Hello pf,

I've been having some problems with a VPN client I use for work (Nortel Contivity). 
The problem is: I keep getting the connection dropped due to "invalid cookie". I can 
sometimes connect (after about 5 tries), but I get booted out immediately.

I thought it was the VPN client, or the setup of my work's firewall, but it was 
suggested I connect my laptop directly to my DSL modem to test, and it actually worked: 
I connected fine. I got stuck the other day and needed to dial in, so I reinstalled 
OpenBSD on my firewall (I know, very lame, but I had to do something to dial into 
work). And that worked. Sadly, tonight (after 2 days) this "invalid cookie" started 
happening again, and I don't want to have to do something so extreme for my work VPN.

Anyway, my question is, what kind of session cache might my pf be keeping that's 
causing this? And more importantly, what can I clear out from my pf box that will 
clear anything that might be temporarily stored and causing this kind of error?

Thanks for any help.

Dave

If it'll help, here's my pf.conf. The laptop's on the NAT'ed LAN portion and it gets 
an IP from one of two DHCP servers. I've tried giving the laptop a static IP, but that 
didn't help either.

# Interfaces
EXT_IF = "fxp0"
LAN_IF = "xl0"
DMZ_IF = "fxp1"
LOO_IF = "lo0"

# Addresses (the external addresses are masked in the original post)
EXT_AD1 = "xx.xxx.xxx.1"
EXT_AD2 = "xx.xxx.xxx.2"
EXT_AD3 = "xx.xxx.xxx.3"
LAN   = "192.168.0.0/24"
DMZ   = "192.168.1.0/24"
DNS1  = "192.168.1.2"
WWW1  = "192.168.1.3"

# Protocol lists; the quoted braces expand to a pf list, e.g. proto {tcp, udp}.
# Only DNS_PR is used by the rules below; the others are defined but unused.
DNS_PR    = "{tcp, udp}"
WWW_PR    = "{tcp}"
SMTP_PR   = "{tcp}"
FTP_PR    = "{tcp}"
NNTP_PR   = "{tcp}"

set block-policy return
set loginterface $EXT_IF

# Normalise (reassemble fragments etc.) on every interface, both directions
scrub log all

# NAT for LAN and DMZ behind the external interface. The first matching nat
# rule wins. Without the "static-port" option pf rewrites the source port of
# every translated TCP/UDP packet to a random high port, and a new state
# (hence a new port) is created whenever the old one has expired.
nat on $EXT_IF from $LAN to any -> $EXT_IF
nat on $EXT_IF from $DMZ to any -> $EXT_IF

# Forward inbound DNS to the DMZ resolver; "rdr pass" admits the redirected
# traffic without needing a separate filter rule
rdr pass on $EXT_IF proto $DNS_PR from any to $EXT_AD1 port 53 -> $DNS1 port 53
# rdr pass on $EXT_IF proto tcp from any to $EXT_AD2 port 80 -> $WWW1 port 80

# Default deny on the external interface, both directions, logged
block in log on $EXT_IF all
block out log on $EXT_IF all

antispoof for $EXT_IF inet

pass in quick on $LOO_IF  all

pass in on $EXT_IF proto icmp all
pass out on $EXT_IF proto icmp all

pass in on $EXT_IF inet proto tcp from any to $EXT_IF port ssh keep state

pass in on $EXT_IF inet proto $DNS_PR from any to $EXT_AD1 port 53 keep state
# pass in on $EXT_IF inet proto tcp from any to $EXT_AD2 port www keep state

# Outbound: only tcp and udp (plus icmp above) may leave $EXT_IF. Any other
# IP protocol, e.g. ESP (proto 50) or GRE, falls through to "block out" above.
pass out on $EXT_IF inet proto { tcp, udp } all keep state
# Redundant: tcp is already covered by the { tcp, udp } rule above
pass out on $EXT_IF inet proto tcp keep state
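The "session cache" pf keeps is its state table, which `pfctl -s state` lists and `pfctl -F state` flushes. The script below is an added example, not part of the original post or of pf itself: it reads `pfctl -s state` output, picks out the UDP port 500 (ISAKMP, which IPsec clients such as the Contivity use for IKE) states belonging to one LAN host, and reports whether the NAT'ed source port is still 500 or was rewritten by pf. The sample state lines are constructed (placeholder addresses, both the older `src -> translated -> dst` and the newer `translated (src) -> dst` layouts), and the host address is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): inspect pf's state table for
# the UDP/500 (ISAKMP) states of one LAN host and report the source port pf
# chose on the translated side. Input is the text of "pfctl -s state".

# Constructed sample of "pfctl -s state" output (placeholder addresses).
# Lines 1, 2 and 4 use the older three-hop "src -> translated -> dst" layout,
# line 3 the newer "translated (src) -> dst" layout. Not captured from a real box.
SAMPLE_STATES='self udp 192.168.0.10:500 -> 198.51.100.7:61034 -> 203.0.113.5:500       MULTIPLE:MULTIPLE
self tcp 192.168.0.10:49152 -> 198.51.100.7:52110 -> 203.0.113.5:443       ESTABLISHED:ESTABLISHED
all udp 198.51.100.7:500 (192.168.0.10:500) -> 203.0.113.9:500       MULTIPLE:MULTIPLE
self udp 192.168.0.23:500 -> 198.51.100.7:53999 -> 203.0.113.5:500       MULTIPLE:MULTIPLE'

# ike_states LANHOST  < pfctl-output
# Prints one line per UDP state whose inside source is LANHOST:500:
#   "<lan src> <translated src> <vpn gateway> <static|rewritten>"
# "static" means pf kept source port 500 on the outside, "rewritten" means
# the translated packets leave from a different (random high) port.
ike_states() {
    awk -v host="$1" '
    BEGIN { want = host ":500" }
    { src = nat = dst = "" }
    $2 != "udp" { next }
    # older layout: <if> udp src -> translated -> dst STATE
    $4 == "->" && $6 == "->" { src = $3; nat = $5; dst = $7 }
    # newer layout: <if> udp translated (src) -> dst STATE
    $4 ~ /^\(/ && $5 == "->" { nat = $3; src = $4; gsub(/[()]/, "", src); dst = $6 }
    src != want { next }
    {
        split(nat, n, ":")
        verdict = (n[2] == "500") ? "static" : "rewritten"
        print src, nat, dst, verdict
    }'
}

# rewritten_ike_count LANHOST < pfctl-output
# Number of that host'"'"'s ISAKMP states whose source port pf changed.
rewritten_ike_count() {
    ike_states "$1" | awk '$4 == "rewritten" { c++ } END { print c + 0 }'
}

# Run on the constructed sample; on a real firewall pipe "pfctl -s state" in.
printf '%s\n' "$SAMPLE_STATES" | ike_states 192.168.0.10
printf '%s\n' "$SAMPLE_STATES" | rewritten_ike_count 192.168.0.10
```

On the firewall itself, `pfctl -s state | sh thisscript.sh` is replaced by sourcing the functions and running `pfctl -s state | ike_states 192.168.0.<laptop>`. A state showing "rewritten" tells you the gateway sees the laptop's IKE traffic from a high port, and a fresh state after the UDP timeouts (the defaults are short, tens of seconds) can come from a different port than the previous one. To clear everything pf has cached, `pfctl -F state` flushes the whole state table. If the rewritten port turns out to matter to the Contivity gateway, pf's `static-port` option on a dedicated nat rule placed before the general one (for example `nat on $EXT_IF proto udp from $LAN port 500 to any -> $EXT_IF static-port`) keeps the source port at 500; the caveat is that two LAN hosts running IKE at the same time would then collide on the outside port.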