Re: IPSec/L2TP VPN and packet fragment filtering security questions

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 2 Jan 2004 09:35:30 -0800

IP fragments are a way of life in the Internet.
It's better to disable this setting.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message -----
From: "Nicholas Palmer" <NICK@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, January 02, 2004 09:06
Subject: [isalist] IPSec/L2TP VPN and packet fragment filtering security
questions


Hi all,

I've got a question about setting up an IPSec/L2TP VPN and ISA
filtering fragmented packets.  I have set up my VPN and it works fine
using PPTP.  So I set up the certificates and put them on the server and
the client and then tried to make an IPSec/L2TP connection from the
client and it failed and the event log said that the reason for failure
was a negotiation timeout.

Using Network Monitor I was able to trace the packets going back and
forth and it appeared that after the initial communication, there was a
fragmented packet.  This seemed to happen repeatedly until the
connection gave up.  So I searched the web and found that when using
ISA, you have to disable fragmented packet filtering for IPSec/L2TP
connections to work.  So my first question is, is this true?

My second question is, is disabling fragmented packet filtering a
bad thing to do?  Does it reduce my level of security?

Thanks
Nick.

____________________
Nicholas Palmer
KCI Computing, Inc.
(nick@xxxxxxxxxxx)
310.921.6222
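
Added example, not part of either message: Python that automates the check described above as done by eye in Network Monitor, finding IP-fragmented datagrams whose first fragment is IKE. It assumes the fragmented packet in the trace was IKE on UDP 500/4500 (the post does not say); the helper `_ip`, the addresses and the packets are constructed sample data.

```python
import struct
from collections import defaultdict

IKE_PORTS = {500, 4500}  # UDP ports used by IKE and IKE NAT-T

def parse_ipv4(pkt: bytes):
    """Return the fragment-relevant fields of a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_off = struct.unpack("!HH", pkt[4:8])
    return {
        # (src, dst, protocol, id) is what a receiver uses to reassemble
        "key": (pkt[12:16], pkt[16:20], pkt[9], ident),
        "more": bool(flags_off & 0x2000),      # MF (more fragments) flag
        "offset": (flags_off & 0x1FFF) * 8,    # fragment offset in bytes
        "payload": pkt[ihl:],
    }

def fragmented_ike(packets):
    """Map reassembly key -> sorted fragment offsets for fragmented IKE."""
    groups, ike = defaultdict(list), set()
    for raw in packets:
        p = parse_ipv4(raw)
        if not p["more"] and p["offset"] == 0:
            continue  # a whole datagram, not a fragment
        groups[p["key"]].append(p["offset"])
        # Only the first fragment (offset 0) carries the UDP header.
        if p["key"][2] == 17 and p["offset"] == 0 and len(p["payload"]) >= 4:
            sport, dport = struct.unpack("!HH", p["payload"][:4])
            if sport in IKE_PORTS or dport in IKE_PORTS:
                ike.add(p["key"])
    return {k: sorted(v) for k, v in groups.items() if k in ike}

def _ip(ident, flags_off, payload, proto=17):
    """Build a constructed IPv4 packet (checksum left at 0) for the demo."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 128, proto, 0,
                      bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return hdr + payload

# Constructed sample: one small IKE packet, then a two-fragment IKE datagram.
SAMPLE = [
    _ip(1, 0x0000, struct.pack("!HHHH", 500, 500, 108, 0) + b"\0" * 100),
    _ip(2, 0x2000, struct.pack("!HHHH", 500, 500, 1608, 0) + b"\0" * 1472),
    _ip(2, 1480 // 8, b"\0" * 128),  # last fragment: MF clear, offset 1480
]

if __name__ == "__main__":
    print(fragmented_ike(SAMPLE))
```

Only the first fragment carries the UDP ports, so a filter that drops fragments prevents the datagram from ever being reassembled at the VPN endpoint.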
