Some versions of Check Point firmware do not conform to NAT-T standards and are incapable of maintaining a stable connection to VNS3 devices with NAT-T enabled.  In some cases the connection will "flip" from Native IPsec to NAT-T, causing a mismatch and breaking connectivity.  Since R80.10, NAT-T is workable, although the flipping issue persists.


In both cases, forcing NAT-T enabled or disabled using Check Point's GuiDBedit tool can resolve the issue. In earlier versions, only NAT-T disabled will work; in versions since R80.10, either option will work so long as it is forced in this way.


Once GuiDBedit is open (see http://supportcontent.checkpoint.com/solutions?id=sk13009), the process for setting the relevant variables is this:


- In the left pane, click TABLE > Network Objects > network_objects

- In the right pane, select the relevant gateway object

- In the bottom pane, see "VPN"

- Set all three of these variables to either "true" or "false": offer_nat_t_initator, offer_nat_t_responder_for_known_gw, force_nat_t