When Check Point Security Gateway initiates a VPN tunnel with a 3rd Party peer, NAT-T is forced because it leaves the first interface IP address in NAT-D payload. The SA is established on UDP port 4500, and then VPN traffic fails.

When the 3rd Party peer gateway initiates the VPN tunnel, NAT-T is not used. The SA is established on UDP 500, and VPN works fine.

In vpnd.elg, it shows that the gateway uses the first external interface, and peer responds with UDP/4500:
[vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: Searching for entry with key <954e14fd,6db29991,00000000,00000000>
[vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: Not found, will use first external interface
[vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with IP 10.44.0.20, which is a member interface
[vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with IP 10.44.0.21, which is a member interface
[vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with IP 10.44.0.66, which is a member interface
[vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with IP 10.44.0.67, which is a member interface
[vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with IP 10.44.2.148, which is a member interface
[vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with IP 10.44.2.149, which is a member interface
[vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with IP 10.44.193.27, which is a member interface
[vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with IP 10.44.193.28, which is a member interface
[vpnd PID ]@Gateway[TIME][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with IP 192.168.1.1, which is a member interface