VPN Flaw Allows Denial of Service
An anonymous reader writes "Finnish researchers at the University of Oulu have found a vulnerability in ISAKMP (Internet Security Association and Key Management Protocol) -- the technology used in IPsec virtual private network and firewall products from a range of networking companies, including Cisco and Juniper Networks. Cisco said the security flaw could cause devices to reset over and over, which could cause a temporary denial-of-service attack. It did not mention the possibility of the device being taken over by an intruder, while Juniper said it has been aware of the problem since June, so software issued on or after July 28 provide fixes for the flaw."
We have been running IPsec on Cisco routers for quite some time.
We have always had an explicit allow list for isakmp packets only for the known peers, and a deny with logging for all other sources.
Over the years, there have been only very few logged packets. No need to tell you how many NETBIOS and other wellknown exploitable service packets have been counted (we don't even log these).
It does not look like IPsec is a popular attack vector. Same for PPTP, by the way.