
vpn client through pf/nat "invalid cookie"



Hello pf,
I've been having some problems with a vpn client I use for work (Nortel Contivity). The problem is: I keep getting the connection dropped due to "invalid cookie". I can sometimes connect (after about 5 tries), but I get booted out immediately.
I thought it was the VPN client, or the setup of my work's firewall, but it was suggested I connect my laptop directly to my DSL modem to test and it actually worked, I connected fine. I got stuck the other day and needed to dial in so I reinstalled OpenBSD on my firewall (I know very lame, but I had to do something to dial into work). And that worked. Sadly, tonight (after 2 days) this "invalid cookie" started happening again, and I don't want to have to do something so extreme for my work vpn.
Anyway, my question is, what kind of session cache might my pf be keeping that's causing this? And more importantly, what can I clear out from my pf box that will clear anything that might be temporarily stored and causing this kind of error?
Thanks for any help.
Dave
If it'll help, here's my pf.conf. The laptop's on the NAT'ed LAN portion, and it gets an IP from one of 2 DHCP servers. I've tried giving the laptop a static IP, but that didn't help either.
# Interfaces
EXT_IF = "fxp0"
LAN_IF = "xl0"
DMZ_IF = "fxp1"
LOO_IF = "lo0"
# Public addresses on $EXT_IF (masked in the post)
EXT_AD1 = "xx.xxx.xxx.1"
EXT_AD2 = "xx.xxx.xxx.2"
EXT_AD3 = "xx.xxx.xxx.3"
# Inside networks and DMZ servers
LAN   = "192.168.0.0/24"
DMZ   = "192.168.1.0/24"
DNS1  = "192.168.1.2"
WWW1  = "192.168.1.3"
# Protocol lists (only DNS_PR is referenced below)
DNS_PR    = "{tcp, udp}"
WWW_PR    = "{tcp}"
SMTP_PR   = "{tcp}"
FTP_PR    = "{tcp}"
NNTP_PR   = "{tcp}"

set block-policy return
set loginterface $EXT_IF
scrub log all

# Hide LAN and DMZ behind the external interface. Note that pf also
# rewrites the source port of translated TCP/UDP packets, so a VPN
# client's IKE traffic (udp/500) leaves the box from a random high port;
# pf's "static-port" option on the LAN rule keeps the original port if
# the VPN server insists on seeing IKE come from port 500.
nat on $EXT_IF from $LAN to any -> $EXT_IF
nat on $EXT_IF from $DMZ to any -> $EXT_IF
# "rdr pass" creates state itself, so no matching filter rule is needed
rdr pass on $EXT_IF proto $DNS_PR from any to $EXT_AD1 port 53 -> $DNS1 port 53
# rdr pass on $EXT_IF proto tcp from any to $EXT_AD2 port 80 -> $WWW1 port 80

# Default deny in both directions on the external interface
block in log on $EXT_IF all
block out log on $EXT_IF all
antispoof for $EXT_IF inet
pass in quick on $LOO_IF  all
pass in on $EXT_IF proto icmp all
pass out on $EXT_IF proto icmp all
pass in on $EXT_IF inet proto tcp from any to $EXT_IF port ssh keep state
# Never matches: redirected packets already have $DNS1 as destination
# when filtering runs, and "rdr pass" skips the filter anyway. Harmless.
pass in on $EXT_IF inet proto $DNS_PR from any to $EXT_AD1 port 53 keep state
# pass in on $EXT_IF inet proto tcp from any to $EXT_AD2 port www keep state
# Only tcp, udp and icmp are allowed out. Anything else from the LAN
# (e.g. raw ESP, proto 50, if the VPN client is not UDP-encapsulating)
# is dropped by the "block out" rule above.
pass out on $EXT_IF inet proto { tcp, udp } all keep state
# Already covered by the rule above
pass out on $EXT_IF inet proto tcp keep state
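The "session cache" pf keeps is its state table. As an added example, not part of Dave's post or of pf's own tooling, here is a small sh script that reads `pfctl -s state` output and picks out the states pf holds for one inside host's IKE (udp/500) and ESP traffic, then reports whether the NAT rewrote the IKE source port (the condition `static-port` on the nat rule is meant to avoid). It assumes the older "src -> nat -> dst" state-line layout for NATed states; the addresses in SAMPLE are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Filters `pfctl -s state` output
# for one inside host's VPN-related states. Assumes NATed states print as
#   self udp 192.168.0.10:500 -> 203.0.113.1:52347 -> 198.51.100.5:500 ...
# (inside -> translated -> remote); ESP lines carry no ports.

# Print the state lines for inside host $1 that are udp with local port 500
# (IKE) or esp. Reads pfctl -s state output on stdin.
vpn_states() {
    awk -v h="$1" '
        $2 == "esp" && $3 == h            { print; next }
        $2 == "udp" && $3 == (h ":500")   { print; next }
    '
}

# Exit 0 if the host'\''s udp/500 state was translated to an outside port
# other than 500 (the NAT changed the IKE source port), 1 otherwise.
ike_port_rewritten() {
    vpn_states "$1" | awk '
        $2 == "udp" && $4 == "->" {
            split($5, nat, ":")
            if (nat[2] != "500") found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample of pfctl -s state output (addresses invented).
# 192.168.0.10 is the assumed laptop; 192.168.0.100 is another LAN host
# whose IKE state happened to keep port 500.
SAMPLE='self tcp 192.168.0.10:1025 -> 203.0.113.1:51000 -> 198.51.100.7:80 ESTABLISHED:ESTABLISHED
self udp 192.168.0.10:500 -> 203.0.113.1:52347 -> 198.51.100.5:500 MULTIPLE:MULTIPLE
self esp 192.168.0.10 -> 203.0.113.1 -> 198.51.100.5 NO_TRAFFIC:NO_TRAFFIC
self udp 192.168.0.100:500 -> 203.0.113.1:500 -> 198.51.100.9:500 MULTIPLE:MULTIPLE'

# Demo on the constructed sample; on the firewall use
#   pfctl -s state | vpn_states 192.168.0.10
# To clear the laptop's entries without touching anything else:
#   pfctl -k 192.168.0.10      (kills all states from that host)
# or, to flush the whole state table:  pfctl -F state
printf '%s\n' "$SAMPLE" | vpn_states 192.168.0.10
if printf '%s\n' "$SAMPLE" | ike_port_rewritten 192.168.0.10; then
    echo "IKE source port was rewritten by the nat rule"
fi
```

If the udp/500 line shows the translated port differing from 500, that is the NAT rewriting IKE's source port; `pfctl -k <laptop>` then drops the stale entries, and `static-port` on the LAN nat rule keeps pf from rewriting that port on the next connection attempt.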