How to Configure a L2TP/IPSec Connection Using Pre-shared Key Authentication

ID: Q240262


The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Server

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY

Windows 2000 automatically creates an Internet Protocol Security (IPSec) policy to be used with Layer 2 Tunneling Protocol (L2TP)/IPSec connections that implements a filter using the Certificate Authority (CA) authentication method. To implement the Pre-shared Key authentication method for use with a L2TP/IPSec connection:

  • You must add the ProhibitIpSec registry value to both Windows 2000-based endpoint computers.


  • You must manually configure an IPSec policy before a L2TP/IPSec connection can be established between two Windows 2000-based computers.


This article describes how to configure two Windows 2000-based Routing and Remote Access Service (RRAS) servers that are connected over a Local Area Network (LAN) to use a L2TP/IPSec connection with Pre-shared Key authentication. Also included is information about how to configure an IPSec policy to accept connections using multiple Pre-shared Keys or CAs.


MORE INFORMATION

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

You must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of a L2TP/IPSec connection to prevent the automatic filter for L2TP/IPSec traffic from being created. When the ProhibitIpSec registry value is set to 1, your Windows 2000-based computer does not create the automatic filter that uses CA authentication. Instead, it checks for a local or Active Directory IPSec policy. To add the ProhibitIpSec registry value to your Windows 2000-based computer, use Registry Editor (Regedt32.exe) to locate the following key in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
Add the following registry value to this key:

Value Name: ProhibitIpSec
Data Type: REG_DWORD
Value: 1

Note that you must restart your Windows 2000-based computer for the changes to take effect.

How to Create an IPSec Policy for Use with L2TP/IPSec Connections Using a Pre-shared Key

NOTE: The following procedure assumes the ProhibitIpSec registry value described earlier in this article has already been added to both Windows 2000-based RRAS endpoint servers, and that the Windows 2000-based RRAS endpoint servers have been restarted.
  1. Click Start, click Run, type mmc, and then click OK.


  2. Click Console, click Add/Remove Snap-in, click Add, click IP Security Policy Management, click Finish, click Close, and then click OK.


  3. Right-click IP Security Policies on Local Machine, click Create IP Security Policy, and then click Next.


  4. In the IP Security Policy Name dialog box, type the name for the IP Security policy in the Name box, and then click Next.


  5. In the Requests for Secure Communication dialog box, click to clear the Activate the default response rule check box, and then click Next.


  6. Click to select the Edit Properties check box, and then click Finish.


  7. In the New IP Security Policy Properties dialog box, on the Rules tab, click Add, and then click Next.


  8. In the Tunnel Endpoint dialog box, click This rule does not specify a tunnel, and then click Next.


  9. In the Network Type dialog box, click All network connections, and then click Next.


  10. In the Authentication Method dialog box, click Use this string to protect the key exchange (pre-shared key), type a pre-shared key, and then click Next.


  11. In the IP Filter List dialog box, click Add, type a name for the IP filter list in the Name box, click Add, and then click Next.


  12. In the IP Traffic Source dialog box, click A specific IP Address in the Source address box, type the Transmission Control Protocol/Internet Protocol (TCP/IP) address of the source Windows 2000-based RRAS server in the IP Address box, and then click Next.

    NOTE: The source address used on each Windows 2000-based RRAS endpoint server must match. For example, if the source address is 1.1.1.1, you must use 1.1.1.1 as a source address on both Windows 2000-based RRAS endpoint servers.


  13. In the IP Traffic Destination dialog box, click A specific IP Address in the Destination address box, type the TCP/IP address of the destination Windows 2000-based RRAS server, and then click Next.

    NOTE: The destination address used on each Windows 2000-based RRAS endpoint server must match. For example, if the destination address is 2.2.2.2, you must use 2.2.2.2 as a destination address on both Windows 2000-based RRAS endpoint servers.


  14. In the IP Protocol Type dialog box, click UDP in the Select a protocol type box, and then click Next.


  15. In the IP Protocol Port dialog box, click From this port, type 1701 in the From this port box, click To any port, and then click Next.


  16. Click to select the Edit properties check box, click Finish, click to select the Mirrored. Also match packets with the exact opposite source and destination addresses check box in the Filter Properties dialog box, click OK, and then click Close.


  17. In the IP Filter List dialog box, click the IP filter you just created, and then click Next.


  18. In the Filter Action dialog box, click Require Security.

    NOTE: If a lockdown filter action is needed, click Edit, click to clear the Accept unsecured communication, but always respond using IPSec check box, and then click OK.


  19. Click Next, click Finish, and then click Close.


  20. Right-click the IPSec policy you just created, and then click Assign.


NOTE: You must configure both Windows 2000-based RRAS endpoint servers the exact same way. The IPSec filter is viewed from one side of the connection when it is set up on the first Windows 2000-based RRAS endpoint server, and then a replica of the IPSec filter is created on the second Windows 2000-based RRAS endpoint server. Based on the example described earlier in this article, if the first Windows 2000-based RRAS endpoint server has a TCP/IP address of 1.1.1.1, and the second Windows 2000-based RRAS endpoint server has a TCP/IP address of 2.2.2.2, a filter would be created within the IPSec policy on both Windows 2000-based RRAS endpoint servers with a source address of 1.1.1.1, and a destination address of 2.2.2.2. This permits either Windows 2000-based RRAS endpoint server to initiate the connection.
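As an added illustration (not part of the original article), the following Python model of the mirrored filter from steps 12 through 16 shows which packets the rule covers from either side and checks that both endpoints carry the identical filter; the addresses 1.1.1.1 and 2.2.2.2 are the article's example values and the packet samples are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the IPSec filter built in steps 12-16; an added
# illustration, not Windows 2000 code.
@dataclass(frozen=True)
class L2tpFilter:
    source: str                       # step 12: "A specific IP Address"
    destination: str                  # step 13: "A specific IP Address"
    protocol: str = "UDP"             # step 14
    from_port: Optional[int] = 1701   # step 15: "From this port" 1701
    to_port: Optional[int] = None     # step 15: "To any port"
    mirrored: bool = True             # step 16: "Mirrored" check box

    def _one_way(self, src, dst, proto, sport, dport, s_ip, d_ip, s_port, d_port):
        return (proto == self.protocol and src == s_ip and dst == d_ip
                and (s_port is None or sport == s_port)
                and (d_port is None or dport == d_port))

    def matches(self, src, dst, proto, sport, dport):
        """True if the packet falls under this filter, so Require Security applies."""
        forward = self._one_way(src, dst, proto, sport, dport,
                                self.source, self.destination,
                                self.from_port, self.to_port)
        if forward or not self.mirrored:
            return forward
        # Mirrored: also match the exact opposite source/destination (ports swap too).
        return self._one_way(src, dst, proto, sport, dport,
                             self.destination, self.source,
                             self.to_port, self.from_port)

def policies_consistent(first: L2tpFilter, second: L2tpFilter) -> bool:
    """The article requires both RRAS endpoints to carry the identical filter."""
    return first == second

# The filter as entered on BOTH servers, per the note above (constructed sample).
FILTER = L2tpFilter(source="1.1.1.1", destination="2.2.2.2")

def demo():
    # Server 1 initiates L2TP to server 2: UDP 1.1.1.1:1701 -> 2.2.2.2:1701.
    a = FILTER.matches("1.1.1.1", "2.2.2.2", "UDP", 1701, 1701)
    # Server 2 initiates: covered only because the filter is mirrored.
    b = FILTER.matches("2.2.2.2", "1.1.1.1", "UDP", 1701, 1701)
    # Unrelated HTTP traffic between the same hosts is outside the rule.
    c = FILTER.matches("1.1.1.1", "2.2.2.2", "TCP", 40000, 80)
    # A second server entered with the addresses swapped does not match the
    # first server's filter, which the article's note forbids.
    swapped = L2tpFilter(source="2.2.2.2", destination="1.1.1.1")
    return a, b, c, policies_consistent(FILTER, FILTER), policies_consistent(FILTER, swapped)
```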

How to Configure an IPSec Policy to Accept Connections Using Multiple Pre-shared Keys or CAs

After a policy is created with a filter that uses a Pre-shared Key, each additional connection that requires a different Pre-shared Key or a CA needs its own additional rule within the same IPSec policy.

Additional query words: secret

Keywords : kbenv kbnetwork kbtool
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbhowto


Last Reviewed: January 12, 2000
© 2000 Microsoft Corporation. All rights reserved.