How to enable IKE over TCP in FireWall-1 4.1 SP4+ and NG+
The user may find it impossible to use SecuRemote from a location where the
IP address assigned by the ISP is a Hide NAT address. This is because IKE
negotiation sends UDP packets which, under certain conditions, are split into
multiple IP fragments. The NAT devices used by ISPs cannot properly translate
IP fragments, so these packets are lost.
You can overcome this problem by configuring VPN-1/FireWall-1 to conduct
Phase 1 IKE negotiations over TCP instead of UDP, as follows:
1. In the Default Key Scheme window (on the SecuRemote client), click
   Advanced Settings.
2. Check 'Support IKE over TCP'.
3. Define a rule that allows the ike_tcp service (TCP port 500) to the
   VPN/FireWall Module.
4. If they exist, rename objects.C.bak and objects.C.sav, or delete them.
5. Back up the objects.C file before editing. Then either add the line
   ':desktop_site_default_tcp_ike (true)' to :props (which enables IKE over
   TCP on all gateways managed by the Management Server) or add the line
   ':supports_tcp_ike (true)' (for a specific gateway object).
   For example:
       :props (
       :desktop_site_default_tcp_ike (true)
       :fwldap_RequestTimeout (20)
       :fwldap_SizeLimit (10000)
       :fwldap_CacheTimeout (900)
6. Push the policy and then stop/start the module.
Note: In NG the line is already within objects_5_0.C but it is set to (false).
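As an added example (not code from the original page), a small Python helper that applies the objects.C edit described above to the file's text: it locates the :props block, reports the current value, and either inserts ':desktop_site_default_tcp_ike (true)' when the key is absent (the 4.1 case) or flips an existing (false) to (true) (the NG case). The two sample fragments are constructed, and the helper assumes parentheses inside :props are balanced.

```python
import re

KEY = "desktop_site_default_tcp_ike"

# Constructed objects.C fragments, not real files: 4.1 (key absent) and NG (key false).
SAMPLE_41 = "(\n:props (\n\t:fwldap_RequestTimeout (20)\n\t:fwldap_SizeLimit (10000)\n)\n)\n"
SAMPLE_NG = "(\n:props (\n\t:desktop_site_default_tcp_ike (false)\n\t:fwldap_CacheTimeout (900)\n)\n)\n"

def _props_span(text):
    """Offsets of the ':props (' ... ')' block; assumes balanced parentheses."""
    m = re.search(r"^\s*:props \(", text, re.MULTILINE)
    if not m:
        return None
    depth = 0
    for i in range(m.end() - 1, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return m.start(), i + 1
    return None

def tcp_ike_setting(text, key=KEY):
    """Return 'true', 'false', or None when :key is absent from :props."""
    span = _props_span(text)
    if span is None:
        return None
    m = re.search(r":%s \((\w+)\)" % re.escape(key), text[span[0]:span[1]])
    return m.group(1) if m else None

def enable_tcp_ike(text, key=KEY):
    """Return text with :key (true) inside :props, covering both cases on the
    page: key missing (4.1) or present but set to (false) (NG)."""
    span = _props_span(text)
    if span is None:
        raise ValueError("no :props block found in objects.C text")
    start, end = span
    block = text[start:end]
    pat = re.compile(r"(:%s \()\w+(\))" % re.escape(key))
    if pat.search(block):
        block = pat.sub(r"\g<1>true\2", block)   # NG: flip (false) -> (true)
    else:
        head, nl, rest = block.partition("\n")    # 4.1: add line after ':props ('
        block = head + nl + "\t:" + key + " (true)\n" + rest
    return text[:start] + block + text[end:]
```

The functions work on text only, so the backup and the handling of objects.C.bak/objects.C.sav from the steps above stay a manual task before writing the result back.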