[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: vpn client through pf/nat "invalid cookie"



On Thu, Jan 29, 2004 at 10:04:22AM +0100, Jean-Francois Dive wrote:
> Well, this is not a bug but an initial requirement of the IKE RFC's. We
> can discuss about it's validity, but i doubt this can be considered as a
> problem with the conntivity.
All the rfc says is that at minimum, an implementation must support
sending and recieving ISAKMP using UDP on port 500. It says nothing
about not accepting packets with different source ports:
2.5.1 Transport Protocol
   ISAKMP can be implemented over any transport protocol or over IP
   itself.  Implementations MUST include send and receive capability for
   ISAKMP using the User Datagram Protocol (UDP) on port 500.  UDP Port
   500 has been assigned to ISAKMP by the Internet Assigned Numbers
   Authority (IANA). Implementations MAY additionally support ISAKMP
   over other transport protocols or over IP itself.
-Ryan