Check Point – Site To Site VPN – Encryption Domain issue

By | June 7, 2013

Recently, whilst setting up a Site-to-Site VPN with a partner company, we saw an issue where the VPN tunnel came up successfully, but the connections allowed by the associated firewall rules failed.

The Check Point tracker logs showed the packets being dropped, and the following information:


encryption failure: According to the policy the packet should not have been decrypted


This is caused by a mismatch between the networks defined in each side's Encryption Domain (ED). A quick check revealed that the networks that the partner company was attempting to connect to were missing from the ED on our side of the tunnel.
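The check described above can be scripted before a change goes live. The following is an added example, not code from the original post or from Check Point: it compares the networks the partner expects to reach with the local Encryption Domain and lists the ranges that are missing, including partial overlaps. The function name and all network values are hypothetical, constructed samples, and it assumes both lists are IPv4 networks in CIDR notation.

```python
import ipaddress

def missing_from_domain(local_domain, peer_targets):
    """Return the parts of peer_targets not covered by local_domain (IPv4 CIDRs)."""
    # Merge adjacent/overlapping entries so each address range is checked once.
    domain = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(n) for n in local_domain))
    gaps = []
    for target in map(ipaddress.ip_network, peer_targets):
        remaining = [target]
        for net in domain:
            still_missing = []
            for piece in remaining:
                if piece.subnet_of(net):
                    continue  # fully inside the local Encryption Domain
                if net.subnet_of(piece):
                    # Domain entry covers only part of this piece; keep the rest.
                    still_missing.extend(piece.address_exclude(net))
                else:
                    # CIDR blocks that do not nest are disjoint.
                    still_missing.append(piece)
            remaining = still_missing
        gaps.extend(remaining)
    return [str(n) for n in ipaddress.collapse_addresses(gaps)]

# Constructed sample values, not taken from the original post.
LOCAL_ED = ["10.10.0.0/24", "10.10.1.0/24", "192.168.50.0/24"]
PEER_TARGETS = ["10.10.0.0/23", "10.20.5.0/24", "192.168.50.0/23"]

if __name__ == "__main__":
    for net in missing_from_domain(LOCAL_ED, PEER_TARGETS):
        print("not in local Encryption Domain:", net)
```

Any network it reports is one where decrypted traffic from the peer would fall outside the local Encryption Domain definition.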




About Rich Bibby

I am a Network Engineer based in Dubai in the UAE. I work mainly with Cisco, Juniper and Arista gear in the enterprise LAN, WAN and Data Centre space. Aside from route/switch/firewalling, I'm interested in open source network monitoring and management tools, and exploring the possibilities that automation and programmability bring to networking. Follow me on Twitter and GitHub
