Some versions of Check Point firmware do not conform to NAT-T standards and are incapable of maintaining a stable connection to VNS3 devices with NAT-T enabled.  In some cases the connection will "flip" from Native IPsec to NAT-T, causing a mismatch and breaking connectivity.  Since R80.10, NAT-T is workable, although the flipping issue persists.

In both cases, forcing NAT-T enabled or disabled using Check Point's GuiDBedit tool can resolve the issue.  In earlier versions, only NAT-T disabled will work; in versions since R80.10, either option will work so long as is it forced in this way.

Once GuiDBedit is open (see, the process for setting the relevant variables is this:

- In the left pane, click TABLE > Network Objects > network_objects

- In the right pane, select the relevant gateway object

- In the bottom pane, see "VPN"

- Set all three of these variables to either "true" or "false": offer_nat_t_initator, offer_nat_t_responder_for_known_gw, force_nat_t