How to configure an L2TP/IPSec connection by using Preshared Key Authentication
Source: Baidu Wenku   Editor: Shenma Literature Network   Time: 2024/05/01 08:57:05
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows
To configure two Windows 2000-based Routing and Remote Access Service servers that are connected over a LAN to use an L2TP/IPSec connection with preshared key authentication, you must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of the L2TP/IPSec connection. This prevents the automatic filter for L2TP/IPSec traffic from being created.
When the ProhibitIpSec registry value is set to 1, your Windows 2000-based computer does not create the automatic filter that uses CA authentication. Instead, it checks for a local or Active Directory IPSec policy.
To add the ProhibitIpSec registry value to your Windows 2000-based computer, follow these steps:
- Click Start, click Run, type regedt32, and then click OK.
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
- On the Edit menu, click Add Value.
- In the Value Name box, type ProhibitIpSec.
- In the Data Type list, click REG_DWORD, and then click OK.
- In the Data box, type 1, and then click OK.
- Quit Registry Editor, and then restart your computer.
How to create an IPSec policy for use with L2TP/IPSec Connections by using a preshared key
Note The following procedure assumes that the ProhibitIpSec registry value is added to both Windows 2000-based Routing and Remote Access endpoint servers, and that the Windows 2000-based Routing and Remote Access endpoint servers have been restarted.
- Click Start, click Run, type mmc, and then click OK.
- Click Console, click Add/Remove Snap-in, click Add, click IP Security Policy Management, click Add, click Finish, click Close, and then click OK.
- Right-click IP Security Policies on Local Machine, click Create IP Security Policy, and then click Next.
- In the IP Security Policy Name dialog box, type the name for the IP Security policy in the Name box, and then click Next.
- In the Requests for Secure Communication dialog box, click to clear the Activate the default response rule check box, and then click Next.
- Click to select the Edit Properties check box, and then click Finish.
- In the New IP Security Policy Properties dialog box, click Add on the Rules tab, and then click Next.
- In the Tunnel Endpoint dialog box, click This rule does not specify a tunnel, and then click Next.
- In the Network Type dialog box, click All network connections, and then click Next.
- In the Authentication Method dialog box, click Use this string to protect the key exchange (preshared key), type a preshared key, and then click Next.
- In the IP Filter List dialog box, click Add, type a name for the IP filter list in the Name box, click Add, and then click Next.
- In the IP Traffic Source dialog box, click A specific IP Address in the Source address box, type the Transmission Control Protocol/Internet Protocol (TCP/IP) address of the source Windows 2000-based Routing and Remote Access server in the IP Address box, and then click Next.
Note The source address that is used on each Windows 2000-based Routing and Remote Access endpoint server must match. For example, if the source address is 1.1.1.1, you must use 1.1.1.1 as the source address on both Windows 2000-based Routing and Remote Access endpoint servers.
- In the IP Traffic Destination dialog box, click A specific IP Address in the Destination address box, type the TCP/IP address of the destination Windows 2000-based Routing and Remote Access server, and then click Next.
Note The destination address that is used on each Windows 2000-based Routing and Remote Access endpoint server must match. For example, if the destination address is 2.2.2.2, you must use 2.2.2.2 as the destination address on both Windows 2000-based Routing and Remote Access endpoint servers.
- In the IP Protocol Type dialog box, click UDP in the Select a protocol type box, and then click Next.
- In the IP Protocol Port dialog box, click From this port, type 1701 in the From this port box, click To any port, and then click Next.
- Click to select the Edit properties check box, click Finish, and then, in the Filter Properties dialog box, click to select the "Mirrored. Also match packets with the exact opposite source and destination addresses" check box.
- Click OK, and then click Close.
- In the IP Filter List dialog box, click the IP filter that you just created, and then click Next.
- In the Filter Action dialog box, click Add, and then create a new filter action that specifies which integrity and encryption algorithms will be used.
Note This new filter action must have the "Accept unsecured communication, but always respond using IPSec" feature disabled to improve security.
- Click Next, click Finish, and then click Close.
- Right-click the IPSec policy that you just created, and then click Assign.
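To make the Mirrored step concrete, here is an added example (not from the KB article) that models the filter built above: source 1.1.1.1, destination 2.2.2.2, UDP from port 1701 to any port. It shows that without Mirrored the reply traffic from the destination server falls outside the filter and is not handed to the filter action; the addresses are the article's placeholders and the packets are constructed.

```python
# Added example (not from the KB article): model of the IP filter built above, used to
# show what "Mirrored" contributes. 1.1.1.1 / 2.2.2.2 are placeholders; packets are constructed.
from dataclasses import dataclass
from typing import List, Optional

UDP = 17  # IP protocol number for UDP

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int

@dataclass(frozen=True)
class IpFilter:
    src: str
    dst: str
    proto: int
    sport: Optional[int]  # None means "any port"
    dport: Optional[int]
    mirrored: bool = True

    def _one_way(self, p, src, dst, sport, dport) -> bool:
        return (p.src == src and p.dst == dst and p.proto == self.proto
                and (sport is None or p.sport == sport)
                and (dport is None or p.dport == dport))

    def matches(self, p: Packet) -> bool:
        """True if the packet is handed to this rule's filter action."""
        if self._one_way(p, self.src, self.dst, self.sport, self.dport):
            return True
        # Mirrored: also match the exact opposite source and destination (addresses and ports).
        return self.mirrored and self._one_way(p, self.dst, self.src, self.dport, self.sport)

L2TP_FILTER = IpFilter("1.1.1.1", "2.2.2.2", UDP, 1701, None)  # the filter from the steps above

SAMPLE = [  # constructed traffic between the two RRAS endpoints
    Packet("1.1.1.1", "2.2.2.2", UDP, 1701, 1701),  # L2TP from the source server
    Packet("2.2.2.2", "1.1.1.1", UDP, 1701, 1701),  # L2TP reply: matched only by the mirror
    Packet("1.1.1.1", "2.2.2.2", UDP, 500, 500),    # IKE itself: not port 1701, not matched
    Packet("1.1.1.1", "3.3.3.3", UDP, 1701, 1701),  # a third peer: needs its own rule and key
]

def unprotected_without_mirror(packets: List[Packet], flt: IpFilter = L2TP_FILTER) -> List[Packet]:
    """Packets matched only because Mirrored is selected: without it they would travel in the clear."""
    plain = IpFilter(flt.src, flt.dst, flt.proto, flt.sport, flt.dport, mirrored=False)
    return [p for p in packets if flt.matches(p) and not plain.matches(p)]
```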
How to configure an IPSec policy to accept connections by using multiple preshared keys or CAs
After a policy is created with a filter that uses a preshared key, you must create an additional rule within the IPSec policy for other connections that require different preshared keys or CAs.
For additional information about automatic filters that are created by Windows 2000 that use CAs, click the following article numbers to view the articles in the Microsoft Knowledge Base:
248750 (http://support.microsoft.com/kb/248750/) Description of the automatic filter created for use with L2TP/IPSec
253498 (http://support.microsoft.com/kb/253498/) How to install a certificate for use with IP Security
Microsoft does not support preshared keys for L2TP/IPSec VPN or remote clients for the following reasons:
- It subjects a secure protocol to a well-known insecure usage problem: choosing passwords. Published attacks have been shown to reveal weak preshared keys.
- It is not securely deployable. Because access to the company gateway is required by the user who is configuring a preshared key, many users will know this, and it becomes a "group preshared key." A long preshared key would almost definitely have to be written down. Individual computer access could not be revoked until the whole group had switched to a new preshared key.
- As Microsoft has documented in Help, resource kit chapters, and in Microsoft Knowledge Base article number 248711, the Windows 2000 IPSec preshared key is provided only for RFC compliance, for interoperability testing, and for interoperability where security is not a concern. The preshared key is stored in the local registry, which only local administrators can read, but local administrators have to know it in order to set it. Therefore, any local administrator can read it or change it later.
- The support cost of using a preshared key both for customers and for Microsoft would be high.
- Obtaining a certificate for a Windows 2000-based computer can be as easy as a Web page request, or even easier by using Windows 2000 Group Policy autoenrollment when the Windows 2000-based client is a member of a Windows 2000 domain. This is generally the most secure method for deploying an IPSec-based VPN.