Some versions of Check Point firmware do not conform to the IPsec NAT Traversal standards (RFC 3947/3948) and cannot hold a stable tunnel to a VNS3 device that has NAT-T enabled. In some cases the connection "flips" mid-session from native IPsec (ESP as IP protocol 50, IKE on UDP/500) to NAT-T (ESP and IKE encapsulated in UDP/4500); the two peers then disagree on the encapsulation and traffic stops flowing. From R80.10 onward NAT-T does work, but the flipping can still occur.
In either case, forcing NAT-T to a fixed state (enabled or disabled) on the Check Point gateway object with Check Point's GuiDBedit tool resolves the problem. On versions before R80.10 only forcing NAT-T disabled works; on R80.10 and later either setting works, so long as it is forced in this way. Whichever state you force, the VNS3 side must be configured to match it.
Once GuiDBedit is open (see http://supportcontent.checkpoint.com/solutions?id=sk13009 for how to launch it), set the relevant variables as follows:
- In the left pane, click TABLE > Network Objects > network_objects
- In the right pane, select the relevant gateway object
- In the bottom pane, expand the "VPN" section
- Set all three of these variables to the same value, either "true" (force NAT-T on) or "false" (force NAT-T off): offer_nat_t_initator, offer_nat_t_responder_for_known_gw, force_nat_t
- Save the change (File > Save All) and install policy on the gateway; the new values only take effect after a policy install
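To confirm which encapsulation each peer is actually using, and to catch the flip described above, capture the IKE/ESP traffic on the VNS3 side (or any host on the path) with `tcpdump -n 'esp or udp port 500 or udp port 4500'` and classify each packet by sender. The script below is an added example, not code from Cohesive Networks or Check Point; the capture it parses is constructed to imitate tcpdump's output, using RFC 5737 documentation addresses, and the choice of which address plays the Check Point gateway is an assumption for illustration.

```python
import re
import sys

# Constructed sample of `tcpdump -n 'esp or udp port 500 or udp port 4500'` output.
# Not a real capture. 203.0.113.10 stands in for the Check Point gateway and
# 198.51.100.5 for the VNS3 device (both assumed for illustration). The last
# three lines show the Check Point side moving to UDP/4500 (NAT-T) while the
# VNS3 side keeps sending plain ESP: the mismatch that breaks the tunnel.
SAMPLE_CAPTURE = """\
10:00:01.000100 IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident
10:00:01.004200 IP 198.51.100.5.500 > 203.0.113.10.500: isakmp: phase 1 R ident
10:00:02.100000 IP 203.0.113.10 > 198.51.100.5: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
10:00:02.100300 IP 198.51.100.5 > 203.0.113.10: ESP(spi=0x4e5f6071,seq=0x1), length 132
10:00:31.000000 IP 203.0.113.10.4500 > 198.51.100.5.4500: NONESP-encap: isakmp: phase 2/others I inf
10:00:31.500000 IP 203.0.113.10.4500 > 198.51.100.5.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x2), length 132
10:00:32.000000 IP 198.51.100.5 > 203.0.113.10: ESP(spi=0x4e5f6071,seq=0x2), length 132
"""

# tcpdump -n line: "<ts> IP <src>[.<sport>] > <dst>[.<dport>]: <protocol text>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?"
    r" > (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def classify(line):
    """Return (timestamp, sender, mode) for one tcpdump line, or None if the
    line is not IKE/ESP traffic.  mode is 'native' for ESP carried directly as
    IP protocol 50 or IKE on UDP/500, and 'nat-t' for anything on UDP/4500
    (UDP-encapsulated ESP or IKE with the non-ESP marker)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ports = {m.group("sport"), m.group("dport")} - {None}
    rest = m.group("rest")
    if "4500" in ports:
        mode = "nat-t"
    elif "500" in ports and rest.startswith("isakmp"):
        mode = "native"
    elif not ports and rest.startswith("ESP("):
        mode = "native"
    else:
        return None
    return m.group("ts"), m.group("src"), mode


def find_flips(capture):
    """Walk the capture in order and report every change of encapsulation per
    sender as (timestamp, sender, old_mode, new_mode)."""
    current = {}
    flips = []
    for line in capture.splitlines():
        parsed = classify(line)
        if parsed is None:
            continue
        ts, sender, mode = parsed
        prev = current.get(sender)
        if prev is not None and prev != mode:
            flips.append((ts, sender, prev, mode))
        current[sender] = mode
    return flips


def final_modes(capture):
    """Last encapsulation mode observed from each sender."""
    modes = {}
    for line in capture.splitlines():
        parsed = classify(line)
        if parsed is not None:
            modes[parsed[1]] = parsed[2]
    return modes


def peers_mismatched(capture):
    """True when the peers ended up on different encapsulations, i.e. the
    broken state the text describes."""
    return len(set(final_modes(capture).values())) > 1


if __name__ == "__main__":
    # Usage: python natt_flip.py [capture.txt]; falls back to the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    for ts, who, old, new in find_flips(data):
        print(f"{ts} {who} flipped {old} -> {new}")
    print("final modes:", final_modes(data))
    print("peers mismatched:", peers_mismatched(data))
```

If the report shows one sender on nat-t and the other on native, the tunnel is in the mismatched state; after forcing the Check Point setting as described above, a fresh capture should show both senders on the same mode for the whole session.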