Force NAT-T for S2S VPN with two DAIP locally managed appliances

Hi all,

I have two locally managed DAIP gateways (620 & 730). I need to create a site-to-site VPN between them:

620 -----> NAT device ------> Internet ------> NAT device -----> 730

The 730 is configured so that only the remote site opens the connection. The 620 uses the hostname to open the connection. Authentication is based on certificates and IKEv1 is used. When using the hostname to connect, NAT-T is not used and so the tunnel is not established. If I temporarily change the connection from hostname to the static NAT IP, then the tunnel comes up because NAT-T is used.

My question: how can I force the gateway to use NAT-T when connecting to a hostname instead of an IP?

Many thanks,

Stephan

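Whatever the gateway does differently with a hostname peer, a UDP/500 capture of the first four Main Mode messages shows two things directly: whether each side advertised NAT-T at all (a Vendor ID payload carrying the RFC 3947 or draft-02 VID in messages 1/2) and whether the NAT-D payloads in messages 3/4 detected a NAT on either side. The following is an added diagnostic example written for this thread; it is not the poster's configuration or Check Point code. It assumes the standard VID strings (MD5 of "RFC 3947" and of "draft-ietf-ipsec-nat-t-ike-02\n"), the RFC 3947 NAT-D construction HASH(CKY-I | CKY-R | IP | Port), and constructed sample packets, SPIs and documentation-range addresses standing in for the 620 (behind a NAT) and the 730.

```python
"""Check whether IKEv1 NAT-T was negotiated, from the cleartext Phase 1 messages.

Added example, not from the thread or from Check Point. Main Mode messages 1-4
are unencrypted, so a UDP/500 capture suffices to see the NAT-T Vendor ID
(RFC 3947 section 3) and the NAT-D payloads (payload type 20, section 3.2).
"""
import hashlib
import ipaddress
import struct

# ISAKMP header: I-SPI, R-SPI, next payload, version, exchange, flags, msg id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PAYLOAD_VID = 13
PAYLOAD_NATD = 20
FLAG_ENCRYPTED = 0x01

# Vendor IDs announcing NAT-T: the RFC 3947 VID and the draft-02 VID many stacks
# still send. Both are the MD5 of the quoted string (assumed standard values).
NAT_T_VIDS = {
    hashlib.md5(b"RFC 3947").digest(): "RFC 3947",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02\n").digest(): "draft-ietf-ipsec-nat-t-ike-02",
}


def natd_hash(hash_name, ispi, rspi, ip, port):
    """NAT-D value per RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port),
    with the hash algorithm negotiated in the SA payload."""
    h = hashlib.new(hash_name)
    h.update(ispi + rspi + ipaddress.ip_address(ip).packed + struct.pack("!H", port))
    return h.digest()


def build_packet(ispi, rspi, payloads, exchange=2):
    """Assemble a cleartext ISAKMP message from (type, body) pairs
    (exchange 2 = Main Mode). Used here only to construct sample packets."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(ispi, rspi, first, 0x10, exchange, 0, 0, ISAKMP_HDR.size + len(body))
    return hdr + body


def iter_payloads(packet):
    """Yield (payload_type, body) for each payload, with bounds checks."""
    if len(packet) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    _i, _r, next_pl, _ver, _xchg, flags, _msgid, length = ISAKMP_HDR.unpack_from(packet)
    if flags & FLAG_ENCRYPTED:
        raise ValueError("payloads are encrypted (message 5 or later)")
    if length > len(packet):
        raise ValueError("header length exceeds packet")
    off = ISAKMP_HDR.size
    while next_pl != 0:
        if off + 4 > length:
            raise ValueError("truncated payload header")
        nxt, _res, plen = struct.unpack_from("!BBH", packet, off)
        if plen < 4 or off + plen > length:
            raise ValueError("bad payload length")
        yield next_pl, packet[off + 4:off + plen]
        next_pl, off = nxt, off + plen


def analyze(packet):
    """Return the NAT-T vendor ID seen (or None) and the list of NAT-D hashes."""
    vid, natd = None, []
    for ptype, body in iter_payloads(packet):
        if ptype == PAYLOAD_VID and body in NAT_T_VIDS:
            vid = NAT_T_VIDS[body]
        elif ptype == PAYLOAD_NATD:
            natd.append(body)
    return {"natt_vid": vid, "natd": natd}


def nat_detected(packet, hash_name, my_ip, my_port, peer_ip, peer_port):
    """Evaluate the NAT-D payloads of a message received from the peer.

    my_ip/my_port is our own address; peer_ip/peer_port is the source the packet
    actually arrived from. The first NAT-D is the sender's view of our address,
    the rest are the sender's own addresses; a mismatch means a NAT rewrote that
    side. Returns (we_are_behind_nat, peer_is_behind_nat)."""
    ispi, rspi = ISAKMP_HDR.unpack_from(packet)[:2]
    natd = analyze(packet)["natd"]
    if len(natd) < 2:
        raise ValueError("no NAT-D exchange in this message; NAT-T was not negotiated")
    we_natted = natd[0] != natd_hash(hash_name, ispi, rspi, my_ip, my_port)
    peer_natted = natd_hash(hash_name, ispi, rspi, peer_ip, peer_port) not in natd[1:]
    return we_natted, peer_natted


def demo():
    """Constructed sample: the 620 (initiator, private 10.0.0.5 behind a NAT with
    public address 203.0.113.7) talking to the 730 (responder, 198.51.100.9)."""
    ispi, rspi = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
    # Message 1: initiator advertises NAT-T support (responder SPI still zero).
    msg1 = build_packet(ispi, b"\x00" * 8, [(PAYLOAD_VID, hashlib.md5(b"RFC 3947").digest())])
    # Message 3: initiator hashes the responder's address, then its own private one.
    msg3 = build_packet(ispi, rspi, [
        (PAYLOAD_NATD, natd_hash("sha1", ispi, rspi, "198.51.100.9", 500)),
        (PAYLOAD_NATD, natd_hash("sha1", ispi, rspi, "10.0.0.5", 500)),
    ])
    # The 730 sees msg3 arrive from the NAT's public address, not from 10.0.0.5.
    return analyze(msg1)["natt_vid"], nat_detected(msg3, "sha1", "198.51.100.9", 500, "203.0.113.7", 500)


if __name__ == "__main__":
    print(demo())  # ('RFC 3947', (False, True))
```

In a real capture, feed the UDP payload of each message to `analyze()`; if neither side's message 1/2 carries a NAT-T VID, the NAT-D exchange never happens and the tunnel will not float to UDP/4500, which matches the symptom described in the post. If the VIDs are present but `nat_detected()` reports no NAT on either side, the peer hashed addresses that agree with what you see on the wire, so the problem lies elsewhere.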
9 Replies

I will give it a try later on, sounds promising. Thanks!


I gave it a try, but there is a known limitation that seems to match exactly my environment:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

ID: 01620625

 

Does anybody know if there is a workaround or fix available, or would it make sense to open an SR?

Admin

This would most likely require an RFE to address.

Yes, I opened an RFE. Let's see what happens. Thanks.

Sapphire

I think that sk105380 and sk162472 contradict each other - did you try sk162472 yet?


Yes, sure I tried but it does not work. The contradiction is quite obvious 🙂

Sapphire

RFE is nice, but did you already consult TAC?


Yes, they confirmed that the limitation is still valid and I need to open an RFE.
