Re: vpn client through pf/nat "invalid cookie"

On Thu, Jan 29, 2004 at 12:16:44AM -0500, David Kaplowitz wrote:
> I've been having some problems with a vpn client I use for work
> (Nortel Contivity). The problem is: I keep getting the connection
> dropped due to "invalid cookie". I can sometimes connect (after about
> 5 tries), but I get booted out immediately.
The Nortel Contivity has a "broken" IKE implementation that requires the
_source_ port of the connection to be udp/500.  You need to add another
rule after your main nat rule(s) like the following, that forces the source
port to 500:
nat on $EXT_IF inet proto udp from $LAN to any port isakmp -> $EXT_IF port 500
Note that this means that you can only have one client inside your
firewall connected to that particular Contivity at any given time.
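As an added illustration (not part of the original reply), here is a small constructed pf.conf fragment showing the isakmp rule alongside a general LAN nat rule. The interface and network names ($EXT_IF, $LAN, 192.168.1.0/24) are assumptions. Because pf applies the first matching translation rule, the udp/500 rule is placed ahead of the catch-all rule here so it actually gets a chance to match; the catch-all rule then handles everything else and still rewrites source ports randomly.

```pf
# Constructed example ruleset: interface and LAN values are assumptions.
EXT_IF = "xl0"
LAN    = "192.168.1.0/24"

# IKE to the Contivity: keep the source port fixed at udp/500.
# The "port 500" form is the one from the reply above; "static-port"
# would preserve whatever source port the client used instead.
nat on $EXT_IF inet proto udp from $LAN to any port isakmp -> $EXT_IF port 500

# Catch-all nat for the rest of the LAN; source ports are rewritten
# from the ephemeral range, which is what breaks the Contivity's IKE.
nat on $EXT_IF inet from $LAN to any -> $EXT_IF

# Filter rules: allow IKE out and keep state so the replies are matched.
pass out on $EXT_IF inet proto udp from $EXT_IF port isakmp to any port isakmp keep state
```

Check the resulting translation rules with `pfctl -s nat` after loading; the isakmp rule should appear before the general rule. With a single fixed source port, a second internal client to the same Contivity would collide on the same (source, destination, port) tuple, which is the one-client-at-a-time limit the reply describes.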