> Hello pf,
>
> I've been having some problems with a vpn client I use for work (Nortel Contivity).
> The problem is: I keep getting the connection dropped due to "invalid cookie". I can
> sometimes connect (after about 5 tries), but I get booted out immediately.
>
> If it'll help, here's my pf.conf.
>
> EXT_IF = "fxp0"
> EXT_AD1 = "xx.xxx.xxx.1"
> EXT_AD2 = "xx.xxx.xxx.2"
> EXT_AD3 = "xx.xxx.xxx.3"
>
> nat on $EXT_IF from $LAN to any -> $EXT_IF

For posterity, this didn't have anything to do with Nortel Contivity's broken isakmp implementation in this case. It had all to do with the fact that I had 3 aliases on the NIC $EXT_IF and I was using the NAT rule:

    nat on $EXT_IF from $LAN to any -> $EXT_IF

instead of:

    nat on $EXT_IF from $LAN to any -> $EXT_AD1

Apparently, while using the first rule, my outbound IP was cycling in what seemed a round-robin fashion. Changing the former rule to the latter helped in this case, as I then had a consistent outbound IP address from my LAN. And I didn't need to add the NAT/isakmp rules that were suggested earlier to my pf.conf. (My outbound rules are lax enough to let the traffic pass).

Thanks for the replies to this thread.

Dave
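
The behaviour described in the message above, as an added example that is not part of the original post: a small Python check that flags `nat` rules whose translation target is an interface carrying more than one address. The sample pf.conf, the `LAN` value, the 192.0.2.x addresses and the interface inventory are constructed, and treating the first listed address as the primary one for the `:0` modifier is an assumption.

```python
import re

# Constructed sample modelled on the post's pf.conf; LAN and the 192.0.2.x
# documentation addresses are assumptions, not values from the original.
SAMPLE_PF_CONF = '''\
EXT_IF = "fxp0"
EXT_AD1 = "192.0.2.1"
LAN = "10.0.0.0/24"
nat on $EXT_IF from $LAN to any -> $EXT_IF
nat on $EXT_IF from $LAN to any -> $EXT_AD1
nat on $EXT_IF from $LAN to any -> ($EXT_IF:0)
'''

# Constructed inventory: addresses per interface, primary first (assumption).
SAMPLE_IFACE_ADDRS = {"fxp0": ["192.0.2.1", "192.0.2.2", "192.0.2.3"]}

MACRO_DEF = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')
MACRO_USE = re.compile(r'\$(\w+)')
NAT_RULE = re.compile(r'^\s*nat\b.*->\s*(\S+)')


def find_unstable_nat(conf_text, iface_addrs):
    """Return (line_no, expanded_rule, pool) for each nat rule whose
    translation target expands to more than one address."""
    macros, findings = {}, []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        definition = MACRO_DEF.match(line)
        if definition:
            macros[definition.group(1)] = definition.group(2)
            continue
        rule = MACRO_USE.sub(lambda m: macros.get(m.group(1), m.group(0)), line)
        nat = NAT_RULE.match(rule)
        if not nat:
            continue
        name, _, modifier = nat.group(1).strip('()').partition(':')
        pool = list(iface_addrs.get(name, []))
        if modifier == '0':      # ":0" leaves out the interface's aliases
            pool = pool[:1]
        if len(pool) > 1:        # several addresses: pf rotates between them
            findings.append((line_no, rule, pool))
    return findings


if __name__ == "__main__":
    for line_no, rule, pool in find_unstable_nat(SAMPLE_PF_CONF, SAMPLE_IFACE_ADDRS):
        print(f"line {line_no}: {rule}  # translates to any of {pool}")
```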
