Maybe someone can give me a hint to disenchant this magic situation:
I have to connect a Fortigate 200B firewall (our datacenter) with a Checkpoint 1590 appliance (branch office) using an IPsec VPN. The Checkpoint firewall has to deal with NAT. For easy management in the test environment I have connected the Checkpoint over a management VLAN on interface LAN1. Management will be done with MDS version 80.40.
The VPN terminates on its own interface at LAN4.
I configured the VPN and it works as long as I do not use NAT on the Checkpoint.
When I use NAT, then sometimes packets don't take the way over the tunnel. From time to time they don't use the NAT rules and take the way over the management interface. I checked it by running a ping from the branch test client. When the packets try to take the wrong way I checked the VPN tunnels, but they seem to be active (checked on the Fortigate and on the Checkpoint side with the command "vpn tu"). Also the log from 'vpn debug ikeon' shows no problem from my point of view.
When I switch back the configuration and no NAT is used at the branch site, then all is fine. The connection is stable and all packets for the VPN are using it.
At first view it looks like the VPN has collapsed. But why do the Fortigate and the 'vpn tu' command show the tunnel as active? Or am I not fast enough and the tunnel is restored quickly? Are 'vpn debug ...' and 'vpn tu' the only options on the Checkpoint side to check the VPN tunnel status?