[Openswan Users] Openswan + NAT-T + Checkpoint NGX

Dmitriy Samovskiy dmitriy04111 at gmail.com
Mon Feb 22 14:41:34 EST 2010

Thanks for your quick reply, Paul.

>> The problem is that the tunnel gets established but it ends up using
>> regular ESP (proto 50):
>> STATE_QUICK_I2: sent QI2, IPsec SA established {ESP/NAT=>0xfffffff
>> <0xfffffff xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
> Did the vendorids now show that NAT-T was negotiated?

This may sound like a stupid question but how can I find it out?

With tunnels to Cisco, I sometimes see in logs "ignoring Vendor ID
payload" lines but I don't have them with Checkpoint, even with

> Does the checkpoint allow NAT-T for other clients? Or from other locations?

Checkpoint GUI has NAT-T checkbox checked, that's all I know. I doubt
they have other NAT-T tunnels but getting this fact doouble checked


More information about the Users mailing list