 From:  Jim Thompson <jim at netgate dot com>
 To:  Bradley Van Peursem <bradley at itelework dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Multiple Vulnerability Issues in Implementations of ISAKMP Protocol
 Date:  Tue, 15 Nov 2005 02:07:31 -1000
You probably want to turn
*Negotiation mode:* Aggressive
off. (That is, you want Negotiation mode: Main)

If you can install packet filters toward the IPSEC peer, that helps too.

The m0n0 documentation probably needs a bit of an update on this:

> Negotiation mode: This is the type of authentication security that 
> will be used. Unless you are under close watch by someone with 
> paranormal-like craziness, just leave this as aggressive. It is indeed 
> far faster and will ensure that your VPN tunnel will rebuild itself 
> quickly and probably won't time out an application if the tunnel was 
> down when the resource on the other end was requested. (more about 
> that under Lifetime)

found on: http://doc.m0n0.ch/handbook/ipsec-tunnels.html

probably needs updating to reflect the new information.


Bradley Van Peursem wrote:

>Does this newly publicized ISAKMP IPSEC flaw affect monowall?
>May be a dumb question, but did not know the answer.