Daniel_Bourne
Participant

Site-to-site VPN, IKEv2 and NAT-T issue: impact of disabling "Support NAT-T" on the gateway

So I have a site-to-site VPN with a Cisco ASA device from my clustered 5100 firewalls. The tunnel comes up, but they cannot see any traffic coming from my side. I believe the issue is with IKEv2 and the "Support NAT-T" setting on the gateway, according to SK5390.

I have about 40 site-to-site VPNs configured and only this one is using IKEv2. We also have Check Point Mobile clients connecting in to our 5100. What is the impact if I disable the option "Support NAT-T" on the gateway for the Check Point Mobile clients? Is there a way to disable NAT-T for just one site-to-site VPN?


Thanks,

G_W_Albrecht
Legend

Oh, you have a 5100! I just worked 20 min to answer your question as if you had a 1500 SMB ☹️. Bad place to post it, on SMB...

Daniel_Bourne
Participant

Sorry, I thought that was the correct area. Not sure how to change that or delete the post, unfortunately.


G_W_Albrecht
Legend

Has been relocated thanks to @PhoneBoy, I guess 😎 - that is how it is done...

PhoneBoy
Admin

Yes, threads can only be moved by admins 🙂

Timothy_Hall
Champion

My recommendation for interoperable VPNs is to try IKEv2 with them, but do not hesitate to return to IKEv1 if there are any problems. I'm not sure where you got that SK number, but I think this is the one you want:

sk165003: When Security Gateway initiates VPN tunnel with 3rd Party peer using IKEv2, VPN tunnel is ...

Also possible that your situation is a known bug on the Cisco side, see here:

VPN issue with IKEv2 and Cisco ASA


"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
the_rock
Mentor

Message me privately, we can do a remote session... I hope I would be able to help you.


Andy
