
Re: vpn client through pf/nat "invalid cookie"



Well, this is not a bug but an initial requirement of the IKE RFCs. We
can discuss its validity, but I doubt this can be considered a
problem with the Contivity. The Nortel VPN thing does support
NAT traversal, which should fix your problem; however, the easiest
solution is to apply the suggestion below for sure.
On Thu, Jan 29, 2004 at 05:40:06AM +0000, Ryan McBride wrote:
> On Thu, Jan 29, 2004 at 12:16:44AM -0500, David Kaplowitz wrote:
> > I've been having some problems with a vpn client I use for work
> > (Nortel Contivity). The problem is: I keep getting the connection
> > dropped due to "invalid cookie". I can sometimes connect (after about
> > 5 tries), but I get booted out immediately.
> 
> The Nortel Contivity has a "broken" IKE implementation that requires the
> _source_ port of the connection to be udp/500.  You need to add another
> rule after your main nat rule(s) like the following, that forces the source
> port to 500:
> 
> nat on $EXT_IF inet proto udp from $LAN to any port isakmp -> $EXT_IF port 500
> 
> Note that this means that you can only have one client inside your
> firewall connected to that particular Contivity at any given time.
> 
> -Ryan
-- 
-> Jean-Francois Dive
--> [email protected]
  I think that God in creating Man somewhat overestimated his ability.
  -- Oscar Wilde