Hi @ramawatar and @PhoneBoy
I am also facing a similar issue.
My observation is that, during the continuous, ongoing security parameter negotiations, whenever the AWS end negotiates the tunnel with NAT-T (UDP 4500), the tunnel shows UP but no data traverses through it.
(As per a few SecureKnowledge articles, Check Point only responds to NAT-T negotiation but never initiates a negotiation with NAT-T.)
fw ctl zdebug + drop | grep <AWS_gateway> gives "decryption failed". (A = My End. B = AWS End.)
I am using the BGP protocol to control routing.
The BGP TCP handshake does not complete when the IKE negotiation shows IKE NAT-T (4500).
But fw monitor shows my end trying to send BGP messages through the tunnel, and even the initial packet comes through from the AWS end, but the TCP connection does not complete:
[vs_0][fw_22] eth3-01:i[60]: 169.254.A.A -> 169.254.B.B (TCP) len=60 id=10285
TCP: 45645 -> 179 .S.... seq=2ab5fb15 ack=00000000
[vs_0][fw_22] vpnt6:O[60]: 169.254.B.B -> 169.254.A.A (TCP) len=60 id=0
TCP: 179 -> 45645 .S..A. seq=808ca7b8 ack=2ab5fb16
[vs_0][fw_3] vpnt6:e[60]: 169.254.B.B -> 169.254.A.A (TCP) len=60 id=0
TCP: 179 -> 45645 .S..A. seq=808ca7b8 ack=2ab5fb16
[vs_0][fw_3] eth3-01:E[60]: 169.254.B.B -> 169.254.A.A (TCP) len=60 id=0
TCP: 179 -> 45645 .S..A. seq=808ca7b8 ack=2ab5fb16
When I do a manual tunnel reset, Check Point initiates the tunnel, negotiating on UDP 500, and data starts traversing through the tunnel.
Tunnels remain UP as long as the negotiation does not happen through IKE 4500.
Currently I am experimenting with tuning the gateway-specific parameters below to ensure that negotiation on IKE 4500 does not happen. (There is no NAT device between my end and AWS.)
IKE_SUPPORT_NAT_T
offer_nat_t_initator
offer_nat_t_responder_for_known_gw
force_nat_t
Advanced NAT-T Configuration
These variables are defined for each gateway and control NAT-T for site-to-site VPN:

Item | Description | Default Value
--- | --- | ---
offer_nat_t_initator | Initiator sends NAT-T traffic | true
offer_nat_t_responder_for_known_gw | Responder accepts NAT-T traffic from known gateways | true
force_nat_t | Force NAT-T even if there is no NAT-T device | false
Check Point team (@PhoneBoy), based on my observations above, please highlight and resolve any interoperability issue with NAT-T between Check Point and other vendor devices.
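The fw monitor lines pasted in the post above show a SYN arriving, a SYN-ACK leaving at the vpnt6:O, vpnt6:e and eth3-01:E chain positions, and then nothing: no third-packet ACK. The script below is an added example (not code from the post, from Check Point or from AWS) that parses fw monitor TCP output and classifies each TCP/179 flow as complete, "SYN-ACK sent but never ACKed", or unanswered, so that a capture taken while the tunnel is negotiated on UDP 4500 can be compared with one taken after the manual reset on UDP 500. It reuses the four packets from the post (addresses already anonymised there as 169.254.A.A / 169.254.B.B, treated as opaque strings) and adds one constructed flow on source port 45700 that completes, for contrast. The flag decoding only checks which letters (S, A, R, F) appear in the flag field; the chain-position letters are carried through verbatim without interpretation.

```python
"""Classify TCP/179 (BGP) handshakes from Check Point `fw monitor` output.

Added example; not part of the original post. The first four packets are the
ones pasted in the post; the port-45700 flow is CONSTRUCTED to show a
completed handshake for comparison.
"""
import re
from collections import defaultdict

SAMPLE = """\
[vs_0][fw_22] eth3-01:i[60]: 169.254.A.A -> 169.254.B.B (TCP) len=60 id=10285
TCP: 45645 -> 179 .S.... seq=2ab5fb15 ack=00000000
[vs_0][fw_22] vpnt6:O[60]: 169.254.B.B -> 169.254.A.A (TCP) len=60 id=0
TCP: 179 -> 45645 .S..A. seq=808ca7b8 ack=2ab5fb16
[vs_0][fw_3] vpnt6:e[60]: 169.254.B.B -> 169.254.A.A (TCP) len=60 id=0
TCP: 179 -> 45645 .S..A. seq=808ca7b8 ack=2ab5fb16
[vs_0][fw_3] eth3-01:E[60]: 169.254.B.B -> 169.254.A.A (TCP) len=60 id=0
TCP: 179 -> 45645 .S..A. seq=808ca7b8 ack=2ab5fb16
[vs_0][fw_22] eth3-01:i[60]: 169.254.A.A -> 169.254.B.B (TCP) len=60 id=10301
TCP: 45700 -> 179 .S.... seq=0000aaaa ack=00000000
[vs_0][fw_22] eth3-01:E[60]: 169.254.B.B -> 169.254.A.A (TCP) len=60 id=0
TCP: 179 -> 45700 .S..A. seq=0000bbbb ack=0000aaab
[vs_0][fw_22] eth3-01:i[52]: 169.254.A.A -> 169.254.B.B (TCP) len=52 id=10302
TCP: 45700 -> 179 ....A. seq=0000aaab ack=0000bbbc
"""

# "[vs_0][fw_22] eth3-01:i[60]: SRC -> DST (TCP) ..." header line.
HEADER_RE = re.compile(
    r"^\[(?P<vs>[^\]]+)\]\[(?P<inst>[^\]]+)\] "
    r"(?P<iface>[^:\s]+):(?P<pos>[a-zA-Z])\[\d+\]: "
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\)")
# "TCP: SPORT -> DPORT FLAGS seq=HEX ack=HEX" detail line that follows it.
TCP_RE = re.compile(
    r"^TCP: (?P<sport>\d+) -> (?P<dport>\d+) (?P<flags>\S+) "
    r"seq=(?P<seq>[0-9a-fA-F]+) ack=(?P<ack>[0-9a-fA-F]+)")


def parse_packets(text):
    """Pair each header line with its following 'TCP:' line; return a list of dicts."""
    pkts, header = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        m = TCP_RE.match(line)
        if m and header and header["proto"] == "TCP":
            d = m.groupdict()
            pkts.append({
                "pos": header["iface"] + ":" + header["pos"],   # e.g. "vpnt6:O"
                "src": header["src"], "dst": header["dst"],
                "sport": int(d["sport"]), "dport": int(d["dport"]),
                "flags": set(d["flags"].replace(".", "")),       # letters present
                "seq": int(d["seq"], 16), "ack": int(d["ack"], 16),
            })
            header = None
    return pkts


def classify_handshakes(text, server_port=179):
    """Map (client, cport, server, sport) -> {"state", "synack_seen_at"} per flow."""
    flows = defaultdict(lambda: {"syn": None, "synack": None,
                                 "synack_at": [], "ack": False, "rst": False})
    for p in parse_packets(text):
        if p["dport"] == server_port:        # client -> server direction
            key = (p["src"], p["sport"], p["dst"], p["dport"])
        elif p["sport"] == server_port:      # server -> client direction
            key = (p["dst"], p["dport"], p["src"], p["sport"])
        else:
            continue
        f, fl = flows[key], p["flags"]
        if "R" in fl:
            f["rst"] = True
        elif "S" in fl and "A" not in fl:
            f["syn"] = p["seq"]
        elif "S" in fl and "A" in fl:
            f["synack"] = p["seq"]
            f["synack_at"].append(p["pos"])
        elif ("A" in fl and p["dport"] == server_port and f["synack"] is not None
              and p["ack"] == (f["synack"] + 1) & 0xFFFFFFFF):
            f["ack"] = True                  # third packet acknowledges the SYN-ACK

    result = {}
    for key, f in flows.items():
        if f["rst"]:
            state = "reset"
        elif f["syn"] is None:
            state = "no_syn_seen"
        elif f["synack"] is None:
            state = "syn_unanswered"
        elif not f["ack"]:
            state = "synack_sent_no_ack"     # the symptom described in the post
        else:
            state = "complete"
        result[key] = {"state": state, "synack_seen_at": f["synack_at"]}
    return result


if __name__ == "__main__":
    for key, info in classify_handshakes(SAMPLE).items():
        print("%s:%d -> %s:%d  %s  (SYN-ACK seen at %s)"
              % (*key, info["state"], ", ".join(info["synack_seen_at"]) or "-"))
```

Feed it a real capture with `fw monitor -e 'accept tcp and (port(179));' | python3 this_script.py`-style piping by replacing SAMPLE with `sys.stdin.read()`; a flow that reaches eth3-01:E as a SYN-ACK but never produces an ACK tells you the SYN-ACK left the gateway encrypted and either was dropped on the far side or its return was dropped here, which is where the `fw ctl zdebug + drop` "decryption failed" line in the post fits in.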