This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Bourne
Participant
‎2021-01-29 02:05 AM

site to site VPN, IKEv2 and Nat-T issue, Impact of disabling "support Nat-t" on Gateway

So I have a site to site VPN with a Cisco ASA device from my Clustered 5100 firewalls.  The tunnel comes up, but they cannot see any traffic coming from my side.  I believe the issue is with IKEV2 and the "support Nat-t" on Gateway according to SK5390.

I have about 40 site to site VPNS configured and only this one is using IKEv2. We also have checkpoint mobile clients connecting in to our 5100.  What is the impact if I disable the option to "Support NAT-T" on the gateway for the checkpoint mobile clients?  Is there a way to disable NAT-T for just one site to site VPN?

 

Thanks,

0 Kudos
6 Replies
G_W_Albrecht
Legend Legend
Legend
‎2021-01-29 03:33 AM

Oh, you have a 5100 ! I just worked 20min to answer your question as if you had a 1500 SMB ☹️. Bad place, to post it on SMB...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Daniel_Bourne
Participant
‎2021-01-29 04:36 AM
In response to G_W_Albrecht

Sorry, I thought that was the correct area.  Not sure how to change that or delete the post unfortunately.

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-01-30 01:47 AM
In response to Daniel_Bourne

Has been relocated thanks to @PhoneBoy i guess 😎 -  that is how it is done...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
PhoneBoy
Admin
Admin
‎2021-02-01 02:51 PM
In response to G_W_Albrecht

Yes, threads can only be moved by admins 🙂

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2021-01-29 05:48 AM

My recommendation for interoperable VPNs is to try IKEv2 with them, but do not hesitate to return to IKEv1 if there are any problems.  I'm not sure where you got that SK number, but I think this is the one you want:

sk165003: When Security Gateway initiates VPN tunnel with 3rd Party peer using IKEv2, VPN tunnel is ...

Also possible that your situation is a known bug on the Cisco side, see here:

VPN issue with IKEv2 and Cisco ASA

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
the_rock
Legend
Legend
‎2021-01-29 05:52 AM

Message me privately, we can do remote session...I hope I would be able to help you.

 

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events