Encryption Failure: according to the policy the packet should not have been decrypted


Hello guys 🙂

We are trying to implement a site-to-site VPN, and we are getting the "Encryption Failure: according to the policy the packet should not have been decrypted" error message.

I would like to know if you have some recommendations about it, and whether it would be good to open an SR to check this.

The details are:

Error message:

checkmates_004.png

Domains:

Local domain

172.18.8.0/24

checkmates_001.png

checkmates_005.png

Remote Domain

172.20.1.0/24

checkmates_002.png

Local and remote domains on the other company side:

checkmates_003.png

Recent troubleshooting details:

1.- We checked that the remote network is configured in the anti-spoofing interface exceptions.

2.- As shown in the images above, the domain configuration matches on both sides.

3.- Configured the remote network routes on Gaia:

checkmates_006.png

3.1.- In fact, despite the static route, a "show route destination" against the remote network shows the default route (Internet) as next hop:

checkmates_007.png

4.- We have tried using an inbound NAT, but the error message persists either with or without NAT.

5.- Some people at work said that the remote device (a Linksys small business VPN router) might be incompatible with our R80.20 Security Gateway.

6.- I have followed the sk64060 recommendations, but although I have changed the remote and local subnets many times, verified the encryption domain configurations, and also reset the tunnel via SmartView Monitor and the vpn tu utility, we are still getting the same error message.

Thank you in advance!

Heine

1 Solution

Accepted Solutions
Try to get rid of all routes and NAT. Please post the output of the one-liner from here https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/One-liner-to-show-VPN-topology-on...

From your screenshots it seems to me that you used the same network group "Domino_VPN..." in your local AND the remote gateway.


2 Replies

Hello Benedikt, first of all, thank you!

In fact, our customer in its local domain had the whole class B network from 172.16.0.0 to 172.31.255.255.

I realized that after running the script that you gave me in your reply.

So, thank you again and sorry for not noticing the main cause of my issue.

Greetings!
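The root cause in this thread is an encryption-domain overlap: the peer's local domain (172.16.0.0 to 172.31.255.255) contains our own local domain 172.18.8.0/24, so the gateway's policy says traffic for that subnet must stay in the clear and it rejects the decrypted packet. The following check is an added example, not code from the thread or from Check Point; the addresses come from the posts, and the function names are this example's own.

```python
"""Check whether a peer's VPN encryption domain overlaps our local domain.

Added example, not part of the thread. Addresses are taken from the posts:
our local domain 172.18.8.0/24, the remote domain we expected
(172.20.1.0/24) and the peer's actual local domain, which spanned
172.16.0.0 to 172.31.255.255. Function names are this example's own.
"""
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network


def range_to_networks(first: str, last: str) -> List[Net]:
    """Express a first..last address range as the minimal list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def find_overlaps(local: Iterable[str], peer: Iterable[Net]) -> List[Tuple[Net, Net]]:
    """Return every (local, peer) pair whose address space overlaps.

    If any part of our local domain also lies inside the peer's domain, the
    gateway cannot tell from the destination alone whether a packet is
    clear-text traffic for our own side or VPN traffic for the peer. That
    contradiction is what surfaces as "according to the policy the packet
    should not have been decrypted".
    """
    local_nets = [ipaddress.IPv4Network(n) for n in local]
    return [(l, p) for l in local_nets for p in peer if l.overlaps(p)]


# Constructed from the thread: our side, the peer as we had configured it,
# and the peer's domain as it really was.
OUR_LOCAL_DOMAIN = ["172.18.8.0/24"]
PEER_AS_CONFIGURED = [ipaddress.IPv4Network("172.20.1.0/24")]
PEER_ACTUAL = range_to_networks("172.16.0.0", "172.31.255.255")

if __name__ == "__main__":
    # No overlap with the domain we expected the peer to have.
    print("expected peer domain:", find_overlaps(OUR_LOCAL_DOMAIN, PEER_AS_CONFIGURED))
    # The real peer domain (172.16.0.0/12) swallows our local /24.
    print("actual peer domain:  ", find_overlaps(OUR_LOCAL_DOMAIN, PEER_ACTUAL))
```

Running the same check against the objects that `vpn_topology`-style one-liners print for both gateways is a quick way to spot a shared network group like "Domino_VPN..." being used on both sides before opening an SR.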