This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ana_11
Participant
‎2021-03-02 03:22 AM

Nat Traversal needs to be enable for remote peer

Hi 

we need to enable Nat Traversal for one of our customer peer gateway, customer end only UDP 4500 port allowed for negotiation and i have enabled  Nat Traversal is on our Gateway but traffic initiation on port 500  and due to that phase 1 is not coming up. 

What to do in this scenario

We have R80.20 standalone gateway with take_117

 

 

 
 

 

Preview file
22 KB
0 Kudos
3 Replies
Timothy_Hall
Legend Legend
Legend
‎2021-03-02 04:34 AM

If I remember correctly the gateways detect whether NAT exists between them in IKEv1 main mode packets 3 and 4, then NAT-T on UDP 4500 starts at IKEv1 packet 5 if needed.  So even if NAT-T is forced from the start I'm pretty sure IKEv1 will still use UDP 500 in main mode packets 1-4 which would be expected behavior.  If you are failing out after IKEv1 main mode packet 2 it is just a settings mismatch (encryption, hashing, etc.) that you need to correct.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Ana_11
Participant
‎2021-03-02 04:41 AM
In response to Timothy_Hall

Hi @Timothy_Hall ,

the tunnel is getting failed in phase1 MM1. And on the peer end only port 4500 is allowed for this vpn tunnel negotiation. we have juniper in peer end and from logs its stating that there is some port discrepancy and peer end is expecting first packet on port 4500.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2021-03-02 04:57 AM
In response to Ana_11

Have you set offer_nat_t_initator specified in sk32664: Check Point Security Gateway initiating an IKE negotiation over NAT-T?

Beyond that there are many many VPN fixes in the latest Jumbo HFA for R80.20 which is Take 188.  I don't see any fixes that are directly relevant to your reported problem, but there are quite a few fixes involving NAT-T present.  I'd say that is probably your next course of action as there is no point in chasing a bug that has probably already been fixed.  The latest Jumbo HFA also has a knack for fixing various VPN interoperability issues as well in my experience.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events