
encryption failure: According to the policy the packet should not have been decrypted

When trying to establish a VPN tunnel you may find that the tunnel is built, but you receive the error message:

encryption failure: According to the policy the packet should not have been decrypted

This can be down to one of the following:

  • Overlapping encryption domains for that of the local and remote endpoints.
  • The local and remote encryption domains added to either end are the wrong way round.
  • Routing issues causing the non-encapsulated traffic to hit the Check Point outside of the VPN tunnel.
  • Missing NAT rules.
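As an added illustration (not part of the original article), the small checker below covers the first two causes: it reports local/remote encryption domains whose ranges overlap, and it classifies a packet that arrived decrypted by asking whether its source sits in the remote domain and its destination in the local domain, flagging the case where the two domains look swapped. The domain and address values are constructed sample data.

```python
# Added example: sanity checks for Check Point encryption-domain configuration.
# Domain values and packet addresses below are constructed sample data.
from ipaddress import ip_address, ip_network


def overlapping_domains(local, remote):
    """Return (local_net, remote_net) pairs whose address ranges overlap.

    Overlapping encryption domains are one cause of the
    "According to the policy the packet should not have been decrypted" error.
    """
    local_nets = [ip_network(n) for n in local]
    remote_nets = [ip_network(n) for n in remote]
    return [(str(l), str(r))
            for l in local_nets for r in remote_nets if l.overlaps(r)]


def classify_decrypted_packet(src, dst, local, remote):
    """Explain whether a decrypted inbound packet matches the VPN policy.

    Policy expects a decrypted packet to come from the remote peer's
    encryption domain and be destined for our local encryption domain.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    local_nets = [ip_network(n) for n in local]
    remote_nets = [ip_network(n) for n in remote]
    src_remote = any(src_ip in n for n in remote_nets)
    dst_local = any(dst_ip in n for n in local_nets)
    if src_remote and dst_local:
        return "ok"
    # Source in *our* domain and destination in the *remote* domain suggests
    # the local and remote domains were entered the wrong way round.
    src_local = any(src_ip in n for n in local_nets)
    dst_remote = any(dst_ip in n for n in remote_nets)
    if src_local and dst_remote:
        return "domains reversed"
    return "outside encryption domain"


if __name__ == "__main__":
    local_domain = ["10.1.0.0/16"]
    remote_domain = ["10.1.5.0/24"]      # constructed: overlaps the local domain
    print(overlapping_domains(local_domain, remote_domain))
    print(classify_decrypted_packet("10.1.0.9", "10.2.0.5",
                                    ["10.1.0.0/16"], ["10.2.0.0/16"]))
```

Run the checks against the encryption domains defined on both gateways; a non-empty overlap list or a "domains reversed" verdict points at the first two causes listed above.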

Additional Notes:
You may see the unencrypted traffic on the inbound interface (or, to be more specific, at the 1st inspection point of the inbound VPN-1 kernel, the small "i"). This can cause confusion, as it will appear that the remote peer is sending the traffic to you unencrypted, even though this is not the case: the problem is down to the causes listed above.

Tags: Check Point

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001