Checkpoint VPN Error: According to the policy the packet should not have been decrypted

I encountered an issue recently while trying to allow access to a new subnet over an existing VPN. The far end device was a Cisco router, and it had an access list matching an entire class A subnet applied to the crypto map. The traffic destined for the new subnet was arriving at our firewall, and showing in the logs as dropped, with the error:

According to the policy the packet should not have been decrypted

I found a few things on the internet, but the solution wasn’t immediately clear. Firstly, here are the rules (as I understand them) of a Checkpoint VPN:

When the firewall receives a packet, before it even looks at the rule base, it looks at whether any VPN encryption / decryption is required.

If the packet is not already encrypted:

  • If the source address is not in a peer’s encryption domain and the destination address is not in the local encryption domain, or the source address is not in the local encryption domain and the destination address is not in a peer’s encryption domain, then pass the packet without encryption.
  • If the source address is in a peer’s encryption domain, and the destination is in the local encryption domain, then the packet should have been encrypted. Drop with the message “Received a cleartext packet within an encrypted connection”.
  • If the source address is in the local encryption domain, and the destination is in a peer’s encryption domain, then flag the packet to be encrypted and sent to that peer.

If the packet is encrypted:

  • If the source address is in a peer’s encryption domain, and the destination is in the local encryption domain, then decrypt the packet.
  • If the source address is not in a peer’s encryption domain, OR the destination address is not in the local encryption domain, drop the packet with the message “According to the policy the packet should not have been decrypted”.

So with those rules in mind, the error means that the encryption domains, as the Checkpoint firewall understands them, are incorrect: either the source address is not in a peer’s encryption domain, or the destination address is not in the local encryption domain.
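The decision procedure above, modelled in Python as an added example (this is not Check Point code, and the product does not expose its logic this way). The local and peer encryption domains, the peer name and the addresses are all constructed to mirror the scenario in the post: the Cisco peer’s manually defined VPN domain is assumed to be missing the new subnet until it is added.

```python
"""Toy model of the Check Point VPN check that runs before the rule base.

Added example, not Check Point code.  All domains, names and addresses below
are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    """A VPN peer and its encryption domain as the Check Point sees it."""
    name: str
    domain: list  # CIDR strings: the peer's 'Manually defined' VPN domain group


def _in_domain(addr, networks):
    """True if addr falls inside any of the CIDR networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in networks)


def _peer_for(addr, peers):
    """Return the first peer whose encryption domain contains addr, else None."""
    for peer in peers:
        if _in_domain(addr, peer.domain):
            return peer
    return None


def vpn_decision(src, dst, encrypted, local_domain, peers):
    """Apply the rules from the post and return (action, detail).

    action is 'pass', 'encrypt', 'decrypt' or 'drop'; detail is the peer name
    for encrypt/decrypt, the log message for drop, and None for pass.
    """
    src_local = _in_domain(src, local_domain)
    dst_local = _in_domain(dst, local_domain)
    src_peer = _peer_for(src, peers)
    dst_peer = _peer_for(dst, peers)

    if encrypted:
        # Only traffic from a peer domain to the local domain may be decrypted.
        if src_peer and dst_local:
            return "decrypt", src_peer.name
        return "drop", "According to the policy the packet should not have been decrypted"

    # Cleartext arriving for a pair that should have been inside the tunnel.
    if src_peer and dst_local:
        return "drop", "Received a cleartext packet within an encrypted connection"
    # Local to peer: send it through the tunnel to that peer.
    if src_local and dst_peer:
        return "encrypt", dst_peer.name
    # Neither side is a VPN pair: forward without encryption.
    return "pass", None


def scenario():
    """Reproduce the post's error and its fix on constructed data."""
    local_domain = ["192.168.10.0/24"]              # constructed local domain
    cisco = Peer("cisco-rtr", ["10.1.0.0/16"])       # constructed peer domain
    # Encrypted packet from the new remote subnet (10.2.0.0/24) to a local host.
    before = vpn_decision("10.2.0.10", "192.168.10.5", True, local_domain, [cisco])
    # Fix: add the new subnet to the peer's manually defined VPN domain group.
    cisco.domain.append("10.2.0.0/24")
    after = vpn_decision("10.2.0.10", "192.168.10.5", True, local_domain, [cisco])
    return before, after


if __name__ == "__main__":
    before, after = scenario()
    print("before fix:", before)
    print("after fix: ", after)
```

Running the script shows the first packet dropped with the post’s log message and the same packet decrypted once the subnet is in the peer’s domain; calling `vpn_decision` with a destination outside the local domain produces the same drop, which is why the post has you check both the remote and the local domain.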

This can be changed in Smart Dashboard – and here is what to check:

To check the remote encryption domain:

Select the relevant VPN tab, and choose Satellite Gateways. Click Edit.

Select Topology, and find the group for the Manually defined VPN domain. Make sure that this group contains all of the remote subnets, including the source address of the traffic causing the error.

To check the local encryption domain:

Open up the relevant firewall (cluster) under Network Objects / Check Point.

Select Topology. Under the Manually Defined VPN domain, make sure that this group object contains the local subnets – including the destination address of the traffic causing the error.


I hope someone finds this helpful, let me know if it’s of use!


2 Comments

  1. Thanks, this helped me.
    The error was this, as you mentioned: “Select Topology. Under the Manually Defined VPN domain, make sure that this group object contains the local subnets – including the destination address of the traffic causing the error.”

    It said Manually defined and then the wrong group that didn’t have all the subnets included. We updated the group and now it’s working.
