Recently, whilst setting up a Site-to-Site VPN with a partner company, we saw an issue where the VPN tunnel came up successfully, but the connections allowed by the associated firewall rules failed.
The Check Point tracker logs showed the packets being dropped, and the following information:
encryption failure: According to the policy the packet should not have been decrypted
This is caused by a mismatch in the networks defined in either side's Encryption Domains. A quick check revealed that the networks the partner company was attempting to connect to were missing from the ED on our side of the tunnel.
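A simple way to catch this before the tunnel goes live is to compare the partner's intended destination networks against your own Encryption Domain and report anything not covered. The script below is an added example, not part of the original post or any Check Point tooling; the network lists are constructed sample values and the function names are my own. It treats a destination as covered when it falls inside any network in the local ED (a /24 inside a /16 counts), which is the containment check that matters for the "should not have been decrypted" drop.

```python
import ipaddress

# Constructed sample data (not from any real configuration):
# our side's Encryption Domain, and the networks the partner's traffic targets.
LOCAL_ENCRYPTION_DOMAIN = ["10.10.0.0/16", "192.168.50.0/24"]
PARTNER_DESTINATIONS = ["10.10.5.0/24", "192.168.50.0/24", "172.16.8.0/24"]


def _parse(networks):
    """Parse CIDR strings into ip_network objects (host bits tolerated)."""
    return [ipaddress.ip_network(n, strict=False) for n in networks]


def is_in_encryption_domain(local_domain, address):
    """Return True if a single destination address falls inside the local ED.

    A packet arriving through the tunnel for an address outside the ED is what
    produces the 'According to the policy the packet should not have been
    decrypted' drop, so this mirrors the gateway's policy decision.
    """
    addr = ipaddress.ip_address(address)
    return any(
        net.version == addr.version and addr in net for net in _parse(local_domain)
    )


def find_uncovered_networks(local_domain, destinations):
    """Return the destination networks not covered by any local ED network.

    A destination counts as covered if it is equal to, or a subnet of, some
    network in the local Encryption Domain. Anything returned here needs to be
    added to the ED (or the partner's expectations corrected) before the
    tunnel will pass that traffic.
    """
    local = _parse(local_domain)
    uncovered = []
    for dst in _parse(destinations):
        covered = any(
            dst.version == net.version and dst.subnet_of(net) for net in local
        )
        if not covered:
            uncovered.append(str(dst))
    return sorted(uncovered)


if __name__ == "__main__":
    missing = find_uncovered_networks(LOCAL_ENCRYPTION_DOMAIN, PARTNER_DESTINATIONS)
    if missing:
        print("Networks missing from the local Encryption Domain:")
        for net in missing:
            print("  ", net)
    else:
        print("All partner destinations are covered by the local Encryption Domain.")
```

Run it with both sides' lists swapped in for the sample values; anything it reports is a candidate for the same drop seen in the tracker logs, and checking both directions (the partner's sources against your ED, and your sources against theirs) covers the mirror-image case.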