
Re: vpn client through pf/nat "invalid cookie"



----- Original Message -----
From: Ryan McBride <[email protected]>
Date: Thu, 29 Jan 2004 05:40:06 +0000
To: David Kaplowitz <[email protected]>
Subject: Re: vpn client through pf/nat "invalid cookie"
> On Thu, Jan 29, 2004 at 12:16:44AM -0500, David Kaplowitz wrote:
> > I've been having some problems with a vpn client I use for work
> > (Nortel Contivity). The problem is: I keep getting the connection
> > dropped due to "invalid cookie". I can sometimes connect (after about
> > 5 tries), but I get booted out immediately.
> 
> The Nortel Contivity has a "broken" IKE implementation that requires the
> _source_ port of the connection to be udp/500.  You need to add another
> rule after your main nat rule(s) like the following, that forces the source
> port to 500:
> 
> nat on $EXT_IF inet proto udp from $LAN to any port isakmp -> $EXT_IF port 500
> 
> Note that this means that you can only have one client inside your
> firewall connected to that particular Contivity at any given time.
> 
> -Ryan
Thanks for the quick reply.
I tried this rule: nat on $EXT_IF inet proto udp from $LAN to any port isakmp -> $EXT_IF port 500
I'm still getting the same response. 
pfctl -sn
nat on fxp0 inet from 192.168.0.0/24 to any -> { xx.xxx.xxx.1, xx.xxx.xxx.2 xx.xxx.xxx.3 } round-robin
nat on fxp0 inet proto udp from 192.168.0.0/24 to any port = isakmp -> { xx.xxx.xxx.1, xx.xxx.xxx.2 xx.xxx.xxx.3 } port 500 round-robin
rdr pass on fxp0 inet proto tcp from any to 66.92.234.214 port = domain -> 192.168.1.2 port 53
rdr pass on fxp0 inet proto udp from any to 66.92.234.214 port = domain -> 192.168.1.2 port 53
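Added illustration, not part of the thread: a minimal Python model of how pf of that era evaluates translation rules (per pf.conf(5), nat/rdr rules are evaluated first to last and the first match wins, unlike filter rules), run over the two nat rules from the pfctl -sn output above. The client addresses, the Contivity address and the single translation address standing in for the round-robin pool are constructed placeholders.

```python
import ipaddress
import random

ISAKMP = 500

# Rules in the order the pfctl -sn output shows them: general rule first, isakmp rule second.
# Placeholder 'xx.xxx.xxx.1' stands in for the round-robin pool; all values are constructed.
RULES = [
    {"name": "general", "proto": None, "src": "192.168.0.0/24", "dport": None,
     "to": "xx.xxx.xxx.1", "sport": None},      # no 'port': pf picks a random source port
    {"name": "isakmp", "proto": "udp", "src": "192.168.0.0/24", "dport": ISAKMP,
     "to": "xx.xxx.xxx.1", "sport": ISAKMP},    # '-> ... port 500': source port forced to 500
]

def matches(rule, pkt):
    """True if the packet satisfies every criterion the rule specifies."""
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    return rule["dport"] is None or rule["dport"] == pkt["dport"]

def translate(rules, pkt, rng=None):
    """First matching translation rule wins: return (rule name, new src addr, new src port)."""
    rng = rng or random.Random(0)   # deterministic stand-in for pf's random port choice
    for rule in rules:
        if matches(rule, pkt):
            sport = rule["sport"] if rule["sport"] is not None else rng.randint(50001, 65535)
            return rule["name"], rule["to"], sport
    return None, pkt["src"], pkt["sport"]    # no rule matched: packet leaves untranslated

def state_key(rules, pkt):
    """The post-NAT 4-tuple pf must keep unique; two clients forced to port 500 collide."""
    _, src, sport = translate(rules, pkt)
    return src, sport, pkt["dst"], pkt["dport"]

def ike_packet(src):
    # Constructed: an IKE (udp/500 -> udp/500) packet from an inside client to the Contivity.
    return {"proto": "udp", "src": src, "sport": ISAKMP, "dst": "203.0.113.10", "dport": ISAKMP}

if __name__ == "__main__":
    pkt = ike_packet("192.168.0.5")
    print("rules as loaded:   ", translate(RULES, pkt))        # general rule wins, random port
    print("isakmp rule first: ", translate(RULES[::-1], pkt))  # isakmp rule wins, port 500
    print("second client collides:",
          state_key(RULES[::-1], pkt) == state_key(RULES[::-1], ike_packet("192.168.0.6")))
```

With the rules in the order shown above, the IKE packet is consumed by the general rule and never reaches the port-500 rule; with the isakmp rule listed first the source port comes out as 500, and the state-key collision for a second client is the one-client-at-a-time limit Ryan mentions.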