When Security Gateway initiates VPN tunnel with 3rd Party peer using IKEv2, VPN tunnel is forced to NAT-T and traffic fails
Symptoms
  • When the Check Point Security Gateway initiates a VPN tunnel with a 3rd Party peer, NAT-T is forced because the gateway leaves the first interface IP address in the NAT-D payload. The SA is established on UDP port 4500, and then VPN traffic fails.

  • When the 3rd Party peer gateway initiates the VPN tunnel, NAT-T is not used. The SA is established on UDP 500, and VPN works fine.

  • vpnd.elg shows that the gateway uses the first external interface, and the peer responds on UDP/4500:
    [vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: Searching for entry with key <954e14fd,6db29991,00000000,00000000>
    [vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: Not found, will use first external interface
    [vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with IP 10.44.0.20, which is a member interface
    [vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with IP 10.44.0.21, which is a member interface
    [vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with IP 10.44.0.66, which is a member interface
    [vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with IP 10.44.0.67, which is a member interface
    [vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with IP 10.44.2.148, which is a member interface
    [vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with IP 10.44.2.149, which is a member interface
    [vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with IP 10.44.193.27, which is a member interface
    [vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with IP 10.44.193.28, which is a member interface
    [vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with IP 192.168.1.1, which is a member interface
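
An added illustration, not part of the original article and not Check Point code: the NAT detection comparison defined in RFC 7296 section 2.23, showing why a NAT-D payload built from an interface address other than the packet's real source address makes the responder conclude that NAT is present and move the exchange to UDP 4500. The SPI and both IP addresses are constructed sample values (documentation address ranges).

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP data per RFC 7296 2.23: SHA-1(SPIi | SPIr | IP | port).

    SHA-1 is mandated by the protocol here; it is used as a fingerprint, not for integrity.
    """
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 octets each")
    addr = ipaddress.ip_address(ip).packed            # 4 octets for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def responder_sees_nat(spi_i, spi_r, natd_source_payload, observed_ip, observed_port):
    """The responder hashes the source IP/port taken from the packet header and
    compares it with the initiator's NAT_DETECTION_SOURCE_IP payload.
    Any mismatch is treated as "initiator is behind NAT"."""
    expected = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return expected != natd_source_payload


# Constructed sample values (assumptions, not taken from the article)
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes(8)                  # responder SPI is zero in the first IKE_SA_INIT request
SENDING_IP = "192.0.2.10"         # address the packet is actually sent from
FIRST_IFACE_IP = "198.51.100.5"   # a different local interface address


def demo():
    correct = nat_detection_hash(SPI_I, SPI_R, SENDING_IP, 500)
    wrong = nat_detection_hash(SPI_I, SPI_R, FIRST_IFACE_IP, 500)
    return {
        # payload built from the real source address: no NAT detected, stays on UDP 500
        "payload_matches_sender": responder_sees_nat(SPI_I, SPI_R, correct, SENDING_IP, 500),
        # payload built from another interface address: NAT detected, NAT-T on UDP 4500
        "payload_uses_other_interface": responder_sees_nat(SPI_I, SPI_R, wrong, SENDING_IP, 500),
    }


if __name__ == "__main__":
    for case, nat in demo().items():
        print(f"{case}: NAT detected = {nat}")
```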

Solution
Note: To view this solution you need to Sign In.