You probably want to turn *Negotiation mode:* Aggressive off.
(That is, you want Negotiation mode: Main)

If you can install packet filters toward the IPSEC peer, that helps too.

The m0n0 documentation probably needs a bit of an update this:

> Negotiation mode: This is the type of authentication security that
> will be used. Unless you are under close watch by someone with
> paranormal like craziness, just leave this as aggressive. It is indeed
> far faster and will insure that your VPN tunnel will rebuild itself
> quickly and probably won’t time out an application if the tunnel was
> down when the resource on the other end was requested. (more about
> that under Lifetime)

found on: http://doc.m0n0.ch/handbook/ipsec-tunnels.html
probably needs updating to reflect the new information.

http://www.uniras.gov.uk/niscc/docs/br-20051114-01013.html?lang=en

Jim

Bradley Van Peursem wrote:

>Does this newly publicized ISAKMP IPSEC flaw affect monowall?
>
>May be a dumb question, but did not know the answer.
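
One way to check for the setting discussed above across several peers, as an added example that is not part of the original thread. It assumes the gateway's IKE daemon is racoon (ipsec-tools) and audits `racoon.conf` text for its `exchange_mode` directive; the post itself only names the GUI setting, and the sample configuration and the `audit` helper are constructed for illustration.

```python
import re

# Constructed sample in racoon.conf syntax (documentation addresses, not a real device).
SAMPLE_CONF = """
remote 192.0.2.10 {
    exchange_mode aggressive;   # GUI equivalent: Negotiation mode = aggressive
    proposal { encryption_algorithm 3des; hash_algorithm sha1;
               authentication_method pre_shared_key; dh_group 2; }
}
remote 198.51.100.7 {
    exchange_mode main;
    proposal { encryption_algorithm 3des; hash_algorithm sha1;
               authentication_method pre_shared_key; dh_group 2; }
}
remote anonymous {
    exchange_mode main,aggressive;  # initiates with main, still accepts aggressive
}
"""

REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)[^{]*\{", re.MULTILINE)
MODE_RE = re.compile(r"\bexchange_mode\s+([^;]+);")

def remote_blocks(text):
    """Yield (peer, body) for each remote { ... } block, following nested braces."""
    text = re.sub(r"#.*", "", text)          # drop comments first
    pos = 0
    while (m := REMOTE_RE.search(text, pos)):
        depth, i = 1, m.end()
        while i < len(text) and depth:       # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]
        pos = i

def audit(text):
    """Map each peer to how its phase 1 exchange mode treats aggressive mode."""
    result = {}
    for peer, body in remote_blocks(text):
        m = MODE_RE.search(body)
        modes = [x.strip() for x in m.group(1).split(",")] if m else []
        if not modes:
            result[peer] = "unspecified"
        elif modes[0] == "aggressive":
            result[peer] = "aggressive-initiator"   # first mode is used when initiating
        elif "aggressive" in modes:
            result[peer] = "aggressive-accepted"    # every listed mode is accepted as responder
        else:
            result[peer] = "main-only"
    return result

if __name__ == "__main__":
    for peer, status in audit(SAMPLE_CONF).items():
        print(f"{peer:15} {status}")
```

Only peers reported as `main-only` match the recommendation in the reply; a peer listing `main,aggressive` still answers aggressive-mode requests.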