This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Stephan_Kremer
Participant
‎2019-09-30 11:28 PM

Force NAT-T for S2S VPN with two DAIP locally managed appliances

Hi all,

 

I have two locally managed DAIP gateways (620 & 730). I need to create a site-to-site VPN between them:

 

620 -----> NAT device ------> Internet ------> NAT device -----> 730

 

730 is configured that only remote site opens the connection. 620 is using the hostname to open the connection. Authentication is based on certificates and IKEv1 is used. Using the hostname to connect, NAT-T is not used and so the tunnel is not established. If I temporary change the connection from hostname to IP between static NAT, then the tunnel comes up because NAT-T is used.

My question: how can I force the gateway to use NAT-T when connecting to a hostname instead of an IP?

 

Many thanks,

 

Stephan

0 Kudos
9 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-09-30 11:58 PM

This is explained in sk162472: How to force NAT-T on Gaia Embedded devices

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Stephan_Kremer
Participant
‎2019-10-01 12:32 AM
In response to G_W_Albrecht

I will give it a try later on, sounds promising. Thanks!

0 Kudos
Stephan_Kremer
Participant
‎2019-10-01 08:08 AM
In response to G_W_Albrecht

I gave it a try, but there is a known limitation that seems to match exactly my environment:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

ID: 01620625

 

Does anybody know if there is a workaround or fix available, so would it make sense to open a SR?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-04 10:13 PM
In response to Stephan_Kremer

This would most likely require an RFE to address.
0 Kudos
Stephan_Kremer
Participant
‎2019-10-05 11:42 PM
In response to PhoneBoy

Yes, I opened a RFE. Let‘s see what happens. Thanks. 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-10-09 06:12 AM
In response to Stephan_Kremer

I think that sk105380 and sk162472 contradict each h other - did you try sk162472 yet ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Stephan_Kremer
Participant
‎2019-10-09 06:30 AM
In response to G_W_Albrecht

Yes, sure I tried but it does not work. The contradiction is quite obvious 🙂

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-10-09 06:32 AM
In response to Stephan_Kremer

RFE is nice, but did you already consult TAC ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Stephan_Kremer
Participant
‎2019-10-09 06:40 AM
In response to G_W_Albrecht

Yes, they confirmed that the limitations is still valid and I need to open a RFE.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events
    Top