Stephan_Kremer 2019-10-06T06:42:12Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64630#M2446 <P>I think that&nbsp;<SPAN>sk105380 and&nbsp;sk162472 contradict&nbsp;each h other - did you try&nbsp;sk162472 yet ?</SPAN></P> Wed, 09 Oct 2019 13:12:47 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64630#M2446 G_W_Albrecht 2019-10-09T13:12:47Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64632#M2447 <P>Yes, sure I tried but it does not work. The contradiction is quite obvious <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 09 Oct 2019 13:30:06 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64632#M2447 Stephan_Kremer 2019-10-09T13:30:06Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64634#M2448 <P>RFE is nice, but did you already consult TAC ?</P> Wed, 09 Oct 2019 13:32:58 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64634#M2448 G_W_Albrecht 2019-10-09T13:32:58Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64637#M2449 <P>Yes, they confirmed that the limitations is still valid and I need to open a RFE.</P> Wed, 09 Oct 2019 13:40:37 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Force-NAT-T-for-S2S-VPN-with-two-DAIP-locally-managed-appliances/m-p/64637#M2449 Stephan_Kremer 2019-10-09T13:40:37Z