 
 From:  Jim Thompson <jim at netgate dot com>
 To:  Bradley Van Peursem <bradley at itelework dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Multiple Vulnerability Issues in Implementations of ISAKMP Protocol
 Date:  Tue, 15 Nov 2005 02:07:31 -1000
You probably want to turn
*Negotiation mode:* Aggressive
off. (That is, you want Negotiation mode: Main)

If you can install packet filters toward the IPSEC peer, that helps too.

The m0n0 documentation probably needs a bit of an update on this:

> Negotiation mode: This is the type of authentication security that 
> will be used. Unless you are under close watch by someone with 
> paranormal-like craziness, just leave this as aggressive. It is indeed 
> far faster and will ensure that your VPN tunnel will rebuild itself 

> down when the resource on the other end was requested. (more about 
> that under Lifetime)


found on: http://doc.m0n0.ch/handbook/ipsec-tunnels.html

probably needs updating to reflect the new information.
http://www.uniras.gov.uk/niscc/docs/br-20051114-01013.html?lang=en

Jim

Bradley Van Peursem wrote:

>Does this newly publicized ISAKMP IPSEC flaw affect monowall?
> 
>May be a dumb question, but did not know the answer. 
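The two pieces of advice in the reply above (Negotiation mode: Main instead of Aggressive, and packet filters toward the IPsec peer) as an added worked example; this is not code from m0n0wall or from anyone in the thread. It audits an m0n0wall-style config.xml for phase 1 entries still in aggressive mode and emits ipfilter rules that admit IKE (UDP/500) and ESP only from the configured peers. The `<ipsec><tunnel><remote-gateway>` / `<p1><mode>` layout, the WAN interface name `fxp0`, and the peer addresses (RFC 5737 test networks) are all assumptions constructed for illustration. Aggressive mode is the exposure being reduced because the responder processes the initiator's ID and key-exchange payloads in the very first, unauthenticated message.

```python
"""Audit an m0n0wall-style config.xml for IKEv1 aggressive-mode phase 1
settings and emit ipfilter rules that admit ISAKMP and ESP only from the
configured peers.

Added example, not code from m0n0wall or from the thread.  Assumptions:
the <ipsec><tunnel><remote-gateway> / <p1><mode> layout, the WAN
interface name, and the peer addresses (RFC 5737 test networks) are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the first tunnel still has the weak setting
# (Negotiation mode: Aggressive), the second has the corrected one (Main).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<m0n0wall>
  <ipsec>
    <tunnel>
      <remote-gateway>203.0.113.10</remote-gateway>
      <p1>
        <mode>aggressive</mode>
        <authentication_method>pre_shared_key</authentication_method>
      </p1>
    </tunnel>
    <tunnel>
      <remote-gateway>198.51.100.7</remote-gateway>
      <p1>
        <mode>main</mode>
        <authentication_method>pre_shared_key</authentication_method>
      </p1>
    </tunnel>
  </ipsec>
</m0n0wall>
"""


def phase1_entries(config_xml):
    """Return (remote_gateway, mode, auth_method) for every site-to-site tunnel."""
    root = ET.fromstring(config_xml)
    entries = []
    for tunnel in root.findall("./ipsec/tunnel"):
        gateway = (tunnel.findtext("remote-gateway") or "").strip()
        mode = (tunnel.findtext("p1/mode") or "").strip().lower()
        auth = (tunnel.findtext("p1/authentication_method") or "").strip().lower()
        entries.append((gateway, mode, auth))
    return entries


def aggressive_peers(config_xml):
    """Peers whose phase 1 is still negotiated in aggressive mode."""
    return [gw for gw, mode, _ in phase1_entries(config_xml) if mode == "aggressive"]


def ipf_rules(config_xml, wan_if="fxp0"):
    """ipfilter rules for the WAN side: pass IKE (UDP/500) and ESP only from
    the configured peers, then drop IKE/ESP from anyone else.  'quick' makes
    the first match final, so order matters: passes first, blocks last."""
    rules = []
    for gateway, _, _ in phase1_entries(config_xml):
        rules.append(f"pass in quick on {wan_if} proto udp from {gateway} "
                     f"to any port = 500 keep state")
        rules.append(f"pass in quick on {wan_if} proto esp from {gateway} to any")
    rules.append(f"block in quick on {wan_if} proto udp from any to any port = 500")
    rules.append(f"block in quick on {wan_if} proto esp from any to any")
    return rules


if __name__ == "__main__":
    for gateway in aggressive_peers(SAMPLE_CONFIG):
        print(f"WARNING: peer {gateway}: Negotiation mode is Aggressive, switch to Main")
    print("\n".join(ipf_rules(SAMPLE_CONFIG)))
```

Two caveats before flipping every tunnel to Main: with pre-shared keys, main mode only works when the peer has a fixed address, because the responder must look up the PSK by the initiator's IP before any identity has been exchanged, so road-warrior peers on dynamic addresses either stay on aggressive mode or move to certificate authentication. And if NAT traversal is in play, UDP/4500 needs the same pass-from-peer/block-from-everyone-else treatment as UDP/500.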