This is a question about the fundamental operation of IKE. I have searched the web, but have struggled to find good quality documentation (including the RFCs).
I have a fully working site-to-site VPN between an ASA and an 1800 series router. In between the 2 devices is a Checkpoint firewall which is performing NAT on the ASA VPN endpoint address (from a private 10.x.x.x to an Internet address). The 1800 is configured with an Internet address and has no firewall between it and the Internet (I should say this is a test setup, so there is little behind the 1800).
Both devices have NAT-T DISABLED (no crypto ipsec nat-transparency udp-encaps).
As I say, this setup works fine, but in packets 5 & 6 of IKE why does the 1800 not complain about the ID of the ASA (i.e. 10.x.x.x) being different from the peer address (the Internet address introduced by Checkpoint NAT)?
My understanding is that this should fail peer authentication, but I'm obviously wrong. Either this check is not performed as part of peer authentication or the 2 devices are overcoming the NAT issue in some way beyond my understanding.
Any suggestions, or links to 'good' documentation would be appreciated.
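The following is an added example to illustrate the point the question turns on; it is not code from the original post and does not describe what IOS or the ASA actually implement. It is a simplified model of IKEv1 Main Mode pre-shared-key authentication as specified in RFC 2409 section 5.4: SKEYID is derived from the PSK and the nonces, and HASH_I in message 5 covers the IDii payload bytes the initiator sends. Because the responder has to pick the PSK by the packet's source address (it does not know the peer's ID until message 5), and because HASH_I is computed over whatever IDii bytes arrived, the hash verifies even when the ID carries a private address that differs from the NATed source. Comparing the ID to the source address is a separate local-policy decision, modelled here as `id_matches_source`. All addresses, nonces, cookies, DH values, the HMAC-SHA1 prf, and the PSK table are constructed for the example.

```python
"""Simplified model of IKEv1 Main Mode PSK authentication (RFC 2409, section 5.4).

Constructed example: not a real IKE implementation and no network I/O. It shows why
HASH_I in message 5 verifies even when the initiator's ID payload carries a
private address that differs from the NATed source address the responder sees.
"""
import hashlib
import hmac
import ipaddress


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC with the negotiated hash. HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b) for pre-shared key authentication."""
    return prf(psk, ni_b + nr_b)


def id_ipv4_addr(addr: str) -> bytes:
    """Body of an ID payload of type ID_IPV4_ADDR (1): type, protocol, port, address."""
    return bytes([1, 0, 0, 0]) + ipaddress.IPv4Address(addr).packed


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


# Constructed exchange state that both peers share after messages 1-4.
EXCHANGE = {
    "gxi": b"\x11" * 32, "gxr": b"\x22" * 32,
    "cky_i": b"\x01" * 8, "cky_r": b"\x02" * 8,
    "sai_b": b"constructed-SA-proposal",
    "ni_b": b"\x33" * 16, "nr_b": b"\x44" * 16,
}
PSK = b"constructed-shared-secret"

# Constructed addresses: the ASA's real address and the address the Checkpoint NATs it to.
ASA_PRIVATE = "10.1.1.1"
ASA_NATTED = "203.0.113.10"

# The responder (the 1800 in the question) keys its PSK table by peer source address,
# because in Main Mode the peer's ID is not known until message 5 arrives.
RESPONDER_PSK_TABLE = {ASA_NATTED: PSK}


def initiator_message5(idii_addr: str) -> tuple[bytes, bytes]:
    """Return (IDii_b, HASH_I) as the initiator would send them in message 5."""
    e = EXCHANGE
    skeyid = skeyid_psk(PSK, e["ni_b"], e["nr_b"])
    idii_b = id_ipv4_addr(idii_addr)
    return idii_b, hash_i(skeyid, e["gxi"], e["gxr"], e["cky_i"], e["cky_r"], e["sai_b"], idii_b)


def responder_verify(source_addr: str, idii_b: bytes, received_hash: bytes) -> bool:
    """Authenticate message 5: recompute HASH_I with the PSK selected by source address."""
    psk = RESPONDER_PSK_TABLE.get(source_addr)
    if psk is None:
        return False  # no pre-shared key configured for this peer address
    e = EXCHANGE
    skeyid = skeyid_psk(psk, e["ni_b"], e["nr_b"])
    expected = hash_i(skeyid, e["gxi"], e["gxr"], e["cky_i"], e["cky_r"], e["sai_b"], idii_b)
    return hmac.compare_digest(expected, received_hash)


def id_matches_source(idii_b: bytes, source_addr: str) -> bool:
    """Separate local-policy check: does an ID_IPV4_ADDR equal the packet's source address?"""
    return idii_b[0] == 1 and idii_b[4:8] == ipaddress.IPv4Address(source_addr).packed


if __name__ == "__main__":
    idii_b, h = initiator_message5(ASA_PRIVATE)
    print("HASH_I verifies:", responder_verify(ASA_NATTED, idii_b, h))
    print("ID equals source address:", id_matches_source(idii_b, ASA_NATTED))
```

Running the block shows `responder_verify` succeeding while `id_matches_source` reports a mismatch: the RFC 2409 authentication step is satisfied by the hash over the received ID bytes, so whether a mismatched ID is accepted or rejected comes down to the device's own policy check, which this model leaves as a separate function rather than asserting what a particular platform does.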