Well, this is not a bug but an initial requirement of the IKE RFCs. We can discuss its validity, but I doubt this can be considered a problem with the Contivity. The Nortel VPN thing does support NAT traversal, which should fix your problem; however, the easiest solution is to apply the suggestion below for sure.
On Thu, Jan 29, 2004 at 05:40:06AM +0000, Ryan McBride wrote:
> On Thu, Jan 29, 2004 at 12:16:44AM -0500, David Kaplowitz wrote:
> > I've been having some problems with a VPN client I use for work
> > (Nortel Contivity). The problem is: I keep getting the connection
> > dropped due to "invalid cookie". I can sometimes connect (after about
> > 5 tries), but I get booted out immediately.
>
> The Nortel Contivity has a "broken" IKE implementation that requires the
> _source_ port of the connection to be udp/500. You need to add another
> rule after your main nat rule(s) like the following, that forces the source
> port to 500:
>
> nat on $EXT_IF inet proto udp from $LAN to any port isakmp -> $EXT_IF port 500
>
> Note that this means that you can only have one client inside your
> firewall connected to that particular Contivity at any given time.
>
> -Ryan

--
-> Jean-Francois Dive
--> [EMAIL PROTECTED]

I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde
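For readers who want to see Ryan's nat rule in context, here is a minimal pf.conf fragment added as an illustration; it is not from the original thread or from any Nortel or OpenBSD documentation. The interface name and LAN prefix in the macros are assumptions.

```pf
# Added example pf.conf fragment (not from the original thread).
# Macro values below are assumptions; substitute your own.
EXT_IF = "fxp0"
LAN    = "192.168.1.0/24"

# Force IKE (udp/500, "isakmp" in /etc/services) leaving the LAN to keep
# source port 500 on the outside, which the Contivity insists on.
# pf evaluates translation rules first-match, so this rule has to be the
# first nat rule that matches isakmp traffic: put it ahead of any
# catch-all nat rule that would otherwise swallow the same packets.
nat on $EXT_IF inet proto udp from $LAN to any port isakmp -> ($EXT_IF) port 500

# General NAT for everything else from the LAN.
nat on $EXT_IF inet from $LAN to any -> ($EXT_IF)
```

Because the translation pins the outside source port to exactly 500, there is nothing left to map a second LAN host's IKE exchange onto while the first one holds that port, which is the practical meaning of Ryan's "only one client at a time" note. Check the rule with `pfctl -nf /etc/pf.conf` before loading, and confirm the mapping with `pfctl -s state` while a client negotiates.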
