
[FW1] User@any with client encrypt VS workstation with accept




Ok... I must be missing something really really stupid... been poring over the Checkpoint PDFs and phoneboy... no luck...

NT 4 - FW-1 v 4.1 SP2   SecureRemote - same version from the same CD

Using SecureRemote with IKE Preshared Secrets - Setup goes fine - Site Creation is fine...

Two scenarios.. first one works, the second one doesn't
Can someone explain what else I need to make the 2nd work, or give me some ideas to try? (I'm all out at this point)
(I also have, above the rules below, an Any to Firewall IKE and RDP accept rule)

Thanks in advance for the help !

Jason


FIRST: (working)
I have the following (applicable) rules:
Any             WebServer       HTTP    Accept
pc1             enc_domain      Any     Accept
enc_domain      Any             Any     Accept

I start SecureRemote on the client and everything works great... HTTP is handled by the first rule, things like FTP and PCanywhere by the 2nd.

Logs: I see the Phase 1 key install and then Phase 2 in both directions... then a bunch of decryption when things are working...

(It's annoying that pings don't make it intact... but I remember reading something about that... I'll try to dig it up again)




SECOND: (broken)
I change the 2nd rule to:

User@any        enc_domain      Any     Client Encrypt

I start SecureRemote on the client and HTTP still works fine... but FTP and PCAnywhere and anything else through the changed rule no longer function.

Logs: I see the Phase 1 key install... and a Phase 2 from PC1 to the Firewall... but NEVER see Phase 2 back the other way (from the Firewall to PC1, the client).



 
----------------------------------

   All contents © 2004 Network Presence, LLC. All rights reserved.