- CheckMates
- :
- Products
- :
- Quantum
- :
- SMB Gateways (Spark)
- :
- Re: Force NAT-T for S2S VPN with two DAIP locally ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Force NAT-T for S2S VPN with two DAIP locally managed appliances
Hi all,
I have two locally managed DAIP gateways (620 & 730). I need to create a site-to-site VPN between them:
620 -----> NAT device ------> Internet ------> NAT device -----> 730
730 is configured that only remote site opens the connection. 620 is using the hostname to open the connection. Authentication is based on certificates and IKEv1 is used. Using the hostname to connect, NAT-T is not used and so the tunnel is not established. If I temporary change the connection from hostname to IP between static NAT, then the tunnel comes up because NAT-T is used.
My question: how can I force the gateway to use NAT-T when connecting to a hostname instead of an IP?
Many thanks,
Stephan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is explained in sk162472: How to force NAT-T on Gaia Embedded devices
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I will give it a try later on, sounds promising. Thanks!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I gave it a try, but there is a known limitation that seems to match exactly my environment:
ID: 01620625
Does anybody know if there is a workaround or fix available, so would it make sense to open a SR?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I opened a RFE. Let‘s see what happens. Thanks.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think that sk105380 and sk162472 contradict each h other - did you try sk162472 yet ?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, sure I tried but it does not work. The contradiction is quite obvious 🙂
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
RFE is nice, but did you already consult TAC ?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, they confirmed that the limitations is still valid and I need to open a RFE.
