I have come upon this issue where a customer is trying to access a Network scope behind a tunnel that is terminating on a 3rd party device.
So the topology is the following
Client VPN client with remote office IP 10.1.1.2 want´s to reach Server Behind Tunnel Terminating on 3rd party firewall with IP 192.168.2.2
Checkpoint has route for 192.168.2.0/24 -> 3rd party device
3rd Party device has route to 10.1.1.0/24 -> checkpoint
Network 192.168.2.0/24 is part of Enc Domain of Checkpoint for Remote VPN
Problem is when the client tries to reach network packet is forwarded to server, return packet however is blocked by checkpoint with following error:
Dropped by vpn_verify, reason : Clear packet on encrypted connection;
I don´t understand the drop because the packet should be Clear text and only be encrypted by the checkpoint and decrypted by the client, I don´t see the difference between this and any other network access, I wondering if It has to do with the Topology since this network is not directly connected, however there is a route so it should be "known" in terms of topology.
After this I tried adding the Remote Office Pool to the Enc. Domain of the Gateway, however this simply changed the error output to:
No Decryption Message
I think the second error is because now the Gateway thinks it needs to Decrypt and it´s clear text or something..