In versions R77.30 and lower, Check Point Security Gateways did not support initiating IKE proposals over NAT-T.

A Security Gateway accepts and supports proposals for industry-standard UDP encapsulation over the UDP port 4500, but never initiates a proposal.

Note - The SMB Appliances 600, 1100, 1200R, and the VPN-1 Edge Devices do support initiating IKE propositions over NAT-T.

Background

The NAT-T initiator capability was introduced in the R80.10 version.

You can control the Security Gateway behavior with the offer_nat_t_initator parameter in the Security Gateway object properties.

Parameter Value	Security Gateway Behavior	Notes
false	Security Gateway does not initiate IKE proposals over NAT-T.	This is the default value in: R81 Jumbo Hotfix - Take 29 and lower R80.40 Jumbo Hotfix - Take 118 and lower R80.30 Jumbo Hotfix - Take 236 and lower R80.20 R80.10
true	Security Gateway initiates IKE proposals over NAT-T.	This is the default value in (see VPNS2S-2235): R81.10 and higher R81 Jumbo Hotfix - from Take 34 R80.40 Jumbo Hotfix - from Take 119 R80.30 Jumbo Hotfix - from Take 237

Configuration

To change the value of the parameter:

1. Connect with SmartConsole to the Security Management Server / applicable Domain Management Server.

2. In the top left corner, click Menu > Database Revision Control > create a revision snapshot.

   Note: Database Revision Control is not supported for VSX objects (sk65420) and Endpoint Security Servers.

   In addition, refer to:

   • sk108902 - Best Practices - Backup on Gaia OS
   • sk91400 - System Backup and Restore feature in Gaia
   • sk98153 - How to take a snapshot of Endpoint Security Management Server database

3. Close all SmartConsole windows.

   Verify by running the "cpstat mg" command on Security Management Server / in the context of each Domain Management Server.

4. Connect with Database Tool (GuiDBedit Tool) to the Security Management Server / Domain Management Server.

5. In the upper left pane, go to Table > Network Objects > network_objects.

6. In the upper right pane, select the Security Gateway / Cluster object.

7. Press CTRL+F (or go to Search menu > Find) > paste offer_nat_t_initator > click Find Next.

8. In the lower pane, right-click on the offer_nat_t_initator > select Edit > select the applicable value > click OK.

9. Save the changes: go to the File menu > click Save All.

10. Close the Database Tool (GuiDBedit Tool).

11. Connect with SmartConsole to the Security Management Server / Domain Management Server.

12. Install the Security Policy onto the applicable Security Gateway / Cluster.

Limitations

• Check Point Security Gateways R80.10 in VSX mode do not support NAT-T initiation (see the VPN section in sk110519).

• Check Point Security Gateways R80.10 support NAT-T initiation in IKEv2.

• Check Point Security Gateways R77.30 and lower only support answering to NAT-T proposals from the VPN peer when all of these conditions are met:

  1. The peer gateway has a dynamically assigned IP address (DAIP).
  2. VPN community uses certificate-based authentication.
  3. The peer gateway initiates the NAT-T.

Related Solutions

• sk177823 - VPN uses NAT-T after installing a Jumbo Hotfix Accumulator or an upgrade to R81.10 or higher

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.