Hi Gary,

My experience with a site-2-site VPN between CP NGx R61 with HFA_01 and a Cisco IOS device is this: I explicitly configured the Cisco device for NAT-T (crypto ipsec udp-encapsulation), and the Cisco IOS device sits behind a PIX firewall doing static NAT for the Cisco IOS device. I also configured the Checkpoint for "udp encapsulation" as well.

With all that, I do not see udp-4500 traffic, only ESP traffic, which tells me that there is no NAT-T traffic. In other words, even with a NAT device in between, Checkpoint didn't do any NAT-T. Maybe it does, but only with other Checkpoint devices.

Gary Scott <[EMAIL PROTECTED]> wrote:

Hi guys, can anyone help shed some light on NAT-T?

From what I have read and experienced, CP will only agree to do NAT-T in a site to site tunnel if it detects a NAT device, the other side is the initiator and you have selected to support this. If the other side is insisting on doing NAT-T even though there is no NAT device (I'm still trying to determine the desire to do NAT-T when not really needed), the IKE phase 1 negotiation will fail. You can support NAT-T but you cannot force it. I think this is expected behavior.

Thanks,
-GS

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
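For reference alongside the thread above, this added example (not part of either message, and not Check Point or Cisco code) shows the NAT detection step that RFC 3947 defines for IKEv1 NAT-T: each peer sends NAT-D hashes of the addresses it believes are in use, and the receiver compares them with what it actually sees on the packet. The addresses, cookies, the choice of SHA-1 as the negotiated hash and all function names are assumptions made for the illustration.

```python
import hashlib
import socket
import struct

def nat_d_hash(cky_i, cky_r, ip, port, alg="sha1"):
    """NAT-D payload body per RFC 3947: HASH(CKY-I | CKY-R | IP | Port)."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(alg, data).digest()

def build_nat_d(cky_i, cky_r, local, remote):
    """Sender: first NAT-D covers the remote end, the second the local end."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]

def detect_nat(cky_i, cky_r, nat_d, seen_src, seen_dst):
    """Receiver: recompute the hashes from the addresses actually seen on the
    packet. A mismatch means a NAT device rewrote that end in transit."""
    dst_hash, src_hashes = nat_d[0], nat_d[1:]
    return {
        "local_behind_nat": nat_d_hash(cky_i, cky_r, *seen_dst) != dst_hash,
        "peer_behind_nat": nat_d_hash(cky_i, cky_r, *seen_src) not in src_hashes,
    }

def use_nat_t(result):
    """Float to UDP 4500 with UDP-encapsulated ESP only if a NAT was detected."""
    return result["local_behind_nat"] or result["peer_behind_nat"]

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
GATEWAY = ("198.51.100.1", 500)        # responder, public address
ROUTER_INSIDE = ("10.0.0.2", 500)      # initiator's real address
ROUTER_NATTED = ("203.0.113.10", 500)  # address after static NAT

def static_nat_case():
    """Initiator behind static NAT: its source hash no longer matches."""
    nat_d = build_nat_d(CKY_I, CKY_R, ROUTER_INSIDE, GATEWAY)
    return detect_nat(CKY_I, CKY_R, nat_d, ROUTER_NATTED, GATEWAY)

def no_nat_case():
    """Initiator on its public address: both hashes match, no NAT-T."""
    nat_d = build_nat_d(CKY_I, CKY_R, ROUTER_NATTED, GATEWAY)
    return detect_nat(CKY_I, CKY_R, nat_d, ROUTER_NATTED, GATEWAY)

if __name__ == "__main__":
    for name, case in (("static NAT", static_nat_case), ("no NAT", no_nat_case)):
        result = case()
        print(name, result, "NAT-T" if use_nat_t(result) else "plain ESP")
```

When checking a real tunnel, the outcome of this step is visible on the wire as IKE and ESP moving to UDP port 4500 instead of UDP 500 plus IP protocol 50.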
