Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Stephan_Kremer
Participant

Force NAT-T for S2S VPN with two DAIP locally managed appliances

Hi all,

 

I have two locally managed DAIP gateways (620 & 730). I need to create a site-to-site VPN between them:

 

620 -----> NAT device ------> Internet ------> NAT device -----> 730

 

730 is configured that only remote site opens the connection. 620 is using the hostname to open the connection. Authentication is based on certificates and IKEv1 is used. Using the hostname to connect, NAT-T is not used and so the tunnel is not established. If I temporary change the connection from hostname to IP between static NAT, then the tunnel comes up because NAT-T is used.

My question: how can I force the gateway to use NAT-T when connecting to a hostname instead of an IP?

 

Many thanks,

 

Stephan

0 Kudos
9 Replies
G_W_Albrecht
Legend
Legend

0 Kudos
Stephan_Kremer
Participant

I will give it a try later on, sounds promising. Thanks!

0 Kudos
Stephan_Kremer
Participant

I gave it a try, but there is a known limitation that seems to match exactly my environment:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

ID: 01620625

 

Does anybody know if there is a workaround or fix available, so would it make sense to open a SR?

0 Kudos
PhoneBoy
Admin
Admin

This would most likely require an RFE to address.
0 Kudos
Stephan_Kremer
Participant

Yes, I opened a RFE. Let‘s see what happens. Thanks. 

0 Kudos
G_W_Albrecht
Legend
Legend

I think that sk105380 and sk162472 contradict each h other - did you try sk162472 yet ?

0 Kudos
Stephan_Kremer
Participant

Yes, sure I tried but it does not work. The contradiction is quite obvious 🙂

0 Kudos
G_W_Albrecht
Legend
Legend

RFE is nice, but did you already consult TAC ?

0 Kudos
Stephan_Kremer
Participant

Yes, they confirmed that the limitations is still valid and I need to open a RFE.

0 Kudos