https://community.checkpoint.com/t5/SASE-and-Remote-Access/site-to-site-vpn/m-p/179425#M5102 <P>Hello,</P><P>&nbsp;</P><P><SPAN>We're trying to implement a site-to-site VPN, and i get the error&nbsp; "</SPAN><SPAN>Encryption Failure: according to the policy the packet should not have been decrypted</SPAN><SPAN>".</SPAN></P><P>We tried the url:</P><P>URL 1 : <A href="https://support.checkpoint.com/results/sk/sk64060" target="_blank">https://support.checkpoint.com/results/sk/sk64060</A></P><P>URL 2 : <A href="https://support.checkpoint.com/results/sk/sk97612" target="_blank">https://support.checkpoint.com/results/sk/sk97612</A></P><P>We tried the solution of url 1 and 2 it doesn't work despite having vpn enabled on both sides.</P><P>We have tried using and inbound NAT, but error message persists.</P><P>Client A has shophs gateway and client B has checkpoint r80.40 gateway.</P><P>Have you encountered this problem before? And how did you solve this?</P><P>&nbsp;</P><P>Thx</P> Fri, 28 Apr 2023 14:11:10 GMT Oussa 2023-04-28T14:11:10Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/site-to-site-vpn/m-p/179425#M5102 <P>Hello,</P><P>&nbsp;</P><P><SPAN>We're trying to implement a site-to-site VPN, and i get the error&nbsp; "</SPAN><SPAN>Encryption Failure: according to the policy the packet should not have been decrypted</SPAN><SPAN>".</SPAN></P><P>We tried the url:</P><P>URL 1 : <A href="https://support.checkpoint.com/results/sk/sk64060" target="_blank">https://support.checkpoint.com/results/sk/sk64060</A></P><P>URL 2 : <A href="https://support.checkpoint.com/results/sk/sk97612" target="_blank">https://support.checkpoint.com/results/sk/sk97612</A></P><P>We tried the solution of url 1 and 2 it doesn't work despite having vpn enabled on both sides.</P><P>We have tried using and inbound NAT, but error message persists.</P><P>Client A has shophs gateway and client B has checkpoint r80.40 gateway.</P><P>Have you encountered this problem before? And how did you solve this?</P><P>&nbsp;</P><P>Thx</P> Fri, 28 Apr 2023 14:11:10 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/site-to-site-vpn/m-p/179425#M5102 Oussa 2023-04-28T14:11:10Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/site-to-site-vpn/m-p/179429#M5103 <P>Check out below:</P> <P><A href="https://support.checkpoint.com/results/sk/sk108600" target="_blank">https://support.checkpoint.com/results/sk/sk108600</A></P> <P>Now, here is what I can tell you. Error you get, 99% of the time is related to phase 2, so something with enc. domains. Firewall is simply "telliong" you that packet SHOULD have been encrypted.&nbsp;</P> <P>I gave below to few people here in the community and it always helped. If you check these valus in guidbedit, should be set to false. It simplty implies that CP would stop presenting largest possible subnet, even though its not supposed to. Not saying it would solve your issue, but it always helps.</P> <P style="margin: 0in; font-family: Calibri; font-size: 16.0pt;">ike_enable_supernet</P> <P style="margin: 0in; font-family: Calibri; font-size: 16.0pt;">ike_p2_enable_supernet_from_R80.20</P> <P style="margin: 0in; font-family: Calibri; font-size: 16.0pt;">ike_use_largest_possible_subnets</P> <P style="margin: 0in; font-family: Calibri; font-size: 16.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 16.0pt;">By the way, if you get confused, we can always do remote session.</P> <P style="margin: 0in; font-family: Calibri; font-size: 16.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 16.0pt;">Cheers,</P> <P style="margin: 0in; font-family: Calibri; font-size: 16.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 16.0pt;">Andy</P> Fri, 28 Apr 2023 14:34:16 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/site-to-site-vpn/m-p/179429#M5103 the_rock 2023-04-28T14:34:16Z