Phase-2 negotiation fails with "Reason: Wrong value for: Encapsulation Mode"
R80.10, R80.20, R80.30
After upgrade to R80.x, Phase-2 negotiation fails with "Reason: Wrong value for: Encapsulation Mode".
In ike.elg, Main Mode packet 3 from the peer has a NAT Discovery payload. Main Mode packets 5 and 6 use UDP/4500 correctly. Phase-1 negotiation is successful, but Phase-2 negotiation sometimes fails with NAT-T.
In vpnd.elg, you will see either or both of the following lines:
[tunnel] transformsMatch: lst_first failed for trans2
[tunnel] GOT LIFE DURATION P2 (lifetype: (nil), pair->type: 1)
Encapsulation Mode is matched only against the VPN Community settings. It is not matched against the Encapsulation Mode negotiated with the peer gateway.
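To confirm which of the two vpnd.elg lines listed above is present, the following added example (not Check Point code) counts both in a single pass over one or more log files or standard input. The function name and the prefixes of the sample lines are constructed for illustration; only the "[tunnel] ..." text comes from this article.

```shell
# Signatures taken from the article. Matched as fixed strings, so the
# parentheses are never interpreted as pattern syntax.
SIG_TRANSFORM='transformsMatch: lst_first failed for trans2'
SIG_LIFETYPE='GOT LIFE DURATION P2 (lifetype: (nil)'

# vpnd_encap_check [FILE...]  (hypothetical helper name)
# Reads the given files, or stdin when none are given, and prints one
# summary line. Exit status 0 = at least one signature found, 1 = none.
vpnd_encap_check() {
    cat -- "$@" | awk -v a="$SIG_TRANSFORM" -v b="$SIG_LIFETYPE" '
        index($0, a) { t++ }   # transformsMatch failure
        index($0, b) { l++ }   # Phase-2 life duration with nil lifetype
        END {
            printf "transformsMatch=%d lifetype_nil=%d\n", t, l
            exit ((t + l > 0) ? 0 : 1)
        }'
}

# Constructed sample input: the timestamp/process prefixes are invented.
sample_log() {
    cat <<'EOF'
[vpnd 1234]@gw[1 Jan 10:00:00] [tunnel] transformsMatch: lst_first failed for trans2
[vpnd 1234]@gw[1 Jan 10:00:00] [tunnel] GOT LIFE DURATION P2 (lifetype: (nil), pair->type: 1)
[vpnd 1234]@gw[1 Jan 10:00:01] [tunnel] unrelated debug line
[vpnd 1234]@gw[1 Jan 10:05:00] [tunnel] transformsMatch: lst_first failed for trans2
EOF
}

sample_log | vpnd_encap_check
```

Pass the current vpnd.elg together with its rotated copies as arguments to total the counts across all of them.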