Check Point – Site To Site VPN – Encryption Domain issue

June 7, 2013

Recently, whilst setting up a Site-to-Site VPN with a partner company, we saw an issue where the VPN tunnel came up successfully but the connections allowed by the associated firewall rules failed.

The Check Point tracker logs showed the packets being dropped, with the following reason:

encryption failure: According to the policy the packet should not have been decrypted

This is caused by a mismatch in the networks defined in the two sides' Encryption Domains: the partner's gateway encrypted traffic for a destination that our gateway's VPN policy did not recognise as part of the tunnel, so the packet was dropped rather than decrypted. A quick check revealed that the networks the partner company was attempting to connect to were missing from the Encryption Domain on our side of the tunnel. Once those networks are added to our Encryption Domain, the traffic matches the VPN policy. Note that the tunnel negotiating successfully says nothing about whether the two Encryption Domains agree; the mismatch only shows up when traffic for the affected networks is actually sent, so whenever a network is added to a rule, check it against the Encryption Domains on both sides (including any supernets or host objects that are meant to cover it).
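The check that would have caught this, as an added example that is not from the original post or from Check Point: a short Python script that compares the networks a rule references with the Encryption Domain configured on each side, reports what is missing, and models (in simplified form, which is an assumption rather than the gateway's real code path) why an encrypted packet whose destination lies outside the local domain is dropped. All domain and rule values are constructed samples; the function names and decision strings are the example's own, not a Check Point API.

```python
"""Encryption-domain coverage check for a site-to-site VPN.

Added example; not code from the original post or from Check Point.
All networks below are constructed sample values standing in for the
VPN domain objects you would read from each gateway's configuration.
"""
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample data (assumed, not from the post).
LOCAL_ENCRYPTION_DOMAIN = ["10.10.0.0/16", "192.168.50.0/24"]   # our side
PEER_ENCRYPTION_DOMAIN = ["10.200.0.0/22"]                      # partner side
# Destinations on our side that the partner's rules are allowed to reach.
RULE_DESTINATIONS = ["10.10.5.0/24", "172.16.20.0/24"]


def parse_domain(cidrs: Iterable[str]) -> List[Net]:
    """Turn CIDR strings into network objects; host bits are masked off."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def covered(net: Net, domain: List[Net]) -> bool:
    """True if `net` lies entirely inside one network of `domain`
    (so a /24 is covered by a /16 that contains it)."""
    return any(net.version == d.version and net.subnet_of(d) for d in domain)


def missing_from_domain(rule_networks: Iterable[str],
                        domain_cidrs: Iterable[str]) -> List[str]:
    """Networks a rule references that the encryption domain does not contain.

    Anything returned here is traffic the rule base would allow but the
    VPN policy would never treat as part of the tunnel."""
    domain = parse_domain(domain_cidrs)
    return [str(n) for n in parse_domain(rule_networks) if not covered(n, domain)]


def domain_mismatches(ours: Iterable[str], theirs: Iterable[str]) -> dict:
    """Compare two definitions of the same encryption domain, e.g. how we
    define the partner's domain versus what the partner actually configured."""
    a, b = parse_domain(ours), parse_domain(theirs)
    return {
        "only_in_ours": [str(n) for n in a if not covered(n, b)],
        "only_in_theirs": [str(n) for n in b if not covered(n, a)],
    }


def inbound_decision(src_ip: str, dst_ip: str,
                     peer_domain: Iterable[str],
                     local_domain: Iterable[str]) -> str:
    """Simplified model (an assumption, not the gateway's real logic) of the
    policy check applied to a packet arriving encrypted from the peer: the
    source must sit in the peer's encryption domain and the destination in
    ours, otherwise no VPN community rule matches and the packet is dropped."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not any(src in d for d in parse_domain(peer_domain)):
        return "drop: source not in peer encryption domain"
    if not any(dst in d for d in parse_domain(local_domain)):
        return "drop: destination not in local encryption domain"
    return "accept: decrypt and pass to rule base"


if __name__ == "__main__":
    print("rule destinations missing from our encryption domain:",
          missing_from_domain(RULE_DESTINATIONS, LOCAL_ENCRYPTION_DOMAIN))
    for dst in ("10.10.5.9", "172.16.20.7"):
        print(dst, "->", inbound_decision("10.200.1.5", dst,
                                          PEER_ENCRYPTION_DOMAIN,
                                          LOCAL_ENCRYPTION_DOMAIN))
```

Run it with the two sides' domain objects exported into the lists at the top; `missing_from_domain` lists exactly the networks that need adding on our side, and `domain_mismatches` is the symmetric check to run against the partner's definition of their own domain, since a supernet on one side and a narrower subnet on the other will also fail once traffic from the uncovered range is sent.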


