This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Michael_Horne
Advisor
‎2021-09-27 01:37 AM

Enable NAT Traversal per VPN community

Hello All,

Is there a supported way to enable NAT-T for a specific VPN community only?

As far as I can tell NAT-T can only be activated via SmartConsole for the entire gateway / cluster.  We have one VPN issue, where the remote party is saying that enabling NAT-T will solve the issue. We have had problems in the past when enabling NAT-T on a gateway cluster where the remote end of the VPN will try NAT-T and the checkpoint doesn't and neither end will switch over to use the method of the other gateway. 

We do not want to enable NAT-T on the gateway / cluster for the this Site to site VPN, due to the risk of breaking some of the already existing VPN tunnels.

We would prefer to enable NAT-T for the specific VPN community for testing. if this was possible.

Many thanks,

Michael

0 Kudos
4 Replies
G_W_Albrecht
Legend Legend
Legend
‎2021-09-27 01:44 AM

sk104760: ATRG: VPN Core:

Check Point VPN clients and SMB appliances (600/700/1100/1200R/1400/Edge) will initiate a negotiation with NAT-D payload, so NAT-T can be agreed on. However, Security Gateways currently support responding to negotiation with NAT-D payload, but do not initiate NAT-D themselves.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Michael_Horne
Advisor
‎2021-09-27 01:52 AM
In response to G_W_Albrecht

Is there a way to enable the support for NAT-T per community, and not globally for a gateway / cluster?

We have found, for what ever reason, that enabling this feature globally has caused some VPN tunnels, where neither end is behind a NAT device, to fail.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-09-27 02:11 AM
In response to Michael_Horne

You can only disable answering to NAT-D per GW in IP Sec VPN - VPN Advanced, but not per community.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-09-27 02:28 AM
In response to G_W_Albrecht

sk32664 tells us:

Pre-R80.10

Check Point Security Gateways only supports answering to NAT-T proposals from the peer side gateway when all of the following conditions are met:

  • The peer gateway has to be a "dynamic" gateway without a fixed IP address.
  • Certificate-based authentication must be used for the VPN community.
  • The remote end has to initiate the NAT-T request.

Since R80.10 it is possible to change the behaviour and make CP GWs initiate NAT-T, but this is not the default.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events