Check Point Security Gateway initiating an IKE negotiation over NAT-T
Symptoms
  • Check Point Security Gateways do not propose using NAT-T during the IKE negotiation.
  • In vpnd.elg you may see:
    SwitchToNatT: Keep on using existing connection
Cause

Before R80.10, Check Point "Maintrain" Security Gateways did not support initiating IKE propositions over NAT-T.

A Security Gateway will accept and support proposals for industry-standard UDP encapsulation on port 4500, but will never initiate such a proposal, unlike the 600, 1100, 1200R and VPN-1 Edge Appliances, which do support initiating IKE propositions over NAT-T.


Solution

The NAT-T initiator capability was introduced in R80.10 by adding the offer_nat_t_initator kernel parameter, but by default it is disabled.

  • Starting from R81 Jumbo Hotfix Take 36, this parameter is enabled by default.

  • Before this, to enable/disable it per gateway, use GuiDbEdit:
    1. It is recommended to make a proper backup of Management Server or Domain Management Server.
    2. Close all SmartConsole windows.
    3. Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.
    4. In the upper left pane, go to Table - Network Objects - network_objects.
    5. In the upper right pane, select the relevant Security Gateway / Cluster object.
    6. Press CTRL+F (or go to Search menu - Find) - paste offer_nat_t_initator - click on Find Next.
    7. In the lower pane, right-click on the offer_nat_t_initator - select Edit... - set the value to "true" to enable (default is "false").
    8. Save and exit the GuiDBedit Tool.
    9. Open SmartConsole and push policy.

Note: 

  • NAT-T initiator capability is not supported in R80.10 on VSX, as per the VPN section of sk110519.
  • In R80.10, IKEv2 supports NAT-T initiator for gateways.


For pre-R80.10

Check Point Security Gateways only support answering NAT-T proposals from the peer gateway when all of the following conditions are met:

  • The peer gateway has to be a "dynamic" gateway without a fixed IP address.
  • Certificate-based authentication must be used for the VPN community.
  • The remote end has to initiate the NAT-T request.
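The following triage helper is an added example written for this article, not Check Point code. It scans a constructed vpnd.elg excerpt for the symptom line and applies the rules stated above (pre-R80.10 responder-only behaviour, the R80.10 VSX exception, the offer_nat_t_initator setting, and the R81 Jumbo Take 36 default). The version parser, the log sample and the treatment of releases newer than R81 are assumptions.

```python
import re

# Constructed vpnd.elg excerpt (not a real capture) that carries the symptom line.
SAMPLE_VPND_ELG = """\
[vpnd 1234 5678]@gw1[1 Jan 00:00:00] SwitchToNatT: Keep on using existing connection
[vpnd 1234 5678]@gw1[1 Jan 00:00:01] IKE: sending packet to peer
"""
SYMPTOM = "SwitchToNatT: Keep on using existing connection"

def parse_version(v):
    """'R80.10' -> (80, 10); 'R81' -> (81, 0). Assumed version-string format."""
    m = re.fullmatch(r"R(\d+)(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return int(m.group(1)), int(m.group(2) or 0)

def can_initiate_natt(version, offer_flag=None, jumbo_take=0, is_vsx=False):
    """Will this gateway *initiate* IKE over NAT-T, per the rules in this sk?
    offer_flag is the offer_nat_t_initator value (None = left at its default)."""
    v = parse_version(version)
    if v < (80, 10):
        return False                  # pre-R80.10: responder only
    if v == (80, 10) and is_vsx:
        return False                  # R80.10 VSX: initiator not supported
    if offer_flag is not None:
        return bool(offer_flag)       # explicit GuiDBedit setting wins
    # Default is false until R81 Jumbo Take 36. Assumption (not in the sk):
    # releases newer than R81 keep the enabled default.
    return v > (81, 0) or (v == (81, 0) and jumbo_take >= 36)

def can_answer_natt_pre_r8010(peer_dynamic_ip, cert_auth, remote_initiates):
    """Pre-R80.10 gateways answer NAT-T only when all three conditions hold."""
    return bool(peer_dynamic_ip and cert_auth and remote_initiates)

def find_symptom(elg_text):
    """1-based line numbers in a vpnd.elg excerpt that contain the symptom."""
    return [n for n, line in enumerate(elg_text.splitlines(), 1) if SYMPTOM in line]

def triage(elg_text, version, **gw):
    """Combine the log symptom with the gateway facts into a short verdict."""
    hits = find_symptom(elg_text)
    if not hits:
        return "no NAT-T symptom in log"
    if can_initiate_natt(version, **gw):
        return f"symptom at lines {hits} but initiator is enabled; verify policy was pushed"
    return f"symptom at lines {hits}: gateway will not initiate NAT-T; apply the sk steps"

if __name__ == "__main__":
    print(triage(SAMPLE_VPND_ELG, "R80.10"))
```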
