encryption failure: According to the policy the packet should not have been decrypted

When trying to establish a VPN tunnel you may find that the tunnel is built but you receive the error message:

encryption failure: According to the policy the packet should not have been decrypted

This can be down to one of the following:

  • Overlapping encryption domains between the local and remote endpoints.
  • The local and remote encryption domains added at either end are the wrong way round.
  • Routing issues causing the non-encapsulated traffic to reach the Check Point outside of the VPN tunnel.
  • Missing NAT rules.

Additional Notes:
You may see the unencrypted traffic on the inbound interface (or, to be more specific, at the 1st inspection point of the inbound VPN-1 kernel, the small “i”). This can cause confusion, as it will appear that the remote peer is sending the traffic to you unencrypted, even though this is not the case: the problem is down to the points listed above.
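To turn the list above into a repeatable check, the following added example (not part of the original article or of any Check Point tooling) takes the local and remote encryption domains as CIDR lists plus the source and destination of a packet seen in cleartext at the inbound “i” point, and reports which of the listed causes the evidence points to. The domain and address values are constructed for illustration.

```python
import ipaddress


def parse_domain(cidrs):
    """Turn a list of CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def find_overlaps(local, remote):
    """Return every (local, remote) network pair that overlaps. Overlapping
    encryption domains leave the policy ambiguous about what belongs in the tunnel."""
    return [(str(l), str(r)) for l in local for r in remote if l.overlaps(r)]


def in_domain(addr, domain):
    """True if addr falls inside any network of the given encryption domain."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in domain)


def triage_inbound_cleartext(src, dst, local_cidrs, remote_cidrs):
    """Classify an unencrypted packet seen at the inbound inspection point.

    local_cidrs / remote_cidrs are the encryption domains as configured on this
    gateway. Returns a list of findings mapped to the causes listed above."""
    local, remote = parse_domain(local_cidrs), parse_domain(remote_cidrs)
    findings = []

    overlaps = find_overlaps(local, remote)
    if overlaps:
        findings.append("overlapping domains: "
                        + ", ".join(f"{l}<->{r}" for l, r in overlaps))

    if in_domain(src, remote) and in_domain(dst, local):
        # Remote-domain host talking to a local-domain host in cleartext is the
        # exact condition behind the error: the policy says this flow must be
        # encrypted, so look at routing into the tunnel and at the NAT rules.
        findings.append("policy expects this flow encrypted; "
                        "check routing into the tunnel and NAT rules")
    elif in_domain(src, local) and in_domain(dst, remote):
        # An inbound packet that reads as local->remote suggests the two
        # domains were entered the wrong way round on one of the peers.
        findings.append("inbound traffic matches local->remote; "
                        "encryption domains may be swapped")
    else:
        findings.append("flow is outside both encryption domains; not VPN traffic")
    return findings
```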

Rick Donato
