Re: vpn client through pf/nat "invalid cookie"
On Thu, Jan 29, 2004 at 10:04:22AM +0100, Jean-Francois Dive wrote:
> Well, this is not a bug but an initial requirement of the IKE RFCs. We
> can discuss about its validity, but I doubt this can be considered as a
> problem with the connectivity.
All the RFC says is that at minimum, an implementation must support
sending and receiving ISAKMP using UDP on port 500. It says nothing
about not accepting packets with different source ports:

   2.5.1 Transport Protocol

   ISAKMP can be implemented over any transport protocol or over IP
   itself. Implementations MUST include send and receive capability for
   ISAKMP using the User Datagram Protocol (UDP) on port 500. UDP Port
   500 has been assigned to ISAKMP by the Internet Assigned Numbers
   Authority (IANA). Implementations MAY additionally support ISAKMP
   over other transport protocols or over IP itself.