Site to site VPN in general is sometimes magic to setup between to different vendors firewalls. In this post i gone explain a strange thing i ran in to a few weeks ago and was not able to find any answers to then searching for it.
I was setting up a new tunnel between a Checkpoint VSX (Virtual Firewall) and a Fortigate firewall. Tunnel went up on both phase 1 and phase 2 all looked fine so far. We could send traffic from Checkpoint one way in the tunnel but bbot the other. If Fortigate side sent traffic it never showed up in logs on the Checkpoint side.
After much investigation and tips from a former coworker i found out on Checkpoint side you need to add the remote networks to be exempted in anti spoofing on external interface (outside). After adding an exception group in Checkpoint for the remote subnets all started working fine.
To add an exception in Checkpoint VSX double click the node and go to Topology > External Interface > Topology > Anti spoofing on the bottom of the settings page. Create a group and add all exceptions in it and apply it in the settings. I hope this short info helps someone else online becouse i could not find any info at all about this.
Tags: Checkpoint, Fortigate, L2L, S2S, Site 2 Site, VPN, VSX