How to configure an L2TP/IPSec connection by using Preshared Key Authentication

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows o configure two Windows 2000-based Routing and Remote Access Service servers that are connected over a LAN to use an L2TP/IPSec connection with preshared Key authentication, you must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of an L2TP/IPSec connection to prevent the automatic filter for L2TP/IPSec traffic from being created.

When the ProhibitIpSec registry value is set to 1, your Windows 2000-based computer does not create the automatic filter that uses CA authentication. Instead, it checks for a local or Active Directory IPSec policy.

To add the ProhibitIpSec registry value to your Windows 2000-based computer, follow these steps:

1. Click Start, click Run, type regedt32, and then click OK.
2. Locate, and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
3. On the Edit menu, click Add Value.
4. In the Value Name box, type ProhibitIpSec.
5. In the Data Type list, click REG_DWORD, and then click OK.
6. In the Data box, type 1, and then click OK.
7. Quit Registry Editor, and then restart your computer.

Back to the top

How to create an IPSec policy for use with L2TP/IPSec Connections by using a preshared key

Note The following procedure assumes that the ProhibitIpSec registry value is added to both Windows 2000-based Routing and Remote Access endpoint servers, and that the Windows 2000-based Routing and Remote Access endpoint servers have been restarted.

1. Click Start, click Run, type mmc, and then click OK.
2. Click Console, click Add/Remove Snap-in, click Add, click IP Security Policy Management, click Add, click Finish, click Close, and then click OK.
3. Right-click IP Security Policies on Local Machine, click Create IP Security Policy, and then click Next.
4. In the IP Security Policy Name dialog box, type the name for the IP Security policy in the Name box, and then click Next.
5. In the Requests for Secure Communication dialog box, click to clear the Activate the default response rule check box, and then click Next.
6. Click to select the Edit Properties check box, and then click Finish.
7. In the New IP Security Policy Properties dialog box, click Add on the Rules tab, and then click Next.
8. In the Tunnel Endpoint dialog box, click This rule does not specify a tunnel, and then click Next.
9. In the Network Type dialog box, click All network connections, and then click Next.
10. In the Authentication Method dialog box, click Use this string to protect the key exchange (preshared key), type a preshared key, and then click Next.
11. In the IP Filter List dialog box, click Add, type a name for the IP filter list in the Name box, click Add, and then click Next.
12. In the IP Traffic Source dialog box, click A specific IP Address in the Source address box, type the Transport Control Protocol/Internet Protocol (TCP/IP) address of the source Windows 2000-based Routing and Remote Access server in the IP Address box, and then click Next.
    
    Note The source address that is used on each Windows 2000-based Routing and Remote Access endpoint server must match. For example, if the source address is 1.1.1.1, you must use 1.1.1.1 as a source address on both Windows 2000-based Routing and Remote Access endpoint servers.
13. In the IP Traffic Destination dialog box, click A specific IP Address in the Destination address box, type the TCP/IP address of the destination Windows 2000-based Routing and Remote Access server, and then click Next.
    
    Note The destination address that is used on each Windows 2000-based Routing and Remote Access endpoint server must match. For example, if the destination address is 2.2.2.2, you must use 2.2.2.2 as a destination address on both Windows 2000-based Routing and Remote Access endpoint servers.
14. In the IP Protocol Type dialog box, click UDP in the Select a protocol type box, and then click Next.
15. In the IP Protocol Port dialog box, click From this port, type 1701 in the From this port box, click To any port, and then click Next.
16. Click to select the Edit properties check box, click Finish, and then click to select the Mirrored. Also match packets with the exact opposite source and destination addresses check box in the Filter Properties dialog box.
17. Click OK, and then click Close.
18. In the IP Filter List dialog box, click the IP filter that you just created, and then click Next.
19. In the Filter Action dialog box, click Add, and then create a new filter action that specifies which integrity and encryption algorithms will be used.
    
    Note This new filter action must have the "Accept unsecured communication, but always respond using IPSec" feature disabled to improve security.
20. Click Next, click Finish, and then click Close.
21. Right-click the IPSec policy that you just created, and then click Assign.

Note You must configure both Windows 2000-based Routing and Remote Access endpoint servers the same way. The IPSec filter is viewed from one side of the connection when it is set up on the first Windows 2000-based Routing and Remote Access endpoint server, and then a replica of the IPSec filter is created on the second Windows 2000-based Routing and Remote Access endpoint server. Based on the example that is described earlier in this article, if the first Windows 2000-based Routing and Remote Access endpoint server has a TCP/IP address of 1.1.1.1, and the second Windows 2000-based Routing and Remote Access endpoint server has a TCP/IP address of 2.2.2.2, a filter would be created within the IPSec policy on both Windows 2000-based Routing and Remote Access endpoint servers with a source address of 1.1.1.1, and a destination address of 2.2.2.2. This permits either Windows 2000-based Routing and Remote Access endpoint server to initiate the connection.Back to the top

How to configure an IPSec policy to accept connections by using multiple preshared keys or CAs

After a policy is created with a filter by using a preshared Key, you must create an additional rule within the IPSec policy for other connections that require different preshared keys or CAs.

For additional information about automatic filters that are created by Windows 2000 that use CAs, click the following article number to view the article in the Microsoft Knowledge Base:248750  (http://support.microsoft.com/kb/248750/ ) Description of the automatic filter created for use with L2TP/IPSec 253498  (http://support.microsoft.com/kb/253498/ ) How to install a certificate for use with IP Security

Microsoft does not support preshared keys for L2TP/IPSec VPN or remote clients for the following reasons:

• It subjects a secure protocol to a well-known nonsecure usage problem, selecting passwords. Published attacks have been shown to reveal weak preshared keys.
• It is not securely deployable. Because access to the company gateway is required by the user who is configuring a preshared key, many users will know this, and it becomes a "group preshared key." A long preshared key would almost definitely have to be written down. Individual computer access could not be revoked until the whole group had switched to a new preshared key.
• As Microsoft has documented in Help, resource kit chapters, and in Microsoft Knowledge Base article number 248711, the Windows 2000 IPSec preshared key is provided only for RFC compliance, for interoperability testing, and interoperability where security is not a concern. The preshared key is stored in the local registry which only local administrators have read access to, but local administrators have to know it and set it. Therefore, any local administrator can see it in the future or change it.
• The support cost of using a preshared key both for customers and for Microsoft would be high.
• Getting a Windows 2000-based computer certificates can be as easy as a Web page request, or even easier by using Windows 2000 Group Policy autoenrollment when the Windows 2000-based client is a member of a Windows 2000 domain. This is generally the most secure method for deploying IPSec-based VPN.

Microsoft does support VPN L2TP/IPSec tunnels gateway-to-gateway with a preshared key because it must be configured locally on that gateway by a very knowledgeable gateway administrator on a per-static IP adddress basis. IPSec tunnels are only supported where static IP addresses are used, and for address-based policy selectors only, not port and protocol. We recommend that you use L2TP/IPSec for gateway-to-gateway. Use IPSec tunnel mode for gateway-to-gateway only if L2TP/IPSec is not an option.