RE: [suse-security] SuSEfirewall2 & Checkpoint software
Short story: Home LAN - SuSEfirewall2 system (SuSE 8.1 via DSL) - internet - Checkpoint FW - company's LAN

[snip]

I installed the software, checked the Checkpoint website for information on how to configure an iptables fw, and I think I did it: the necessary ports are udp 50, udp 51, udp 500 & udp 2746. So I added the lines:

FW_FORWARD="212.212.212.212/32,192.168.10.100/24,udp,50 212.212.212.212/32,192.168.10.100/24,udp,51 \
212.212.212.212/32,192.168.10.100/24,udp,500 212.212.212.212/32,192.168.10.100/24,udp,2746"

FW_FORWARD_MASQ="212.212.212.212/32,192.168.10.100/24,udp,50 212.212.212.212/32,192.168.10.100/24,udp,51 \
212.212.212.212/32,192.168.10.100/24,udp,500 212.212.212.212/32,192.168.10.100/24,udp,2746"

(In both cases 212.212.212.212 is just a placeholder!!! ... not the real IP address.)

But it does not work ...... no VPN connection is established between my MS client and a system on the company's LAN. When I connect to the internet directly (e.g. via an ISDN dial-up connection) it works fine.
IPSec doesn't like IP Masquerading. IKE can't cope with it and AH fails, too. A hack (IMHO) has been created to solve the problems that the NAT hack (IMHO again) creates for IPSec, called NAT Traversal, which encapsulates IPSec in UDP. You need NAT-aware implementations on both IPSec peers for it to work. I don't know if SecuRemote falls in that category.

Cheers,
Tobias
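The thread above turns on two points a firewall admin can check mechanically before touching the VPN client: ESP and AH are IP protocols 50 and 51 (IANA assignments), not UDP ports, and AH cannot survive masquerading because it authenticates the very IP header that NAT rewrites. The following is an added example, not code from the thread or from SuSEfirewall2 itself; it assumes the "src,dst,proto,port" entry format visible in the quoted FW_FORWARD lines, uses the post's placeholder addresses as constructed sample input, and the function names (parse_fw_forward, lint_ipsec_forward) are mine.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IANA assignments for the IPsec protocols (general fact, not from the post).
IP_PROTO_ESP = 50       # ESP is an IP protocol number, not a UDP port
IP_PROTO_AH = 51        # AH likewise
IKE_UDP_PORT = 500      # IKE runs over UDP/500
NAT_T_UDP_PORT = 4500   # RFC 3948 UDP encapsulation of ESP for NAT traversal

# Constructed sample input, copied from the quoted post (placeholder addresses).
FW_FORWARD_EXAMPLE = (
    "212.212.212.212/32,192.168.10.100/24,udp,50 "
    "212.212.212.212/32,192.168.10.100/24,udp,51 \\\n"
    "212.212.212.212/32,192.168.10.100/24,udp,500 "
    "212.212.212.212/32,192.168.10.100/24,udp,2746"
)


@dataclass
class ForwardRule:
    src: str
    dst: str
    proto: Optional[str]   # "tcp", "udp", a protocol name/number, or None for any
    port: Optional[int]


def parse_fw_forward(value: str) -> List[ForwardRule]:
    """Split a FW_FORWARD-style value into rules.

    Assumed entry format, as used in the post: "src,dst[,proto[,port]]",
    entries separated by whitespace; a backslash-newline continuation is
    treated as whitespace.
    """
    rules = []
    for entry in value.replace("\\\n", " ").split():
        fields = entry.split(",")
        if len(fields) < 2:
            raise ValueError("malformed entry: %r" % entry)
        proto = fields[2] if len(fields) > 2 and fields[2] else None
        port = int(fields[3]) if len(fields) > 3 and fields[3] else None
        rules.append(ForwardRule(fields[0], fields[1], proto, port))
    return rules


def _is_ah(rule: ForwardRule) -> bool:
    """True if the rule targets AH, either correctly (protocol 51 / "ah")
    or by the port-number mistake (udp/51, tcp/51)."""
    if rule.proto and rule.proto.lower() in ("ah", str(IP_PROTO_AH)):
        return True
    return rule.proto in ("tcp", "udp") and rule.port == IP_PROTO_AH


def lint_ipsec_forward(rules: List[ForwardRule], masquerading: bool) -> List[str]:
    """Return human-readable findings for IPsec-related mistakes in a rule list."""
    findings = []
    for r in rules:
        # Mistake 1: the ESP/AH protocol numbers written as TCP/UDP ports.
        if r.proto in ("tcp", "udp") and r.port in (IP_PROTO_ESP, IP_PROTO_AH):
            name = "ESP" if r.port == IP_PROTO_ESP else "AH"
            findings.append(
                "%s -> %s: %s/%d is a port rule, but %s is IP protocol %d; "
                "forward protocol %d (no port) instead"
                % (r.src, r.dst, r.proto, r.port, name, r.port, r.port))
        # Mistake 2: AH behind masquerading can never verify, because NAT
        # rewrites the IP header that AH's integrity check covers.
        if masquerading and _is_ah(r):
            findings.append(
                "%s -> %s: AH cannot pass through masquerading "
                "(NAT rewrites the authenticated IP header)" % (r.src, r.dst))
        # Mistake 3: a host address written with a network mask matches the
        # whole network, which is wider than the author probably intended.
        for addr in (r.src, r.dst):
            try:
                ipaddress.ip_network(addr, strict=True)
            except ValueError:
                net = ipaddress.ip_network(addr, strict=False)
                findings.append(
                    "%s: host bits set; this matches the whole network %s"
                    % (addr, net))
    return findings


if __name__ == "__main__":
    parsed = parse_fw_forward(FW_FORWARD_EXAMPLE)
    for finding in lint_ipsec_forward(parsed, masquerading=True):
        print(finding)
```

Run against the quoted FW_FORWARD value with masquerading enabled, the linter reports the udp/50 and udp/51 entries as protocol numbers mistaken for ports, flags the AH entry as unworkable through NAT, and notes that 192.168.10.100/24 actually matches all of 192.168.10.0/24. A standards-based NAT-T setup needs UDP/500 and UDP/4500 forwarded; whether the client in the thread supports that is the open question Tobias raises.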
participants (1): Reckhard, Tobias