Check Point Security Gateway initiating an IKE negotiation over NAT-T
Symptoms
  • Check Point Security Gateway does not propose using NAT-T during the IKE negotiation.

  • The $FWDIR/log/vpnd.elg file on the Security Gateway might contain this line:

    SwitchToNatT: Keep on using existing connection

Cause

In versions R77.30 and lower, Check Point Security Gateways did not support initiating IKE proposals over NAT-T.

A Security Gateway accepts and supports proposals for industry-standard UDP encapsulation over the UDP port 4500, but never initiates a proposal.

Note - The SMB Appliances 600, 1100, 1200R, and the VPN-1 Edge Devices do support initiating IKE proposals over NAT-T.


Solution

Background

The NAT-T initiator capability was introduced in the R80.10 version.

You can control the Security Gateway behavior with the offer_nat_t_initator parameter in the Security Gateway object properties.

Parameter Value | Security Gateway Behavior                                    | Notes
----------------+--------------------------------------------------------------+--------------------------------------------------
false           | Security Gateway does not initiate IKE proposals over NAT-T. | This is the default value in:
true            | Security Gateway initiates IKE proposals over NAT-T.         | This is the default value in (see VPNS2S-2235):


Configuration

To change the value of the parameter:

  1. Connect with SmartConsole to the Security Management Server / applicable Domain Management Server.

  2. In the top left corner, click Menu > Database Revision Control > create a revision snapshot.

    Note: Database Revision Control is not supported for VSX objects (sk65420) and Endpoint Security Servers.

    In addition, refer to:

  3. Close all SmartConsole windows.

    Verify by running the "cpstat mg" command on Security Management Server / in the context of each Domain Management Server.

  4. Connect with Database Tool (GuiDBedit Tool) to the Security Management Server / Domain Management Server.

  5. In the upper left pane, go to Table > Network Objects > network_objects.

  6. In the upper right pane, select the Security Gateway / Cluster object.

  7. Press CTRL+F (or go to Search menu > Find) > paste offer_nat_t_initator > click Find Next.

  8. In the lower pane, right-click on the offer_nat_t_initator > select Edit > select the applicable value > click OK.

  9. Save the changes: go to the File menu > click Save All.

  10. Close the Database Tool (GuiDBedit Tool).

  11. Connect with SmartConsole to the Security Management Server / Domain Management Server.

  12. Install the Security Policy onto the applicable Security Gateway / Cluster.


Limitations

  • Check Point Security Gateways R80.10 in VSX mode do not support NAT-T initiation (see the VPN section in sk110519).

  • Check Point Security Gateways R80.10 support NAT-T initiation in IKEv2.

  • Check Point Security Gateways R77.30 and lower only support answering NAT-T proposals from the VPN peer when all of these conditions are met:

    1. The peer gateway has a dynamically assigned IP address (DAIP).
    2. VPN community uses certificate-based authentication.
    3. The peer gateway initiates the NAT-T.

