https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site2Site-VPN-AWS-Setup/m-p/70261#M11839 <P>Have a look here:</P> <P><A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk64060&amp;partition=Advanced&amp;product=IPSec" data-hasqtip="28" aria-describedby="qtip-28" target="_blank">sk64060: 'Encryption Failure: <STRONG>according</STRONG> to the <STRONG>policy</STRONG> the <STRONG>packet</STRONG> <STRONG>should</STRONG> not <STRONG>have</STRONG> <STRONG>been</STRONG> decrypted' log in SmartView Tracker for VPN Tunnel Test <STRONG>packet</STRONG></A></P> <P><A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk97612&amp;partition=Advanced&amp;product=IPSec" data-hasqtip="29" aria-describedby="qtip-29" target="_blank">sk97612: Site to Site VPN going down frequently with error "encryption failure: <STRONG>According</STRONG> to the <STRONG>policy</STRONG> the <STRONG>packet</STRONG><STRONG>should</STRONG> not <STRONG>have</STRONG> <STRONG>be</STRONG></A></P> <P><A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk106627&amp;partition=Advanced&amp;product=IPSec" target="_blank">sk106627: "<STRONG>According</STRONG> to the <STRONG>policy</STRONG> the <STRONG>packet</STRONG> <STRONG>should</STRONG> not <STRONG>have</STRONG> <STRONG>been</STRONG> <STRONG>decrypted</STRONG>" drop while using Route Based VPN</A></P> <P><A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk106837&amp;partition=General&amp;product=IPSec" target="_blank">sk106837: Troubleshooting Overlapping Encryption Domains Issues</A></P> Thu, 12 Dec 2019 11:19:24 GMT G_W_Albrecht 2019-12-12T11:19:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site2Site-VPN-AWS-Setup/m-p/70259#M11838 <P>Hi All</P><P>&nbsp;</P><P>We have just configured our first vpn with vti's to aws as described in sk100726.</P><P>The tunnels are up and running. Traffic from aws to our location goes through the tunnels.</P><P>So far so good. But our gw drops the packets with</P><P>"dropped by vpn_drop_and_log Reason: According to the policy the packet should not have been decrypted"</P><P>Any ideas or hints are highly appreciated!</P><P>&nbsp;</P><P>Thanx in advance</P><P>Marc</P><P>&nbsp;</P> Thu, 12 Dec 2019 10:56:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site2Site-VPN-AWS-Setup/m-p/70259#M11838 Technical_Servi 2019-12-12T10:56:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site2Site-VPN-AWS-Setup/m-p/70261#M11839 <P>Have a look here:</P> <P><A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk64060&amp;partition=Advanced&amp;product=IPSec" data-hasqtip="28" aria-describedby="qtip-28" target="_blank">sk64060: 'Encryption Failure: <STRONG>according</STRONG> to the <STRONG>policy</STRONG> the <STRONG>packet</STRONG> <STRONG>should</STRONG> not <STRONG>have</STRONG> <STRONG>been</STRONG> decrypted' log in SmartView Tracker for VPN Tunnel Test <STRONG>packet</STRONG></A></P> <P><A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk97612&amp;partition=Advanced&amp;product=IPSec" data-hasqtip="29" aria-describedby="qtip-29" target="_blank">sk97612: Site to Site VPN going down frequently with error "encryption failure: <STRONG>According</STRONG> to the <STRONG>policy</STRONG> the <STRONG>packet</STRONG><STRONG>should</STRONG> not <STRONG>have</STRONG> <STRONG>be</STRONG></A></P> <P><A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk106627&amp;partition=Advanced&amp;product=IPSec" target="_blank">sk106627: "<STRONG>According</STRONG> to the <STRONG>policy</STRONG> the <STRONG>packet</STRONG> <STRONG>should</STRONG> not <STRONG>have</STRONG> <STRONG>been</STRONG> <STRONG>decrypted</STRONG>" drop while using Route Based VPN</A></P> <P><A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk106837&amp;partition=General&amp;product=IPSec" target="_blank">sk106837: Troubleshooting Overlapping Encryption Domains Issues</A></P> Thu, 12 Dec 2019 11:19:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site2Site-VPN-AWS-Setup/m-p/70261#M11839 G_W_Albrecht 2019-12-12T11:19:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site2Site-VPN-AWS-Setup/m-p/72053#M11840 <P>OK, we are one step further!</P><P>We fixed one problem<BR /><EM>"dropped by vpn_drop_and_log Reason: According to the policy the packet should not have been decrypted"</EM><BR />The peer name in the GAIA vpn tunnel interface and the object name in SmartConsole must exactly match!</P><P>But as I said above, we are just one stop further. We got another problem.<BR />Tunnels are still up and running.<BR />A packet from AWS to our site reaches its final destination. But the answer is dropped on the CP with<BR /><EM>"dropped by vpn_encrypt_chain Reason: Could not change connection vpn interface"</EM></P> Fri, 10 Jan 2020 13:18:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site2Site-VPN-AWS-Setup/m-p/72053#M11840 Technical_Servi 2020-01-10T13:18:48Z