NAT Traversal needs to be enabled for remote peer

Hi,

We need to enable NAT Traversal for one of our customer peer gateways. On the customer end only UDP port 4500 is allowed for negotiation. I have enabled NAT Traversal on our gateway, but traffic initiation is on port 500, and due to that phase 1 is not coming up.

What to do in this scenario?

We have an R80.20 standalone gateway with Take 117.

Timothy_Hall
Champion

If I remember correctly, the gateways detect whether NAT exists between them in IKEv1 main mode packets 3 and 4, then NAT-T on UDP 4500 starts at IKEv1 packet 5 if needed. So even if NAT-T is forced from the start, I'm pretty sure IKEv1 will still use UDP 500 in main mode packets 1-4, which would be expected behavior. If you are failing out after IKEv1 main mode packet 2, it is just a settings mismatch (encryption, hashing, etc.) that you need to correct.

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
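To make the packet-3/packet-4 NAT detection and the port float at packet 5 concrete, here is a small walk-through of the RFC 3947 NAT-D mechanism. It is an added example, not code from the thread or from Check Point: the cookies and IP addresses are constructed, the NAT-D hash is the one RFC 3947 defines (SHA-1 over CKY-I, CKY-R, IP address and port), and the per-message port plan follows the behaviour described above (UDP 500 for main mode messages 1-4, UDP 4500 from message 5 once NAT is detected).

```python
"""IKEv1 NAT-D detection (RFC 3947) and the resulting UDP port plan.

Added illustration; all cookies and addresses below are constructed.
"""
import hashlib
import ipaddress
import struct

IKE_PORT = 500      # ISAKMP, used for main mode messages 1-4
NAT_T_PORT = 4500   # NAT-T, used from main mode message 5 when NAT is detected


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 section 3.2: NAT-D = SHA-1(CKY-I | CKY-R | IP | Port)."""
    ip_bytes = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + ip_bytes + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """Payloads a peer puts in main mode message 3 or 4.

    The first NAT-D covers the address it is sending TO, the second covers
    its own address as it believes it to be (i.e. before any NAT)."""
    return {
        "remote": nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
        "local": nat_d_hash(cky_i, cky_r, local_ip, local_port),
    }


def detect_nat(cky_i, cky_r, received, observed_src_ip, observed_src_port, own_ip, own_port):
    """Receiver side: recompute the hashes over the addresses actually seen on
    the wire. A mismatch on the peer's own-address hash means the peer sits
    behind NAT; a mismatch on the hash of our address means we do."""
    peer_behind_nat = received["local"] != nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    we_behind_nat = received["remote"] != nat_d_hash(cky_i, cky_r, own_ip, own_port)
    return peer_behind_nat, we_behind_nat


def port_plan(nat_detected: bool) -> dict:
    """UDP destination port per IKEv1 message: the float to 4500 only happens
    after NAT-D has been exchanged, so MM1-MM4 are always on 500."""
    plan = {f"MM{i}": IKE_PORT for i in range(1, 7)}
    plan["QM"] = IKE_PORT
    if nat_detected:
        for msg in ("MM5", "MM6", "QM"):
            plan[msg] = NAT_T_PORT
    return plan


def first_packet_accepted(peer_allowed_ports: set) -> bool:
    """Does the peer's filter even let main mode message 1 through?
    This is the failure mode when a peer only permits UDP 4500."""
    return port_plan(nat_detected=True)["MM1"] in peer_allowed_ports


def demo():
    # Constructed scenario: initiator on a private address behind NAT,
    # seen by the responder with a public source address; responder is not NATed.
    cky_i = bytes.fromhex("0011223344556677")
    cky_r = bytes.fromhex("8899aabbccddeeff")
    initiator_private, nat_public, responder_ip = "10.0.0.5", "203.0.113.10", "198.51.100.1"

    payloads = build_nat_d_payloads(cky_i, cky_r, initiator_private, IKE_PORT, responder_ip, IKE_PORT)
    peer_nat, own_nat = detect_nat(cky_i, cky_r, payloads, nat_public, IKE_PORT, responder_ip, IKE_PORT)
    return {
        "peer_behind_nat": peer_nat,
        "we_behind_nat": own_nat,
        "ports": port_plan(peer_nat or own_nat),
        "mm1_accepted_by_4500_only_peer": first_packet_accepted({NAT_T_PORT}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the responder correctly flagging the initiator as NATed, main mode messages 1-4 still addressed to UDP 500, and message 1 being rejected by a peer whose filter admits only UDP 4500; that last line is exactly the situation the original poster describes, and it is why opening UDP 500 on the peer side (or having the peer originate on 4500) matters regardless of how NAT-T is configured locally.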
Ana_11
Participant

Hi @Timothy_Hall ,

The tunnel is failing in phase 1 at MM1. On the peer end only port 4500 is allowed for this VPN tunnel negotiation. We have a Juniper on the peer end, and from the logs it is stating that there is some port discrepancy and the peer end is expecting the first packet on port 4500.
Timothy_Hall
Champion

Have you set offer_nat_t_initiator as specified in sk32664: Check Point Security Gateway initiating an IKE negotiation over NAT-T?

Beyond that, there are many, many VPN fixes in the latest Jumbo HFA for R80.20, which is Take 188. I don't see any fixes that are directly relevant to your reported problem, but there are quite a few fixes involving NAT-T present. I'd say that is probably your next course of action, as there is no point in chasing a bug that has probably already been fixed. The latest Jumbo HFA also has a knack for fixing various VPN interoperability issues as well in my experience.