| From: Dave Ihnat <dihnat@xxxxxxxxxx>
|
| An error message from an admittedly old Linux kernel that has NO meaningful
| google hits...except some poor schmuck who asked the same question in 2005:
|
|   ip_masq_out_get_isakmp(): zero icookie
|
| WTH is a "zero icookie"?
|
| Yes, this is an antiquated kernel, running obsolete ipchains. BUT
| nevertheless, I'm a little flummoxed that even the source code didn't
| show up in a google, let alone someone in all these years having run
| into it and discussing it. Does this exist in iptables on Fedora?

ISAKMP is part of the IPSec protocol. It is the part that negotiates keying and other properties of "security associations" (what an obscure term).

The ISAKMP protocol uses two "cookies" at the start of each message (UDP 500 packet) to identify which negotiation it pertains to. One cookie originates from each side. Cookies are not allowed to be zero except in the first message, before the other side has specified its cookie value.

The "icookie" is probably the initiator's cookie and that should never be zero.

I probably wrote most of the ISAKMP implementation that you are using (Pluto, part of FreeS/WAN) if you are using IPSec on an old Linux system. Many people now use Racoon instead.

I don't know anything about masquerading ISAKMP (yuck).

Are you intentionally using IPsec? Trying to masquerade it? Or is this some kind of accident (e.g. a random UDP 500 message being caught by ipchains)?

Here's an old HowTo that might be useful (I've not tried it).
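The cookie rule described in the reply above, as an added example that is not part of the original message and is not code from Pluto or from the kernel's masquerading module: a classifier for the payload of a UDP port 500 datagram. The 28-byte header with two 8-byte cookies at the start is the RFC 2408 layout; the function, enum and sample names are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ISAKMP_HDR_LEN 28  /* fixed ISAKMP header size (RFC 2408, section 3.1) */
#define COOKIE_LEN 8       /* initiator cookie at offset 0, responder cookie at offset 8 */

enum cookie_verdict {
    CK_TRUNCATED,      /* shorter than a full ISAKMP header */
    CK_ZERO_ICOOKIE,   /* initiator cookie is all zero: never valid */
    CK_FIRST_MESSAGE,  /* responder cookie still zero: initiator's opening message */
    CK_BOTH_SET        /* both cookies present: later message of a negotiation */
};

static int all_zero(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Classify the payload of a UDP port 500 datagram by its two cookies. */
enum cookie_verdict classify_isakmp(const uint8_t *payload, size_t len)
{
    if (payload == NULL || len < ISAKMP_HDR_LEN)
        return CK_TRUNCATED;
    if (all_zero(payload, COOKIE_LEN))
        return CK_ZERO_ICOOKIE;
    if (all_zero(payload + COOKIE_LEN, COOKIE_LEN))
        return CK_FIRST_MESSAGE;
    return CK_BOTH_SET;
}

/* Constructed sample headers, not captured traffic. Unlisted bytes are zero. */
static const uint8_t sample_first[ISAKMP_HDR_LEN] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,  /* initiator cookie */
    [17] = 0x10, [18] = 0x02, [27] = ISAKMP_HDR_LEN  /* v1.0, Identity Protection, length */
};
static const uint8_t sample_zero_icookie[ISAKMP_HDR_LEN] = {
    [8] = 0xaa, [9] = 0xbb,                          /* only the responder cookie is set */
    [17] = 0x10, [18] = 0x02, [27] = ISAKMP_HDR_LEN
};

int main(void)
{
    printf("first message: %d\n", classify_isakmp(sample_first, sizeof sample_first));
    printf("zero icookie:  %d\n", classify_isakmp(sample_zero_icookie, sizeof sample_zero_icookie));
    return 0;
}
```

A datagram that classifies as `CK_ZERO_ICOOKIE` is either not ISAKMP at all or is malformed, which fits the "random UDP 500 message" possibility raised in the reply.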