Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ks07
Participant

How to disable NAT-T for a specific VPN Tunnel

How to disable NAT-T for a specific VPN Tunnel

Good morning team, I need support because I want to disable NAT-T port 4500 for a specific VPN S2S, as I am having problems with this VPN that is Check point communication with Check point, but every so often we see interruptions and fall of the VPN, at the level of logs we have only found that they are negotiating through NAT-T port 4500 and not throught port 500 which is normal.

I have read a lot of documentation and checkmates but they all say the same thing:

1- NAT-T communication is usually initiated by the peer and checkpoint is only allowed to accept the traffic or not.
2- NAT-T can be disabled but it is a global configuration that can affect all VPN's.
3- NAT-T can be changed in the gateway but I understand that this still affects all VPNs connected to this gateway.

regards

2024-05-21_12h07_54.png

0 Kudos
6 Replies
JozkoMrkvicka
Mentor
Mentor

In every VPN community there is option to disable NAT for this community. Not sure if this is valid also for NAT-T traffic.

If you see issue with NAT-T, I would suggest to contact TAC and investigate it.

NAT-T is used because there is some NAT device in between 2 peers. In order to keep connection in NAT device connection table, Check Point firewall is using NAT-T as keepalive packets every 10 seconds (even if there is no interesting traffic).

Kind regards,
Jozko Mrkvicka
(1)
the_rock
Legend
Legend

@JozkoMrkvicka described it perfectly.

Andy

Chris_Atkinson
Employee Employee
Employee

Are you seeing / experiencing this on R81.20 or some other version?

Are all gateways under the same management and what is the topology, is either gateway DAIP?

CCSM R77/R80/ELITE
the_rock
Legend
Legend

Great call about DAIP.

0 Kudos
SenpaiNoticed_U
Employee
Employee

NAT-T is normal for a Tunnel if the Gateway is hidden behind a Device that controls the Public IP address.

With Check Point, there is a Hash Value for NAT-T detection, and if this Hash returns different, then this is a indication that the Tunnel has been NATed behind some other device, thus causing the Tunnel to be made with NAT-T.

Thus if NAT-T is needed, then NAT-T should not be modified.

Also, make sure that the Interface you are using for a VPN Tunnel is defined as External interface.

If you are experiencing Outages,
Please enable VPN debugs and open a TAC case for further investigation.



Duane_Toler
Advisor

Check  SK177823 to see if that helps.  There was a change in a set of Jumbo HFAs a short time ago.

https://support.checkpoint.com/results/sk/sk177823

 

Edit:

Likewise SK32664 has some related info:

https://support.checkpoint.com/results/sk/sk32664

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events