Microsoft KB Archive/258261

= Disabling IPSEC Policy Used with L2TP =

Article ID: 258261

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

-



This article was previously published under Q258261



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
The RemoteAccess and PolicyAgent services automatically create an IPSEC policy (a filter) that protects L2TP traffic, because L2TP itself does not provide encryption; IPSEC supplies the confidentiality and integrity protection for the tunnel. Under some conditions, it may be useful to disable this automatic policy.

Possible Reasons for Disabling this Automatic Policy

 * Configuring L2TP to use pre-shared keys. Certificates are recommended, but pre-shared keys are available for interoperability. For additional information about how to do so, click the article number below to view the article in the Microsoft Knowledge Base:

240262 How to Configure a L2TP/IPSec Connection Using a Pre-shared Key

 * Troubleshooting L2TP/IPSec connections. When this policy is disabled and no domain or local machine IPSEC policy is assigned, L2TP connections are attempted without IPSEC (plain UDP port 1701 packets). If the policy has been disabled on both the client and the server, it is possible to create an L2TP tunnel without IPSEC; the tunnel traffic is then sent with no encryption.

WARNING: Disabling IPSEC for L2TP connections is a severe reduction in security and is recommended only for troubleshooting.

 * You receive the following error message in the event log:

Event ID: 20171

Source: Remote Access

Description: Failed to apply IP Security on port VPNx-x because of error: The RPC server is unavailable. No calls will be accepted to this port.





MORE INFORMATION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of an L2TP/IPSec connection to prevent the automatic filter for L2TP/IPSec traffic from being created. When the ProhibitIpSec registry value is set to 1, your Windows 2000-based computer does not create the automatic filter that uses certificate (CA) authentication. Instead, it checks for a local or Active Directory IPSEC policy; if no such policy is assigned, L2TP traffic is sent without IPSEC. To add the ProhibitIpSec registry value to your Windows 2000-based computer, use Registry Editor (Regedt32.exe) to locate the following key in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

Add the following registry value to this key:

Value Name: ProhibitIpSec

Data Type: REG_DWORD

Value: 1

Note that you must restart your Windows 2000-based computer for the changes to take effect.
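The following PowerShell script is an added example and is not part of this article. It sets the ProhibitIpSec value described above, reads it back to confirm the write landed under the right key, and provides a routine to restore the default. It assumes an elevated PowerShell session; Windows 2000 itself ships no PowerShell, so on that platform use Regedt32.exe as described above. The function names are the author's own.

```powershell
# Added example (not from KB 258261): manage the ProhibitIpSec value that
# suppresses the automatic L2TP/IPSEC filter created by RemoteAccess/PolicyAgent.
# Assumptions: elevated PowerShell; function names are hypothetical.

$script:RasmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rasman\Parameters'
$script:ValueName = 'ProhibitIpSec'

function Get-ProhibitIpSec {
    # Returns the current DWORD, or $null when the value is absent.
    # Absent is the default: the automatic L2TP/IPSEC filter is created.
    $item = Get-ItemProperty -Path $script:RasmanKey -Name $script:ValueName `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$script:ValueName
}

function Set-ProhibitIpSec {
    param([ValidateSet(0, 1)][int]$Value)

    # REG_DWORD, as the article specifies; -Force overwrites an existing value.
    New-ItemProperty -Path $script:RasmanKey -Name $script:ValueName `
                     -PropertyType DWord -Value $Value -Force | Out-Null

    # Read back immediately so a mistyped path or a permissions problem is
    # caught here, rather than showing up later as a connection that still
    # behaves as if the automatic filter were present (or absent).
    $actual = Get-ProhibitIpSec
    if ($actual -ne $Value) {
        throw "Readback of $($script:ValueName) returned '$actual', expected $Value"
    }
    Write-Warning "ProhibitIpSec=$Value takes effect only after a restart."
    if ($Value -eq 1) {
        Write-Warning 'With the automatic filter suppressed and no IPSEC policy assigned, L2TP traffic (UDP 1701) is sent without IPSEC. Troubleshooting only.'
    }
}

function Restore-ProhibitIpSecDefault {
    # Removing the value returns the machine to the default behaviour
    # (automatic filter created). A restart is still required.
    Remove-ItemProperty -Path $script:RasmanKey -Name $script:ValueName `
                        -ErrorAction SilentlyContinue
    if ($null -ne (Get-ProhibitIpSec)) {
        throw "Failed to remove $($script:ValueName)"
    }
    Write-Warning 'Default restored; restart the computer for it to take effect.'
}

# Usage: disable the automatic filter on THIS endpoint. The article notes the
# value must be added on each endpoint of the connection.
Set-ProhibitIpSec -Value 1

# When troubleshooting is finished:
# Restore-ProhibitIpSecDefault
```

Run the script on both the client and the server, then restart each; a value set on only one endpoint leaves the two sides with different expectations about IPSEC for the L2TP traffic.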

Additional query words: preshared keys l2tp

Keywords: kbinfo KB258261

-


© Microsoft Corporation. All rights reserved.