On Thu, Jan 29, 2004 at 12:16:44AM -0500, David Kaplowitz wrote:
> I've been having some problems with a vpn client I use for work
> (Nortel Contivity). The problem is: I keep getting the connection
> dropped due to "invalid cookie". I can sometimes connect (after about
> 5 tries), but I get booted out immediately.
The Nortel Contivity has a "broken" IKE implementation that requires the _source_ port of the connection to be udp/500. You need to add another rule after your main nat rule(s) like the following, that forces the source port to 500:

    nat on $EXT_IF inet proto udp from $LAN to any port isakmp -> $EXT_IF port 500

Note that this means that you can only have one client inside your firewall connected to that particular Contivity at any given time.

-Ryan
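For readers who want to see the rule in context, here is a constructed pf.conf fragment (an added example, not from Ryan's message or from the thread). The interface name "fxp0" and the LAN prefix 192.168.1.0/24 are assumed values; substitute your own. pf evaluates translation rules first-match, so the port-500 rule is listed before the catch-all NAT rule here: if a catch-all that also matches udp/500 comes first, it wins and the source port is rewritten to a random high port.

```pf
# Constructed example pf.conf fragment (assumed interface and LAN values).
EXT_IF = "fxp0"
LAN    = "192.168.1.0/24"

# IKE from the LAN keeps udp/500 as its source port on the outside.
# Listed first because pf applies the first matching translation rule.
nat on $EXT_IF inet proto udp from $LAN to any port isakmp -> $EXT_IF port 500

# Catch-all masquerading for all other LAN traffic.
nat on $EXT_IF inet from $LAN to any -> $EXT_IF
```

After loading the ruleset, `pfctl -s state` shows the translated IKE state; the outside side of the entry should read `<external address>:500 -> <Contivity address>:500`. Because every LAN client is mapped to the same external address and source port 500, a second client negotiating with the same Contivity cannot get a distinct state, which is the one-client-at-a-time limit Ryan describes.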
