I have some VPN running on an all-R80.10 environment: SMS & appliances, with some interoperable objects which are Checkpoint with embedded GAIA. Really, the classical stuff: VPN communities, encryption domains, excluded services, PSK, all runs well.

If I migrate the management station from R80.10 to R80.30 without changing anything on the hub gateways, all VPN go down with the error message "According to the policy this packet shouldn't have been decrypted" for production traffic. VPN TU, installing policy, disabling acceleration, nothing solves the issue.

When I shut down the R80.30 SMS and restart the R80.10 SMS and apply policy, all VPN go up again.

As it was production, I didn't have much time to go deep. Any known procedure here? I never had the mix of R80.30 & R80.10 running VPN, but well R80.30 MGT with R77.30 or R80.20 and I didn't have those kind of VPN issues.