Michael_Horne
Collaborator

Enable NAT Traversal per VPN community

Hello All,

Is there a supported way to enable NAT-T for a specific VPN community only?

As far as I can tell, NAT-T can only be activated via SmartConsole for the entire gateway / cluster. We have one VPN issue where the remote party is saying that enabling NAT-T will solve the issue. We have had problems in the past when enabling NAT-T on a gateway cluster, where the remote end of the VPN will try NAT-T and the Check Point doesn't, and neither end will switch over to use the method of the other gateway.

We do not want to enable NAT-T on the gateway / cluster for this site-to-site VPN, due to the risk of breaking some of the already existing VPN tunnels.

We would prefer to enable NAT-T for the specific VPN community for testing, if this were possible.

Many thanks,

Michael

0 Kudos
4 Replies
G_W_Albrecht
Legend

sk104760: ATRG: VPN Core:

Check Point VPN clients and SMB appliances (600/700/1100/1200R/1400/Edge) will initiate a negotiation with NAT-D payload, so NAT-T can be agreed on. However, Security Gateways currently support responding to negotiation with NAT-D payload, but do not initiate NAT-D themselves.

0 Kudos
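To make the NAT-D mechanism referred to above concrete: the two NAT-D payloads carry HASH(CKY-I | CKY-R | IP | Port) over the sender's own address and the address it sees for its peer (RFC 3947), and the receiver compares them with what it sees on the wire. The example below is added here and is not from the thread or from Check Point; the cookies and addresses are constructed, and SHA-1 is assumed as the negotiated hash. It also shows why a gateway that never includes NAT-D as initiator gives its peer nothing to detect NAT from.

```python
import hashlib
import ipaddress
import struct

# Constructed sample ISAKMP cookies (8 bytes each); real ones come from the SA.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port) from RFC 3947 section 4 (IP and port in network order)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def nat_d_payloads(cky_i, cky_r, own_ip, own_port, seen_peer_ip, seen_peer_port):
    """NAT-D payloads a peer sends: first the destination (peer) address as it sees it,
    then its own local address(es)."""
    return [nat_d_hash(cky_i, cky_r, seen_peer_ip, seen_peer_port),
            nat_d_hash(cky_i, cky_r, own_ip, own_port)]


def detect_nat(cky_i, cky_r, received, my_ip, my_port, src_ip, src_port):
    """Compare received NAT-D hashes with the addresses actually seen on the wire.

    Returns (peer_behind_nat, self_behind_nat), or None when the sender included no
    NAT-D payloads at all (nothing to compare, so NAT-T cannot be negotiated).
    """
    if not received:
        return None
    dst_hash, *src_hashes = received
    # Sender's view of my address differs from my real address => I am behind NAT.
    self_nat = dst_hash != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    # None of the sender's own addresses matches the source I see => peer is behind NAT.
    peer_nat = nat_d_hash(cky_i, cky_r, src_ip, src_port) not in src_hashes
    return peer_nat, self_nat


def demo():
    # Constructed scenario: responder gateway at 198.51.100.1, peer at private 10.0.0.5
    # whose packets arrive from 203.0.113.7 after NAT.
    from_peer = nat_d_payloads(CKY_I, CKY_R, "10.0.0.5", 500, "198.51.100.1", 500)
    natted = detect_nat(CKY_I, CKY_R, from_peer, "198.51.100.1", 500, "203.0.113.7", 500)
    # Same exchange, but the initiator sent no NAT-D payloads.
    silent = detect_nat(CKY_I, CKY_R, [], "198.51.100.1", 500, "203.0.113.7", 500)
    return natted, silent


if __name__ == "__main__":
    print(demo())
```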
Michael_Horne
Collaborator

Is there a way to enable the support for NAT-T per community, and not globally for a gateway / cluster?

We have found, for whatever reason, that enabling this feature globally has caused some VPN tunnels, where neither end is behind a NAT device, to fail.

0 Kudos
G_W_Albrecht
Legend

You can only disable answering to NAT-D per GW in IPSec VPN - VPN Advanced, but not per community.

0 Kudos
G_W_Albrecht
Legend

sk32664 tells us:

Pre-R80.10

Check Point Security Gateways only support answering to NAT-T proposals from the peer-side gateway when all of the following conditions are met:

  • The peer gateway has to be a "dynamic" gateway without a fixed IP address.
  • Certificate-based authentication must be used for the VPN community.
  • The remote end has to initiate the NAT-T request.

Since R80.10 it is possible to change the behaviour and make CP GWs initiate NAT-T, but this is not the default.

0 Kudos