----- Original Message -----
From: Ryan McBride <[EMAIL PROTECTED]>
Date: Thu, 29 Jan 2004 05:40:06 +0000
To: David Kaplowitz <[EMAIL PROTECTED]>
Subject: Re: vpn client through pf/nat "invalid cookie"
> On Thu, Jan 29, 2004 at 12:16:44AM -0500, David Kaplowitz wrote:
> > I've been having some problems with a vpn client I use for work
> > (Nortel Contivity). The problem is: I keep getting the connection
> > dropped due to "invalid cookie". I can sometimes connect (after about
> > 5 tries), but I get booted out immediately.
>
> The Nortel Contivity has a "broken" IKE implementation that requires the
> _source_ port of the connection to be udp/500. You need to add another
> rule after you main nat rule(s) like the following, that forces the source
> port to 500:
>
> nat on $EXT_IF inet proto udp from $LAN to any port isakmp -> $EXT_IF port 500
>
> Note that this means that you can only have one client inside your
> firewall connected to that particular Contivity at any given time.
>
> -Ryan
Thanks for the quick reply.
I tried this rule: nat on $EXT_IF inet proto udp from $LAN to any port isakmp -> $EXT_IF port 500
I'm still getting the same response.
pfctl -sn
nat on fxp0 inet from 192.168.0.0/24 to any -> { xx.xxx.xxx.1, xx.xxx.xxx.2 xx.xxx.xxx.3 } round-robin
nat on fxp0 inet proto udp from 192.168.0.0/24 to any port = isakmp -> { xx.xxx.xxx.1, xx.xxx.xxx.2 xx.xxx.xxx.3 } port 500 round-robin
rdr pass on fxp0 inet proto tcp from any to 66.92.234.214 port = domain -> 192.168.1.2 port 53
rdr pass on fxp0 inet proto udp from any to 66.92.234.214 port = domain -> 192.168.1.2 port 53
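For reference, here is the rule pair from Ryan's reply written out as a complete pf.conf translation fragment. This is an added illustration, not David's or Ryan's configuration; the interface name fxp0 and the 192.168.0.0/24 network are taken from the pfctl output above, and the macros are assumed. One check worth making against the ordering David used: pf of this era evaluates translation (nat/rdr) rules first-match, unlike filter rules, so a more specific nat rule only takes effect when it precedes the catch-all; consult pf.conf(5) for the release in use.

```pf
# pf.conf fragment (added example; macro values are assumptions)
EXT_IF = "fxp0"
LAN    = "192.168.0.0/24"

# IKE (isakmp, udp/500) towards the Contivity: translate the source address
# but pin the source port to 500, as the Contivity expects.
# Placed BEFORE the catch-all: translation rules are first-match, so if this
# rule came after the general one it would never be reached and the source
# port would still be rewritten to a random high port.
nat on $EXT_IF inet proto udp from $LAN to any port isakmp -> $EXT_IF port 500

# Catch-all for everything else leaving the LAN.
nat on $EXT_IF inet from $LAN to any -> $EXT_IF
```

The limitation Ryan mentions follows directly from the pinned port: the translated state (external address, udp/500, Contivity, udp/500) can exist only once, so a second inside host cannot bring up IKE to the same Contivity while the first session's state is alive.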