> I find your recommendations hard to take seriously. This is not a
> vulnerability in IPSec, a good reason to disable vpn access, or anything
> like that. Just use some common sense in how you use the crypto. If you
> must use pre-shared keys, choose strong keys; or, use public keys instead
> of pre-shared keying. Surely you agree?

Third option: there are some IPSEC implementations (such as Linksys' BEFVP41 vpn router) which blacklist the attacker's IP for a given amount of time when wrong PSK count overpasses a threshold.
It takes an eternity to try many combinations though :)

just my .02 eurocents

--
Stefan Laudat
CCNA & CCAI
-------------
Marriage is the only adventure open to the cowardly.
-- Voltaire
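
The lockout behaviour described in the reply above, sketched as an added example that is not part of the original post and not any vendor's firmware logic. The class name, the threshold of 5, the 600-second ban and the sample address are all assumptions chosen for illustration; the last function works out how few guesses per day such a policy lets a single source make against the gateway.

```python
from collections import defaultdict

THRESHOLD = 5       # assumed: wrong-PSK attempts tolerated per source
BAN_SECONDS = 600   # assumed: how long a source stays blacklisted


class PskLockout:
    """Hypothetical per-source failure counter with a timed blacklist."""

    def __init__(self, threshold=THRESHOLD, ban_seconds=BAN_SECONDS):
        self.threshold = threshold
        self.ban_seconds = ban_seconds
        self.failures = defaultdict(int)  # source IP -> failures since last success/ban
        self.banned_until = {}            # source IP -> time the ban expires

    def is_banned(self, src, now):
        until = self.banned_until.get(src)
        if until is not None and now >= until:
            del self.banned_until[src]    # ban has expired, forget it
            return False
        return until is not None

    def record(self, src, ok, now):
        """Handle one authentication attempt and return its outcome."""
        if self.is_banned(src, now):
            return "dropped"              # blacklisted: not even evaluated
        if ok:
            self.failures.pop(src, None)  # success resets the counter
            return "ok"
        self.failures[src] += 1
        if self.failures[src] > self.threshold:  # count has passed the threshold
            self.banned_until[src] = now + self.ban_seconds
            self.failures.pop(src, None)
            return "banned"
        return "failed"


def max_guesses_per_day(threshold=THRESHOLD, ban_seconds=BAN_SECONDS):
    """Upper bound for one source, assuming each attempt itself takes no time."""
    per_cycle = threshold + 1             # attempts evaluated before each ban
    return per_cycle * 86400 // ban_seconds


if __name__ == "__main__":
    gw = PskLockout()
    src = "203.0.113.7"                   # constructed sample address
    print([gw.record(src, False, t) for t in range(7)])
    print(max_guesses_per_day(), "guesses/day at most from one source")
```

The bound applies per source address and only to guesses submitted to the gateway itself.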