Resolving Connectivity Issues
IPsec NAT-Traversal
NAT-T (NAT traversal or UDP encapsulation) makes sure that IPsec VPN connections stay open when traffic goes through Security Gateways or devices that use NAT.
When an IP packet passes through a network address translator device, it is changed in a way that is not compatible with IPsec. To protect the original IPsec-encoded packet, NAT traversal encapsulates it with an additional layer of UDP and IP headers.
For IPsec to work with NAT traversal, these protocols must be allowed through the NAT interface(s):
- IKE - UDP port 500
- IPsec NAT-T - UDP port 4500
- Encapsulating Security Payload (ESP) - IP protocol number 50
- Authentication Header (AH) - IP protocol number 51
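As an added example (not Check Point code), the following Python classifies raw IPv4 packets into the four traffic types listed above, using the RFC 3948 rule for UDP port 4500: a payload starting with four zero bytes carries IKE behind the Non-ESP marker, a single 0xFF byte is a NAT keepalive, and anything else starts with an ESP SPI. The packet builders and the sample addresses are this example's own and constructed, not captured from a gateway.

```python
import socket
import struct

# Constructed constants for this example (not from any real capture).
IKE_PORT, NAT_T_PORT = 500, 4500
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51

def ipv4_packet(proto, payload, src="10.0.0.1", dst="198.51.100.1"):
    """Minimal IPv4 header (no options, zero checksum) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def udp_packet(sport, dport, payload):
    """UDP header (zero checksum is legal for IPv4) around payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def classify(packet):
    """Return which of the NAT-T allow rules this packet falls under."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not IPv4"
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    body = packet[ihl:]
    if proto == PROTO_ESP:
        return "ESP (IP protocol 50)"
    if proto == PROTO_AH:
        return "AH (IP protocol 51)"
    if proto != PROTO_UDP or len(body) < 8:
        return "not IPsec"
    sport, dport = struct.unpack("!HH", body[:4])
    data = body[8:]
    if IKE_PORT in (sport, dport):
        return "IKE (UDP port 500)"
    if NAT_T_PORT not in (sport, dport):
        return "not IPsec"
    # RFC 3948: on UDP 4500 a 4-byte zero Non-ESP marker precedes IKE,
    # a lone 0xFF byte is a NAT keepalive, anything else begins with the
    # ESP SPI (SPI values 0-255 are reserved, so it can never be all zero).
    if data == b"\xff":
        return "NAT-T keepalive (UDP port 4500)"
    if data[:4] == b"\x00\x00\x00\x00":
        return "IKE over NAT-T (UDP port 4500, Non-ESP marker)"
    if len(data) >= 8:
        spi = struct.unpack("!I", data[:4])[0]
        return f"ESP over NAT-T (UDP port 4500, SPI 0x{spi:08x})"
    return "malformed NAT-T payload"
```

A packet that matches none of these rules is exactly the traffic a NAT device in the path may drop or rewrite, which is what the checklist above is meant to prevent.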
- In SmartConsole, from the left navigation panel, click Gateways & Servers.
- Open the applicable Security Gateway object with enabled IPsec VPN Software Blade.
- From the left tree, click IPsec VPN > VPN Advanced.
- Make sure to select Support NAT traversal (applies to Remote Access and Site to Site connections).
  NAT-Traversal is enabled by default when a NAT device is detected.
- Click OK.
- Install the Access Control Policy.
These kernel parameters are defined for each Security Gateway and control NAT-T for Site to Site VPN:
Item | Description | Default Value
---|---|---
 | Initiator sends NAT-T traffic. For more information, see sk177823. | 
 | Responder accepts NAT-T traffic from known Security Gateways. | 
 | Force NAT-T, even if there is no NAT-T device. For more information, see sk166037. Important - The value of this parameter must be the same for all VPN peers. | 
You can edit these parameters with Database Tool (GuiDBEdit Tool):
- (Recommended) Back up the Security Management Server / Domain Management Server.
- Close all SmartConsole windows connected to the Management Server.
- Connect with Database Tool (GuiDBEdit Tool) to the Security Management Server / Domain Management Server.
- In the upper left pane, go to Table - Network Objects - network_objects.
- In the upper right pane, select the relevant Security Gateway / Cluster object.
- Press CTRL + F (or go to Search menu - Find) - paste <NAME OF PARAMETER> - click Find Next.
- In the lower pane, right-click <NAME OF PARAMETER> - click Edit... - configure the desired value.
- Save the changes (File menu > Save All).
- Close the Database Tool (GuiDBEdit Tool).
- Connect with SmartConsole to the Security Management Server / Domain Management Server.
- Install the Access Control Policy.