I'm having huge problems connecting a remote office to our main office via Securemote and FW-1. Remote office uses a D-link 804 router/firewall with NAT (Using 192.168 etc. inside).
The problem is that if one user connects and authenticates via Securemote (IKE), it will work perfectly. But when the second user tries to connect, he will authenticate, but key exchange never happens. Could it be limitations on the D-Link that cause the problems, or is it the NAT'ing in general that fubars it all? Anyone had these problems and solved them?
What you want is to set up and force "UDP encapsulation" on the firewall. It is much easier to set this up with Checkpoint NG (i.e. point-and-click, with support for NAT-traversal UDP encapsulation). However, in Checkpoint 4.1 SP5a, you have to manually edit the objects.C file:
1) logoff the policy,
2) On the manager, cd $FWDIR/conf
3) vi into the objects.C file
4) search for "qm",
5) change the qm_idle from "false" to "true", like: "udp_encapsulation_by_qm_id (true)"
6) You may want to change the "force gateway udp encapsulation" from false to true as well
7) log back into the policy,
8) push the policy,
9) Now everything should work.
Last but not least, I would say upgrade your firewall from 4.1 SP5a to NG-AI R55 with HFA002. That way, if you need to edit something, you can use "dbedit" instead of manually editing the objects.C file.
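Since the 4.1 procedure above is a hand edit of a live policy file, here is an added shell example (not from the original post or from Check Point) that makes the flip from step 5 repeatable: it refuses to touch the file unless the attribute occurs exactly once, keeps a backup, rewrites only that line, and verifies the result. It assumes the `:key (value)` line syntax of objects.C; the sample file is constructed, and the second key name is assumed from the wording of step 6.

```shell
#!/bin/sh
# Added example: toggle a boolean attribute in a Check Point 4.1 objects.C.
# Run with the policy logged off, as in steps 1-2, then push the policy.

make_sample_objects_c() {
    # Constructed fragment imitating the relevant block of objects.C.
    # The second key is assumed from step 6's wording; check your own file.
    cat > "$1" <<'EOF'
    :properties (
        :udp_encapsulation_by_qm_id (false)
        :force_gateway_udp_encapsulation (false)
    )
EOF
}

get_objects_c_flag() {
    # Usage: get_objects_c_flag FILE KEY  -> prints the value in parentheses
    sed -n "s/^[[:space:]]*:$2 (\(.*\))/\1/p" "$1"
}

set_objects_c_flag() {
    # Usage: set_objects_c_flag FILE KEY VALUE
    # 1. Require exactly one ":KEY (" line so we never edit the wrong object.
    # 2. Keep FILE.bak so the change can be reverted.
    # 3. Rewrite only the matching line, then verify the new value is present.
    file=$1; key=$2; value=$3
    count=$(grep -c "^[[:space:]]*:$key (" "$file")
    if [ "$count" -ne 1 ]; then
        echo "refusing to edit: expected one :$key entry, found $count" >&2
        return 1
    fi
    cp -p "$file" "$file.bak" || return 1
    sed "s/^\([[:space:]]*:$key \)(.*)/\1($value)/" "$file.bak" > "$file" || return 1
    [ "$(get_objects_c_flag "$file" "$key")" = "$value" ]
}
```

Because the script only matches the exact attribute name, a key that appears under several objects (count other than 1) is left for a manual edit or for dbedit on NG.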