The checkpoint sk article isn't that helpful... what it should say is... If you have your encryption domain set as "defined by topology", then check your topology!
CheckPoint: "Encryption Failure: according to the policy the packet should not have been decrypted."