Check Point Security Gateway initiating an IKE negotiation over NAT-T
Symptoms
  • Check Point Security Gateways do not propose using NAT-T during the IKE negotiation.
  • In vpnd.elg you may see:
    SwitchToNatT: Keep on using existing connection
Cause

Before R80.10, Check Point "Maintrain" Security Gateways did not support initiating IKE propositions over NAT-T.

A Security Gateway accepts and supports proposals for industry-standard UDP encapsulation on port 4500, but never initiates such a proposal, unlike the 600, 1100, 1200R and VPN-1 Edge appliances, which do support initiating IKE propositions over NAT-T.
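As an added diagnostic example (not part of this article or of Check Point's code), the script below reads IKE flow records captured on the gateway and tells, per peer, whether the gateway initiated IKE directly on UDP 500, initiated over NAT-T on UDP 4500, or only responded over NAT-T; it also flags the vpnd.elg symptom quoted above. The gateway address, peer addresses and log lines are constructed.

```python
"""Classify a Security Gateway's IKE role per peer from flow records.

Constructed diagnostic example. Flow records are (time, src_ip, src_port,
dst_ip, dst_port) tuples; vpnd.elg content is a list of text lines.
"""

LOCAL_GW = "192.0.2.1"      # constructed: the Security Gateway's own address
IKE_PORT = 500              # plain IKE
NAT_T_PORT = 4500           # IKE/ESP with NAT-T UDP encapsulation
SYMPTOM = "SwitchToNatT: Keep on using existing connection"


def classify_ike_sessions(flows, local_ip=LOCAL_GW):
    """Return {peer_ip: 'initiator|responder/ike|nat-t'}.

    The first IKE packet seen per peer decides the role: if the gateway sent
    it, the gateway is the initiator; the destination port tells whether the
    negotiation was proposed over NAT-T (4500) or plain IKE (500).
    """
    roles = {}
    for _time, src, _sport, dst, dport in sorted(flows):
        if dport not in (IKE_PORT, NAT_T_PORT):
            continue                      # not IKE traffic
        if src == local_ip:
            peer, who = dst, "initiator"
        elif dst == local_ip:
            peer, who = src, "responder"
        else:
            continue                      # transit traffic, not ours
        if peer not in roles:             # keep only the first packet per peer
            encap = "nat-t" if dport == NAT_T_PORT else "ike"
            roles[peer] = f"{who}/{encap}"
    return roles


def natt_fallback_events(elg_lines):
    """Lines in vpnd.elg showing the gateway declined to switch to NAT-T."""
    return [line for line in elg_lines if SYMPTOM in line]


# Constructed sample data: one peer initiates NAT-T towards us, we initiate
# plain IKE to a second peer and NAT-T to a third (R80.10 initiator enabled).
FLOWS = [
    (1.0, "198.51.100.7", 4500, LOCAL_GW, 4500),
    (1.1, LOCAL_GW, 4500, "198.51.100.7", 4500),
    (2.0, LOCAL_GW, 500, "203.0.113.9", 500),
    (3.0, LOCAL_GW, 4500, "203.0.113.20", 4500),
]
ELG_LINES = [
    "[vpnd] IKE: peer 203.0.113.9 behind NAT detected",
    "[vpnd] SwitchToNatT: Keep on using existing connection",
]

if __name__ == "__main__":
    for peer, role in classify_ike_sessions(FLOWS).items():
        print(f"{peer}: {role}")
    print(f"NAT-T fallback events: {len(natt_fallback_events(ELG_LINES))}")
```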


Solution

The NAT-T initiator capability was introduced in R80.10, but it is disabled by default.

You can enable or disable it per gateway with the GuiDBedit Tool via the offer_nat_t_initator parameter.

1. It is recommended to make a proper backup of the Management Server or Domain Management Server.

2. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).

3. Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.

4. In the upper left pane, go to Table - Network Objects - network_objects.

5. In the upper right pane, select the relevant Security Gateway / Cluster object.

6. Press CTRL+F (or go to Search menu - Find) - paste offer_nat_t_initator - click on Find Next.

7. In the lower pane, right-click on the offer_nat_t_initator - select Edit... - set the value to "true" to enable (default is "false").

8. Save and exit the GuiDBedit Tool.

9. Open SmartConsole and push policy.

Note: NAT-T initiator capability is not supported in R80.10 on VSX, as per the VPN section of sk110519.

Note: In R80.10, IKEv2 supports NAT-T initiator for gateways.


Pre-R80.10

Check Point Security Gateways only support answering NAT-T proposals from the peer gateway, and only when all of the following conditions are met:

  • The peer gateway has to be a "dynamic" gateway without a fixed IP address.
  • Certificate-based authentication must be used for the VPN community.
  • The remote end has to initiate the NAT-T request.
