encryption failure: According to the policy the packet should not have been decrypted
When trying to establish a VPN tunnel on a Check Point gateway you may find that the tunnel is built but you receive the error message "encryption failure: According to the policy the packet should not have been decrypted".
This can be due to one of the following:
- Overlapping encryption domains between the local and remote endpoints.
- The local and remote encryption domains configured at either end are the wrong way round.
- Routing issues causing the non-encapsulated traffic to hit the Check Point outside of the VPN tunnel.
- Missing NAT rules.
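To show how the first two causes (overlapping domains, domains entered the wrong way round) and the routing/NAT cause look from the gateway's point of view, here is an added example that is not part of the original note: a small checker that takes the configured local and remote encryption domains (CIDR strings, assumed input format) plus the source, destination and arrival side of a clear-text packet, and says which of the listed misconfigurations it points to.

```python
import ipaddress
from typing import Iterable, List, Tuple

def _nets(cidrs: Iterable[str]) -> list:
    # strict=False tolerates host bits being set in the configured domain, e.g. 10.1.2.3/16
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def overlapping_domains(local: Iterable[str], remote: Iterable[str]) -> List[Tuple[str, str]]:
    """Every (local, remote) subnet pair that overlaps. An address inside such a pair
    belongs to both domains, so the gateway cannot decide which peer owns it."""
    return [(str(l), str(r)) for l in _nets(local) for r in _nets(remote) if l.overlaps(r)]

def diagnose(src: str, dst: str, arrived_on: str,
             local: Iterable[str], remote: Iterable[str]) -> str:
    """Classify a clear-text packet seen by the gateway against its VPN domains.
    arrived_on is 'internal' (from the local LAN) or 'external' (from the Internet side).
    Returns one of:
      'overlap'         - src or dst lies in both the local and the remote domain
      'encrypt'         - local -> remote seen on the inside: normal outbound, to be encrypted
      'domains_swapped' - the packet only fits the policy with local/remote exchanged
      'outside_tunnel'  - remote -> local arrived in the clear on the outside: routing or
                          NAT delivered it around the tunnel
      'not_vpn'         - no domain matches, so this is not VPN traffic at all"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    lnets, rnets = _nets(local), _nets(remote)

    def in_local(ip) -> bool:
        return any(ip in n for n in lnets)

    def in_remote(ip) -> bool:
        return any(ip in n for n in rnets)

    if (in_local(s) and in_remote(s)) or (in_local(d) and in_remote(d)):
        return "overlap"
    if arrived_on == "internal":
        if in_local(s) and in_remote(d):
            return "encrypt"
        if in_remote(s) and in_local(d):
            return "domains_swapped"
    elif arrived_on == "external":
        if in_remote(s) and in_local(d):
            return "outside_tunnel"
        if in_local(s) and in_remote(d):
            return "domains_swapped"
    return "not_vpn"

if __name__ == "__main__":
    # constructed sample domains, not taken from any real deployment
    LOCAL, REMOTE = ["10.1.0.0/16"], ["192.168.7.0/24"]
    print(overlapping_domains(["10.1.0.0/16"], ["10.1.5.0/24"]))
    print(diagnose("192.168.7.9", "10.1.2.3", "external", LOCAL, REMOTE))
```

A packet reported as 'outside_tunnel' is exactly the case described in the additional notes below: it is legitimately clear text on the outside interface because it never entered the tunnel.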
Additional Notes:
You may see the unencrypted traffic on the inbound interface (or, more specifically, at the first inspection point of the inbound VPN-1 kernel, the lower-case "i" in fw monitor). This can cause confusion, as it will appear that the remote peer is sending the traffic to you unencrypted, even though this is not the case: the problem is down to one of the causes listed above.
Tags: Check Point