In versions R77.30 and lower, Check Point Security Gateways did not support initiating IKE proposals over NAT-T.
A Security Gateway accepts and supports proposals for industry-standard UDP encapsulation over the UDP port 4500, but never initiates a proposal.
Note - The SMB Appliances 600, 1100, 1200R, and the VPN-1 Edge Devices do support initiating IKE propositions over NAT-T.
The NAT-T initiator capability was introduced in the R80.10 version.
You can control the Security Gateway behavior with the offer_nat_t_initator parameter in the Security Gateway object properties.
To change the value of the parameter:
Connect with SmartConsole to the Security Management Server / applicable Domain Management Server.
In the top left corner, click Menu > Database Revision Control > create a revision snapshot.
Note: Database Revision Control is not supported for VSX objects (sk65420) and Endpoint Security Servers.
In addition, refer to:
Close all SmartConsole windows.
Verify by running the "cpstat mg" command on Security Management Server / in the context of each Domain Management Server.
Connect with Database Tool (GuiDBedit Tool) to the Security Management Server / Domain Management Server.
In the upper left pane, go to Table > Network Objects > network_objects.
In the upper right pane, select the Security Gateway / Cluster object.
Press CTRL+F (or go to Search menu > Find) > paste offer_nat_t_initator > click Find Next.
In the lower pane, right-click on the offer_nat_t_initator > select Edit > select the applicable value > click OK.
Save the changes: go to the File menu > click Save All.
Close the Database Tool (GuiDBedit Tool).
Connect with SmartConsole to the Security Management Server / Domain Management Server.
Install the Security Policy onto the applicable Security Gateway / Cluster.
Check Point Security Gateways R80.10 in VSX mode do not support NAT-T initiation (see the VPN section in sk110519).
Check Point Security Gateways R80.10 support NAT-T initiation in IKEv2.
Check Point Security Gateways R77.30 and lower only support answering to NAT-T proposals from the VPN peer when all of these conditions are met:
- The peer gateway has a dynamically assigned IP address (DAIP).
- VPN community uses certificate-based authentication.
- The peer gateway initiates the NAT-T.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.