Before R80.10, Check Point "Maintrain" Security Gateways did not support initiating IKE proposals over NAT-T.
A Security Gateway will accept and support proposals using industry-standard UDP encapsulation on port 4500, but will never initiate such a proposal itself, unlike the 600, 1100 and 1200R appliances and VPN-1 Edge appliances, which do support initiating IKE proposals over NAT-T.
The NAT-T initiator capability was introduced in R80.10 with the offer_nat_t_initator kernel parameter, but by default it is disabled.
- Starting from R81 Jumbo Hotfix Take 36, this parameter is enabled by default.
- Before that, to enable or disable it per gateway, use the GuiDBedit Tool:
  - It is recommended to make a proper backup of the Management Server or Domain Management Server first.
  - Close all SmartConsole windows.
  - Connect with the GuiDBedit Tool to the Security Management Server / Domain Management Server.
  - In the upper left pane, go to Table - Network Objects - network_objects.
  - In the upper right pane, select the relevant Security Gateway / Cluster object.
  - Press CTRL+F (or go to Search menu - Find), paste offer_nat_t_initator and click Find Next.
  - In the lower pane, right-click offer_nat_t_initator, select Edit... and set the value to "true" to enable it (the default is "false").
  - Save and exit the GuiDBedit Tool.
  - Open SmartConsole and install the policy on the gateway.
Note:
- NAT-T initiator capability is not supported in R80.10 on VSX, as per the VPN section of sk110519.
- In R80.10, IKEv2 supports NAT-T initiator for gateways.
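After installing policy, the practical check is whether the gateway now sends the first UDP 4500 packet of a tunnel rather than only answering one. The helper below is an added example, not code from Check Point or this article: it parses tcpdump-style output (the sample lines and all IP addresses are constructed) and reports, per peer, whether the local gateway was the NAT-T initiator or the responder.

```python
import re

# Constructed sample in the style of "tcpdump -nn udp port 500 or udp port 4500"
# run on the gateway. 192.0.2.10 plays the local gateway; the other addresses
# are made-up peers. Port 500 lines are plain IKE and are ignored on purpose.
SAMPLE_CAPTURE = """\
10:00:01.000000 IP 192.0.2.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
10:00:01.020000 IP 198.51.100.20.500 > 192.0.2.10.500: isakmp: phase 1 R ident
10:00:01.040000 IP 192.0.2.10.4500 > 198.51.100.20.4500: NONESP-encap: isakmp: phase 1 I ident
10:00:01.060000 IP 198.51.100.20.4500 > 192.0.2.10.4500: NONESP-encap: isakmp: phase 1 R ident
10:00:05.000000 IP 203.0.113.7.4500 > 192.0.2.10.4500: NONESP-encap: isakmp: phase 1 I ident
10:00:05.020000 IP 192.0.2.10.4500 > 203.0.113.7.4500: NONESP-encap: isakmp: phase 1 R ident
"""

# Matches the "IP src.sport > dst.dport:" part of a tcpdump line.
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def nat_t_roles(capture, local_ip):
    """Return {peer_ip: "initiator" | "responder"} from the local gateway's view.

    The role is decided by who sent the first UDP 4500 (NAT-T) packet between
    the local gateway and each peer; later packets for that peer are ignored.
    """
    roles = {}
    for line in capture.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        src, sport, dst, dport = match.groups()
        if sport != "4500" or dport != "4500":
            continue  # not NAT-T encapsulated traffic
        if src == local_ip:
            peer, local_sent_first = dst, True
        elif dst == local_ip:
            peer, local_sent_first = src, False
        else:
            continue  # traffic between other hosts
        # First packet seen per peer decides the role.
        roles.setdefault(peer, "initiator" if local_sent_first else "responder")
    return roles


if __name__ == "__main__":
    for peer, role in nat_t_roles(SAMPLE_CAPTURE, "192.0.2.10").items():
        print(f"{peer}: local gateway was NAT-T {role}")
```

A gateway still running with the parameter at its default will only ever show up as "responder" in this output.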
For pre-R80.10:
Check Point Security Gateways only support answering NAT-T proposals from the peer gateway when all of the following conditions are met:
- The peer gateway has to be a "dynamic" gateway without a fixed IP address.
- Certificate-based authentication must be used for the VPN community.
- The remote end has to initiate the NAT-T request.