Thank you very much for this.

My question is related to domain-based VPN (I have called it "Policy Based" due to Azure/AWS terminoly), so if I have understood correctly, there is no any previous routing check step before encrypting traffic if it matchs with encription domains (both, source and destination address) different to what happens in Cisco, right?

For example, lets thing about a Security Gateway with three interfaces: LAN1 (192.168.1.0/24), LAN2 (192.168.2.0/24), and WAN (81.46.1.0/29) interfaces. My local encryption domain has the network 192.168.1.0/24 and I stablish a tunnel with a remote peer which has the subnet 192.168.2.0/24 included in its Encryption Domain. What happens when the IP 192.168.1.10 tries to reach 192.168.2.10?

Thinking about Cisco, this traffic would be locally routed between LAN1 and LAN2 interfaces, but according to what I have understood, in Checkpoint this traffic would be encrypted and sent through the tunnel, right? Thanks!

Domain-based VPNs on Check Point aren't really policy-based these days, there is an older mode for VPNs called "Traditional mode" where Encrypt actions were specified in the rulebase directly similar to policy-based.  Simplified VPN mode is the default today on Check Point and separates the specification and formation of VPN tunnels into VPN Community objects, while the access control for traffic traversing the tunnel is controlled in the security policy. 

But VPN Domains specify what will be encrypted, and if the domains match the traffic will be encrypted, period.  In your example you have an overlapping subnet (192.168.2.0/24) between your gateway and a peer.  Of course this will not work without NAT of the VPN traffic on both sides. 

In your example assuming that your firewall's encryption domain consisted only of 192.168.1.0/24 (if 192.168.2.0/24 exists in your firewall's domain as well the VPN will never even attempt to start), and traffic from 192.168.1.0/24 bound for 192.168.2.0/24 matched a peer's VPN domain, I suspect the IKE negotiations between your gateway and the peer would probably succeed, but because routing (inspection points Io) occurs before encryption (inspection points oO) the traffic would be encrypted then improperly dumped out the local directly-attached 192.168.2.0/24 interface trying to reach your VPN peer's routable IP address (or it may never actually be transmitted at all due to a reachability issue for the VPN peer IP).  So the tunnel will probably start fine and all IKE negotiations will succeed, but actual connectivity through the tunnel will not work due to the routing/overlap issue.  NAT on both sides ("double NAT") would need to be employed to get around this overlap situation.

The example above was just this, an example, and I really do not want to make work this scenario :-). I had these questions mostly because I want to stablish a new tunnel between two Security Gateways managed from the same SMS, and these Security Gateways already have Encryption Domains configured. The problem is that I just want to allow a specific traffic through this new tunnel but I cannot do it because I am using R80.20 and can just create one Encryption Domain per gateway. I just wanted to know if traffic going through different interfaces will be also affected if the subnets are included in the current Encryption Domain configuration.

Thank you very much for the help and detailed answers.

Yep your example was an interesting thought experiment for me.  R80.40 with its per-community VPN domains would definitely be helpful in your case.

I contacted the TAC regarding policy based VPN and they have replied that checkpoint firewalls do no support policy based VPN. Is that true? Because the central  bank in my country is trying to connect to one of the banks in India and they support only policy based VPN.

@Nima_Chogyal please provide me with the case number via personal message, so I could investigate. It might be, the TAC response was for a specific configuration you wanted to use with a route-based VPN. In general, it is supported, with some limitations.

I believe you misunderstood what they told you.  Policy based VPN is the old school "traditional mode" where encrypt and decrypt actions were specified directly in the rulebase action field.  This is not the same thing as domain-based which is employed with the newer simplified VPN mode which became default in R52 (may not have that version exactly right) via the introduction of VPN Communities.  

If I remember correctly existing policy packages that are set for traditional mode will still work in the latest releases if they are brought forward as part of an upgrade, but you are not allowed to create new policy packages in traditional mode nor change existing ones from simplified to traditional mode.  I believe this is what TAC meant by "not supported".  Just use domain-based VPN in this scenario which should be compatible.