Sounds like your ike/udp is fragmenting somewhere between the client
and your firewall. This almost always occurs with x.509 certificate
authentication, as the cert is too big for a standard Ethernet frame
and is dropped by many cable/dsl routers. Try using ike/tcp. On your
gateway(s), enable support for IKE over TCP in global properties, and
enable the following in SecureClient for your site's profile:

+ Connectivity enhancements
+ Use NAT traversal tunneling
- IKE over TCP
- Force UDP encapsulation

David
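To make the fragmentation diagnosis above concrete, here is an added example (not code from David or from Check Point) that estimates how an IKE/UDP message splits into IPv4 fragments at a 1500-byte MTU and flags fragmented IKE datagrams in a client-side capture; the packet records are constructed for illustration.

```python
# Added example, not code from the thread: estimate IPv4 fragmentation of an
# IKE/UDP message and flag fragmented IKE datagrams in a client-side capture.
from dataclasses import dataclass
from typing import Optional

IP_HDR = 20        # IPv4 header without options
UDP_HDR = 8
IKE_PORT = 500
ETHERNET_MTU = 1500

def ip_fragments(ike_msg_len: int, mtu: int = ETHERNET_MTU) -> list:
    """On-wire IPv4 sizes of the fragments carrying one UDP datagram whose
    payload (the ISAKMP message) is ike_msg_len bytes.  All fragments but
    the last carry a multiple of 8 bytes of payload after the IP header."""
    remaining = UDP_HDR + ike_msg_len          # bytes to split across fragments
    per_frag = (mtu - IP_HDR) // 8 * 8         # largest 8-byte-aligned chunk
    sizes = []
    while remaining > 0:
        chunk = min(per_frag, remaining)
        sizes.append(IP_HDR + chunk)
        remaining -= chunk
    return sizes

def needs_fragmentation(ike_msg_len: int, mtu: int = ETHERNET_MTU) -> bool:
    return len(ip_fragments(ike_msg_len, mtu)) > 1

@dataclass
class Pkt:
    """One IPv4 packet from a capture (constructed records, not a real dump)."""
    proto: str
    dport: Optional[int]   # None on non-first fragments: they carry no UDP header
    length: int            # total IP length on the wire
    more_frags: bool       # IP 'more fragments' flag
    frag_offset: int       # in 8-byte units, 0 for the first fragment

def fragmented_ike(pkts: list) -> list:
    """IKE/UDP packets that are part of a fragmented datagram: the first
    fragment is recognised by port 500 + MF, later ones by a non-zero offset."""
    return [p for p in pkts if p.proto == "udp" and
            ((p.dport == IKE_PORT and p.more_frags) or p.frag_offset > 0)]

# Constructed capture: an unfragmented Main Mode message, then a ~2 kB
# certificate-carrying message split in two, which a SOHO router that drops
# fragments would silently discard (the gateway then sees nothing).
CAPTURE = [
    Pkt("udp", IKE_PORT, 328, False, 0),
    Pkt("udp", IKE_PORT, 1500, True, 0),
    Pkt("udp", None, 548, False, 185),
]

if __name__ == "__main__":
    print(ip_fragments(2000))           # [1500, 548]
    for p in fragmented_ike(CAPTURE):
        print("fragmented IKE packet:", p)
```

If the client dump shows such fragments leaving while the gateway dump shows nothing, the fragment-dropping hop is in between, which is the case for IKE over TCP.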


-----Original Message-----
From: QTR [mailto:tmwhitm@gmail.com]
Sent: Wednesday, 13 July 2005 12:09 AM
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] Checkpoint VPN


Hello, I was wondering if someone could point me in the right
direction. I have come off a long run of managing Cyberguard
firewalls and am now in the Checkpoint realm, so forgive my ignorance.
I am having an issue with SecureClient. I have several SoHo users
whose default routers place them on a 172.16.0.0 network. These users
cannot connect to the gateway. Dumps on the Checkpoint fw gateway
show no incoming packets, and a dump on the client shows udp 500 leaving
the client, which leads me to the router/firewall @ the SoHo. Router
makes vary, anywhere from 2Wire to Netgear; the result is the same. I
initially thought it had something to do with the routing topology,
since our topology pushes a static route for a 172 network, but I had
the SoHo router changed to a 10 network that is statically routed in
the topology and that worked fine. At this point I am at a loss. Any
suggestions would be appreciated.

Thank you,
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards