There are two ways to identify interesting traffic for VPN tunnel encryption on a Check Point: domain-based VPN and route-based VPN. Other than how the subnets/Proxy-IDs are negotiated (usually specific subnets for domain-based VPNs and a "universal tunnel" which is double 0.0.0.0/0's for route-based VPN), the underlying VPN tunnel created is exactly the same no matter which technique you use. It goes something like this:
1) Traffic must be accepted by the Firewall/Network policy layer first
2) If the source IP address is in the firewall's VPN domain AND (not or) the destination IP address is in the VPN domain of a peer, the traffic is interesting and will be encrypted; we do not proceed to step 3. If the traffic is not determined to be interesting by the domains, proceed to step 3.
3) If next hop of an IP route leads to a VTI (VPN Tunnel Interface) associated with a VPN tunnel, the routed traffic is interesting and will be encrypted. If the next hop leads to a regular interface (i.e. eth0) the traffic is not interesting and is sent in the clear.
Usually when employing route-based VPNs, the VPN domains are deliberately left empty but this is not strictly required as long as you understand that if the domains match interesting traffic it will be encrypted no matter what route-based VPN says.
Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com