Re: Not Up, VPN site to site with NAT

DaoSon · ‎2025-05-08

I have the vpn site to site between checkpoint and fortigate as below ( NAT only at checkpoint )

I have referenced and configured many guides but tunnel still does not work.

The log on the Fortigate reports that phase 2 is failing ( when no use NAT , everythings is good )

Pls, help me this issue ( nextime, we will swap ASA to checkpoint )

My device runs os 81.20

My configuration is as pictures below.

Thank,

PhoneBoy · ‎2025-05-08

It's far better to post screenshots inline in the editor rather than as attachments, FYI.

The fact it works without NAT occurring on the Check Point side suggests the Fortigate isn't configured correctly to account for the NAT addresses.

Lesley · ‎2025-05-08

8.png -> change from host to subnet. if this not works change to gateway. Both changes require policy push.

topo i cannot read so cannot double check encryption domains / nat table. Also make sure disable nat option is disabled in the vpn community.

-------
Please press "Accept as Solution" if my post solved it 🙂

the_rock · ‎2025-05-08

Apart from what guys said, make sure below are set to FALSE on CP side from guidbedit.

Andy

ike_enable_supernet

ike_p2_enable_supernet_from_R80.20

ike_use_largest_possible_subnets

Best,
Andy

Are you a member of CheckMates?