Microsoft KB Archive/240262

= How to configure an L2TP/IPSec connection by using Preshared Key Authentication =

Article ID: 240262

Article Last Modified on 10/12/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q240262



Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



INTRODUCTION
Microsoft Windows 2000 automatically creates an Internet Protocol Security (IPSec) policy that is used with Layer 2 Tunneling Protocol (L2TP)/IPSec connections that require a certificate for Internet Key Exchange (IKE) authentication. Microsoft supports L2TP/IPSec gateway-to-gateway virtual private network (VPN) implementations that use a preshared key for IKE authentication. However, Microsoft does not support using a preshared key for IKE authentication on remote access L2TP/IPSec client connections. Windows 2000 is compliant with IKE RFC 2409 and lets you implement a preshared key for IKE authentication on remote access L2TP/IPSec client connections, but we recommend that you use this implementation for testing only.

To implement the preshared key authentication method for use with an L2TP/IPSec connection:
 * You must add the ProhibitIpSec registry value to both Windows 2000-based endpoint computers.
 * You must manually configure an IPSec policy before an L2TP/IPSec connection can be established between two Windows 2000-based computers.

This article describes how to configure two Windows 2000-based Routing and Remote Access Service servers that are connected over a Local Area Network (LAN) to use an L2TP/IPSec connection with preshared key authentication. Also included is information about how to configure an IPSec policy to accept connections by using multiple preshared keys or certification authorities (CAs).



MORE INFORMATION
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To configure two Windows 2000-based Routing and Remote Access Service servers that are connected over a LAN to use an L2TP/IPSec connection with preshared key authentication, you must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of the L2TP/IPSec connection. This prevents the automatic filter for L2TP/IPSec traffic from being created.

When the ProhibitIpSec registry value is set to 1, your Windows 2000-based computer does not create the automatic filter that uses CA authentication. Instead, it checks for a local or Active Directory IPSec policy.

To add the ProhibitIpSec registry value to your Windows 2000-based computer, follow these steps:
 * 1) Click Start, click Run, type regedt32, and then click OK.
 * 2) Locate, and then click the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

 * 3) On the Edit menu, click Add Value.
 * 4) In the Value Name box, type ProhibitIpSec.
 * 5) In the Data Type list, click REG_DWORD, and then click OK.
 * 6) In the Data box, type 1, and then click OK.
 * 7) Quit Registry Editor, and then restart your computer.

How to create an IPSec policy for use with L2TP/IPSec Connections by using a preshared key
Note The following procedure assumes that the ProhibitIpSec registry value is added to both Windows 2000-based Routing and Remote Access endpoint servers, and that the Windows 2000-based Routing and Remote Access endpoint servers have been restarted.
 * 1) Click Start, click Run, type mmc, and then click OK.
 * 2) Click Console, click Add/Remove Snap-in, click Add, click IP Security Policy Management, click Add, click Finish, click Close, and then click OK.
 * 3) Right-click IP Security Policies on Local Machine, click Create IP Security Policy, and then click Next.
 * 4) In the IP Security Policy Name dialog box, type the name for the IP Security policy in the Name box, and then click Next.
 * 5) In the Requests for Secure Communication dialog box, click to clear the Activate the default response rule check box, and then click Next.
 * 6) Click to select the Edit Properties check box, and then click Finish.
 * 7) In the New IP Security Policy Properties dialog box, click Add on the Rules tab, and then click Next.
 * 8) In the Tunnel Endpoint dialog box, click This rule does not specify a tunnel, and then click Next.
 * 9) In the Network Type dialog box, click All network connections, and then click Next.
 * 10) In the Authentication Method dialog box, click Use this string to protect the key exchange (preshared key), type a preshared key, and then click Next.
 * 11) In the IP Filter List dialog box, click Add, type a name for the IP filter list in the Name box, click Add, and then click Next.
 * 12) In the IP Traffic Source dialog box, click A specific IP Address in the Source address box, type the Transmission Control Protocol/Internet Protocol (TCP/IP) address of the source Windows 2000-based Routing and Remote Access server in the IP Address box, and then click Next.

Note The source address that is used on each Windows 2000-based Routing and Remote Access endpoint server must match. For example, if the source address is 1.1.1.1, you must use 1.1.1.1 as the source address on both Windows 2000-based Routing and Remote Access endpoint servers.
 * 13) In the IP Traffic Destination dialog box, click A specific IP Address in the Destination address box, type the TCP/IP address of the destination Windows 2000-based Routing and Remote Access server, and then click Next.

Note The destination address that is used on each Windows 2000-based Routing and Remote Access endpoint server must match. For example, if the destination address is 2.2.2.2, you must use 2.2.2.2 as the destination address on both Windows 2000-based Routing and Remote Access endpoint servers.
 * 14) In the IP Protocol Type dialog box, click UDP in the Select a protocol type box, and then click Next.
 * 15) In the IP Protocol Port dialog box, click From this port, type 1701 in the From this port box, click To any port, and then click Next.
 * 16) Click to select the Edit properties check box, click Finish, and then, in the Filter Properties dialog box, click to select the "Mirrored. Also match packets with the exact opposite source and destination addresses" check box.
 * 17) Click OK, and then click Close.
 * 18) In the IP Filter List dialog box, click the IP filter that you just created, and then click Next.
 * 19) In the Filter Action dialog box, click Add, and then create a new filter action that specifies which integrity and encryption algorithms will be used.

Note This new filter action must have the "Accept unsecured communication, but always respond using IPSec" option disabled to improve security.
 * 20) Click Next, click Finish, and then click Close.
 * 21) Right-click the IPSec policy that you just created, and then click Assign.

Note You must configure both Windows 2000-based Routing and Remote Access endpoint servers the same way. The IPSec filter is viewed from one side of the connection when it is set up on the first Windows 2000-based Routing and Remote Access endpoint server, and then a replica of the IPSec filter is created on the second Windows 2000-based Routing and Remote Access endpoint server. Based on the example that is described earlier in this article, if the first Windows 2000-based Routing and Remote Access endpoint server has a TCP/IP address of 1.1.1.1, and the second Windows 2000-based Routing and Remote Access endpoint server has a TCP/IP address of 2.2.2.2, a filter would be created within the IPSec policy on both Windows 2000-based Routing and Remote Access endpoint servers with a source address of 1.1.1.1, and a destination address of 2.2.2.2. This permits either Windows 2000-based Routing and Remote Access endpoint server to initiate the connection.
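As an added check that is not part of the original article, the following Python snippet encodes the requirements above (ProhibitIpSec set to 1 on both servers, a mirrored UDP filter from port 1701 to any port, identical source and destination addresses on both sides rather than swapped ones, matching preshared keys, and the "Accept unsecured communication" option disabled) so that two endpoint configurations can be compared before the policy is assigned. The EndpointConfig data model and the sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class EndpointConfig:
    """Constructed model of one Routing and Remote Access endpoint (not a Windows API)."""
    name: str
    prohibit_ipsec: int          # HKLM\System\CurrentControlSet\Services\Rasman\Parameters\ProhibitIpSec
    src: str                     # filter source address as typed in the IP Traffic Source dialog
    dst: str                     # filter destination address as typed in the IP Traffic Destination dialog
    protocol: str                # protocol selected in the IP Protocol Type dialog
    from_port: int               # "From this port" value
    to_port: Optional[int]       # None means "To any port"
    mirrored: bool               # "Mirrored. Also match packets with the exact opposite ..." check box
    preshared_key: str           # string typed in the Authentication Method dialog
    accept_unsecured: bool       # "Accept unsecured communication, but always respond using IPSec"


def check_pair(a: EndpointConfig, b: EndpointConfig) -> List[str]:
    """Return findings for the two endpoints; an empty list means they match the procedure."""
    findings: List[str] = []
    for ep in (a, b):
        if ep.prohibit_ipsec != 1:
            findings.append(f"{ep.name}: ProhibitIpSec must be 1, otherwise the automatic CA-based filter is still created")
        if ep.protocol.upper() != "UDP" or ep.from_port != 1701 or ep.to_port is not None:
            findings.append(f"{ep.name}: filter must be UDP from port 1701 to any port")
        if not ep.mirrored:
            findings.append(f"{ep.name}: filter must be mirrored so that either server can initiate")
        if ep.accept_unsecured:
            findings.append(f"{ep.name}: disable 'Accept unsecured communication, but always respond using IPSec'")
    # Both servers must carry the same source and destination, not the reverse of each other.
    if (a.src, a.dst) == (b.dst, b.src) and a.src != a.dst:
        findings.append("addresses swapped: both servers must use the same source and destination (the mirrored option covers the reverse direction)")
    elif (a.src, a.dst) != (b.src, b.dst):
        findings.append("filter source/destination addresses differ between the two servers")
    if a.preshared_key != b.preshared_key:
        findings.append("preshared keys differ; IKE authentication between the servers will fail")
    return findings


def sample_pair(swap_second: bool = False) -> List[str]:
    """Build the 1.1.1.1 -> 2.2.2.2 example from the article (constructed values) and check it."""
    first = EndpointConfig("server1", 1, "1.1.1.1", "2.2.2.2", "UDP", 1701, None, True, "example-key", False)
    src, dst = ("2.2.2.2", "1.1.1.1") if swap_second else ("1.1.1.1", "2.2.2.2")
    second = EndpointConfig("server2", 1, src, dst, "UDP", 1701, None, True, "example-key", False)
    return check_pair(first, second)
```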

How to configure an IPSec policy to accept connections by using multiple preshared keys or CAs
After a policy is created with a filter that uses a preshared key, you must create an additional rule within the IPSec policy for other connections that require different preshared keys or CAs.

For additional information about automatic filters that are created by Windows 2000 that use CAs, click the following article number to view the article in the Microsoft Knowledge Base:

248750 Description of the automatic filter created for use with L2TP/IPSec

253498 How to install a certificate for use with IP Security

Microsoft does not support preshared keys for L2TP/IPSec VPN or remote clients for the following reasons:
 * It subjects a secure protocol to a well-known insecure usage problem: choosing passwords. Published attacks have been shown to reveal weak preshared keys.
 * It is not securely deployable. Because access to the company gateway is required by the user who is configuring a preshared key, many users will know the key, and it becomes a "group preshared key." A long preshared key would almost definitely have to be written down. Individual computer access could not be revoked until the whole group had switched to a new preshared key.
 * As Microsoft has documented in Help, in resource kit chapters, and in Microsoft Knowledge Base article 248711, the Windows 2000 IPSec preshared key is provided only for RFC compliance, for interoperability testing, and for interoperability where security is not a concern. The preshared key is stored in the local registry, which only local administrators have read access to, but local administrators have to know it and set it. Therefore, any local administrator can see it in the future or change it.
 * The support cost of using a preshared key, both for customers and for Microsoft, would be high.
 * Obtaining a certificate for a Windows 2000-based computer can be as easy as a Web page request, or even easier by using Windows 2000 Group Policy autoenrollment when the Windows 2000-based client is a member of a Windows 2000 domain. This is generally the most secure method for deploying IPSec-based VPNs.

Microsoft does support gateway-to-gateway L2TP/IPSec VPN tunnels with a preshared key because the key must be configured locally on that gateway by a very knowledgeable gateway administrator on a per-static-IP-address basis. IPSec tunnels are only supported where static IP addresses are used, and for address-based policy selectors only, not port and protocol. We recommend that you use L2TP/IPSec for gateway-to-gateway connections. Use IPSec tunnel mode for gateway-to-gateway connections only if L2TP/IPSec is not an option.

Additional query words: secret

Keywords: kbenv kbhowto kbnetwork KB240262


© Microsoft Corporation. All rights reserved.