An interesting message...is it still in Fedora?

D. Hugh Redelmeier hugh at mimosa.com
Thu Jun 21 16:50:44 UTC 2007


| From: Dave Ihnat <dihnat at dminet.com>
| 
| An error message from an admittedly old Linux kernel that has NO meaningful
| google hits...except some poor schmuck who asked the same question in 2005:
| 
|   ip_masq_out_get_isakmp(): zero icookie
| 
| WTH is a "zero icookie"?
| 
| Yes, this is an antiquated kernel, running obsolete ipchains.  BUT
| nevertheless, I'm a little flummoxed that even the source code didn't
| show up in a google, let alone someone in all these years having run
| into it and discussing it.  Does this exist in iptables on Fedora?

ISAKMP is part of the IPSec protocol.  It is the part that negotiates
keying and other properties of "security associations" (what an
obscure term).

The ISAKMP protocol uses two "cookies" at the start of each message (UDP
500 packet) to identify which negotiation it pertains to.  One cookie
originates from each side.  Cookies are not allowed to be zero except
in the first message, before the other side has specified its cookie
value.  The "icookie" is probably the initiator's cookie and that
should never be zero.

I probably wrote most of the ISAKMP implementation that you are using
(Pluto, part of FreeS/WAN) if you are using IPSec on an old Linux
system.  Many people now use racoon instead.  I don't know anything
about masquerading ISAKMP (yuck).

Are you intentionally using IPsec?  Trying to masquerade it?  Or is
this some kind of accident (e.g. a random UDP 500 message being caught by
ipchains)?

Here's an old HowTo that might be useful (I've not tried it).

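To make the cookie rule above concrete, here is an added example (not part of the original post or of FreeS/WAN) that parses the 28-byte ISAKMP header defined in RFC 2408 and flags the "zero icookie" condition the kernel message refers to; the sample packets are constructed inline.

```python
"""Parse an ISAKMP (IKEv1) header and check the two cookies at the front."""
import struct

# RFC 2408 section 3.1: initiator cookie (8), responder cookie (8), next payload,
# version, exchange type, flags, message ID (4), total length (4) = 28 bytes.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
HDR_LEN = ISAKMP_HDR.size
ZERO_COOKIE = b"\x00" * 8


def parse_isakmp_header(data: bytes) -> dict:
    """Return the header fields of a UDP/500 payload, or raise ValueError if too short."""
    if len(data) < HDR_LEN:
        raise ValueError("short ISAKMP header: %d bytes" % len(data))
    icookie, rcookie, next_payload, version, exch, flags, msg_id, length = \
        ISAKMP_HDR.unpack_from(data)
    return {
        "icookie": icookie, "rcookie": rcookie, "next_payload": next_payload,
        "major": version >> 4, "minor": version & 0x0F,
        "exchange": exch, "flags": flags, "msg_id": msg_id, "length": length,
        "actual_len": len(data),
    }


def check_cookies(hdr: dict) -> list:
    """Return a list of findings; an empty list means the cookie pair looks normal."""
    findings = []
    if hdr["icookie"] == ZERO_COOKIE:
        # The initiator's cookie must never be zero: this is the kernel's complaint.
        findings.append("zero icookie")
    if hdr["rcookie"] == ZERO_COOKIE and hdr["msg_id"] != 0:
        # Responder cookie may be zero only in the very first phase 1 message, and
        # all phase 1 messages carry message ID 0, so a non-zero ID rules that out.
        findings.append("zero rcookie outside phase 1 first message")
    if hdr["length"] != hdr["actual_len"]:
        findings.append("length field does not match datagram size")
    return findings


def build_packet(icookie: bytes, rcookie: bytes, exch: int, msg_id: int) -> bytes:
    """Constructed header-only ISAKMP packet (version 1.0, next payload SA=1)."""
    return ISAKMP_HDR.pack(icookie, rcookie, 1, 0x10, exch, 0, msg_id, HDR_LEN)


# Constructed samples: a normal first message (Identity Protection exchange),
# one with a zero initiator cookie, and a Quick Mode message missing its rcookie.
SAMPLES = {
    "first_message": build_packet(bytes.fromhex("0123456789abcdef"), ZERO_COOKIE, 2, 0),
    "zero_icookie": build_packet(ZERO_COOKIE, bytes.fromhex("fedcba9876543210"), 2, 0),
    "quick_mode_no_rcookie": build_packet(bytes.fromhex("0123456789abcdef"), ZERO_COOKIE, 32, 0x11223344),
}
```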