Microsoft KB Archive/248750

= Description of the IPSec policy created for L2TP/IPSec =

Article ID: 248750

Article Last Modified on 3/1/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

-


This article was previously published under Q248750

SUMMARY
Windows automatically creates an Internet Protocol security (IPSec) policy for use with Layer 2 Tunneling Protocol (L2TP)/IPSec connections. This IPSec policy uses local computer (machine) certificates for mutual authentication of the two computers during IKE negotiation.



L2TP Server Policy Creation
The IPSec policy is created automatically by the Routing and Remote Access Service (RRAS) when it starts during boot, and RRAS adds the policy to the IPSec Policy Agent. If the Policy Agent is stopped or restarted, the L2TP IPSec policy is lost. If RRAS starts while the Policy Agent is stopped, the policy is not created. Therefore, whenever the Policy Agent must be restarted or is already stopped, you must first stop and start the Policy Agent and then stop and start RRAS so that the policy is created correctly.

The L2TP server filters are created in the form "Me to Any", "Source port: Any", "Destination port: UDP 1701", where 'Me' represents the IP address(es) bound to the server computer. The filter is mirrored, so it also matches the server's reply traffic from UDP port 1701 to any destination. Only UDP 1701 traffic is covered; the policy protects the L2TP tunnel itself and nothing else on the server.

L2TP Client Policy Creation
On the client, the filters are added to the Policy Agent when an L2TP connection is attempted by using a connection in Network and Dial-up Connections or by using a demand-dial (DOD) interface in the RRAS management console. These filters are created in the form "Me to Server", "Source port: UDP 1701", "Destination port: Any", where 'Server' represents the IP address the client is configured to connect to. These filters remain for the lifetime of the L2TP connection and are deleted when the connection is terminated.

Viewing the Automatic Policy
The policy is not visible in the IP Security Policies snap-in and cannot be configured there. However, you can view the policy itself by using the Netdiag tool after the Policy Agent and RRAS have started. After a connection is made, you can also use Ipsecmon to view the policy and the security associations that the two computers have agreed upon.

Ipsecmon
After a connection has been made, you can use the Ipsecmon utility to view the policies that are in effect. For example, you may see items similar to the following sample output for a default L2TP/IPSec connection (client-to-server or server-to-server). A destination port of 0 means "Any", and "Mirror" indicates that the filter also matches traffic in the reverse direction:

    Policy name:     L2TP Rule
    Security:        ESP DES/CBC HMAC MD5
    Filter name:     No Name - Mirror
    Source address:  IP address or name of computer
    Dest. address:   IP address or name of computer
    Protocol:        UDP
    Src. port:       1701
    Dest. port:      0
    Tunnel endpoint:

Note that "ESP DES/CBC HMAC MD5" is the Windows 2000 default proposal shown in this sample. DES and MD5 are considered weak by current standards; the algorithms you actually see reflect what both peers were able to offer and should be checked, not assumed.

Netdiag
To view the policy when no connection is active (for example, on the server after RRAS has started), use the Netdiag tool, which dumps the IPSec policy that is currently in effect. The command is:

netdiag /test:ipsec /debug

The Netdiag tool is available after installing the Windows Support Tools package. This package is located in the Support\Tools folder on the Windows CD-ROM. After you install this package, Netdiag is located in the Program Files\Support Tools folder.
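The restart order described under "L2TP Server Policy Creation" and the Netdiag check above, combined into one batch script. This is an added example and is not part of this article. It assumes the Windows 2000 service names PolicyAgent (IPSEC Policy Agent) and RemoteAccess (Routing and Remote Access), that Netdiag from the Support Tools is on the PATH, and that the Netdiag dump of the active policy contains the string "1701" for the L2TP filters (an assumption about the dump's wording, not something the article states).

```batch
@echo off
rem Added example, not code from KB 248750. Recreates the automatic L2TP
rem IPSec policy on an RRAS server in the order the article requires, then
rem confirms the policy is present. Run from a command prompt with
rem administrative rights on the server.

rem 1. Stop RRAS first. Its policy is only created while Policy Agent runs,
rem    so RRAS must be started again after Policy Agent, not before.
net stop RemoteAccess

rem 2. Restart the IPSec Policy Agent. Stopping it discards the L2TP policy.
net stop PolicyAgent
net start PolicyAgent
if errorlevel 1 (
    echo Policy Agent failed to start; RRAS would create no L2TP policy.
    exit /b 1
)

rem 3. Start RRAS only now, so it can add the L2TP policy to Policy Agent.
net start RemoteAccess
if errorlevel 1 (
    echo RRAS failed to start.
    exit /b 1
)

rem 4. Verify: dump the active IPSec policy and look for the UDP 1701
rem    filters. The full dump is kept for inspection of the proposals
rem    (for example, whether only DES/MD5 is being offered).
netdiag /test:ipsec /debug > "%TEMP%\ipsec-policy.txt"
findstr /i /c:"1701" "%TEMP%\ipsec-policy.txt"
if errorlevel 1 (
    echo No L2TP filters found in the active IPSec policy.
    echo Check that Policy Agent was running when RRAS started.
    exit /b 1
)
echo L2TP IPSec policy is present. Full dump: %TEMP%\ipsec-policy.txt
```

The script fails fast at each step so that a stopped Policy Agent is noticed before RRAS is started; running the two restarts in the opposite order leaves RRAS running with no L2TP policy, which is the failure mode the article describes.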

Pre-Shared Keys
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

240262 How to configure a L2TP/IPSec connection using pre-shared key authentication

Additional query words: l2tp ipsec

Keywords: kbinfo kbipsec KB248750

-


© Microsoft Corporation. All rights reserved.