Before R80.10, Check Point "Maintrain" Security Gateways did not support initiating IKE propositions over NAT-T.

A Security Gateway will accept and support proposals for industry UDP encapsulation behind port 4500, but will never initiate a proposal, unlike 600, 1100, 1200R and VPN-1 Edge Appliances that do support initiating IKE propositions over NAT-T.

The NAT-T initiator capability was introduced in R80.10 by adding the offer_nat_t_initator kernel parameter but by default it is disabled.

• Starting from R81 Jumbo Hotfix Take 36, this parameter is enabled by default
  
  
• Before this, to enable/disable it per gateway, use GuiDbEdit:
  1. It is recommended to make a proper backup of Management Server or Domain Management Server.
  2. Close all SmartConsole windows.
  3. Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.
  4. In the upper left pane, go to Table - Network Objects - network_objects.
  5. In the upper right pane, select the relevant Security Gateway / Cluster object.
  6. Press CTRL+F (or go to Search menu - Find) - paste offer_nat_t_initator - click on Find Next.
  7. In the lower pane, right-click on the offer_nat_t_initator - select Edit... - set the value to "true" to enable (default is "false").
  8. Save and exit the GuiDBedit Tool.
  9. Open SmartConsole and push policy.

Note: 

• NAT-T initiator capability is not supported in R80.10 on VSX, as per the VPN section of sk110519.
• In R80.10, IKEv2 supports NAT-T initiator for gateways.

 

For pre-R80.10

Check Point Security Gateways only supports answering to NAT-T proposals from the peer side gateway when all of the following conditions are met:

• The peer gateway has to be a "dynamic" gateway without a fixed IP address.
• Certificate-based authentication must be used for the VPN community.
• The remote end has to initiate the NAT-T request.