Virtual Private Networking

Previous Topic Next Topic

Pre-shared Key Authentication for L2TP over IPSec Router-to-Router VPN Connections

By default, both the L2TP client and L2TP server for Windows 2000 are pre-configured for certificate-based IPSec authentication. When you make an L2TP over IPSec connection, an IPSec policy is automatically created to specify that the Internet Key Exchange (IKE) will use certificate-based authentication during the negotiation of security settings for L2TP. This means that both the L2TP client and L2TP server must have a computer certificate (also known as a machine certificate) installed before a successful L2TP over IPSec connection can be established. Both computer certificates must either be from the same certificate authority (CA), or the root certificate of each computer's CA must be installed as a trusted root certificate authority in each other's trusted root certificate store. For more information about IPSec, see "Internet Protocol Security" in the TCP/IP Core Networking Guide.

In some cases, a certificate-based IPSec authentication method is not desired for L2TP-based router-to-router VPN connections. For example, if you have a small organization and do not want to deploy a certificate infrastructure, or you are connecting to routers that do not support certificate-based IPSec authentication. In these cases, you can manually configure IPSec policy to use pre-shared keys when creating router-to-router VPN connections. This pre-shared authentication key acts like a simple password in the IKE negotiation, if both sides can prove they know the same password, then they trust each other and will continue to negotiate private, symmetric encryption keys, and specific security settings for L2TP traffic.

Using an IKE pre-shared key is generally considered not as secure as using certificates because the IKE authentication (and implicit trust) is dependent on the key value only, which is stored in plain text format in the IPSec policy. Anyone who views the policy can see the pre-shared key value. If a malicious user views the pre-shared key, then they could configure their system to successfully establish IPSec security with your system. However, the L2TP connection requires user level authentication using a PPP authentication protocol. Therefore, a malicious user would have to know both the pre-shared key and the proper user credentials to successfully establish the L2TP over IPSec connection.

To perform pre-shared key authentication for L2TP over IPSec router-to-router VPN connections, you must change a registry setting and then configure IPSec policy settings.

To prevent the Routing and Remote Access service from automatically creating an IPSec policy for L2TP traffic, set the value of ProhibitIpSec to 1 (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan \Parameters). By default, ProhibitIpSec is set to 0. When ProhibitIpSec is set to 1, the encryption settings on the demand-dial interface configured on the calling router are ignored in favor of the encryption settings of the manually configured IPSec policy. The computer must be restarted for the changes to this registry setting to take effect.

Where you configure the IPSec settings depends on the following:

Before creating IPSec policy, you must decide whether all sites being connected will use the same pre-shared key or whether each connection will use a separate pre-shared key. This decision impacts how IPSec filter lists and policy are configured.

The same pre-shared key may be used when one administrator or company controls both L2TP tunnel endpoints.

Different pre-shared keys may be used when configuring L2TP tunnels between systems that are not under the same administrative or corporate security control. For example, one Windows 2000 VPN server may be configured to communicate to six different business partners, each of which need a different IKE pre-shared key for L2TP connections.

For example purposes, the following sections discuss the IPSec configuration required for a router that is using L2TP over IPSec pre-shared key authentication for router-to-router VPN connections between a corporate hub office in New York and two branch offices; one in Boston and one in London.


note-icon

Note

If you have a Windows 2000 VPN server that is communicating to other L2TP clients or servers using the default certificate-based IPSec authentication, and you want to use IPSec pre-shared key authentication for one L2TP/IPSec tunnel, then you must include rules to use certificate authentication for those systems already using it, as well as a rule for pre-shared key authentication in the same IPSec policy.

Same Pre-shared Key for All Connections

To use the same pre-shared key for all L2TP over IPSec router-to-router VPN connections, configure the following:

  1. Using the Routing and Remote Access snap-in, create the appropriate demand-dial interfaces. In our example, create a demand-dial interface for the connection to the Boston branch office and a demand-dial interface to the London branch office.
  2. Using the IP Security Policies snap-in, create an IPSec filter action that does not allow unsecured L2TP communication.
  3. Create one IPSec filter list that contains filters for all the L2TP over IPSec connections using the same IKE pre-shared authentication key value. Each filter within the filter list is for a specific location. Using our example, you would configure a filter list with two filters, one filter defining the L2TP traffic to the Boston router and one filter defining the L2TP traffic to the London router.
  4. Create a new IPSec policy that uses a single active rule; a rule that uses the filter action that does not allow unsecured L2TP communication, the filter list for all the L2TP over IPSec connections, and a pre-shared key as the authentication method.

Creating the Filter Action

To create a filter action that does not permit unsecured L2TP communication, create a filter action with the following properties:

The example discussed here use the same encryption strength for all destinations. However, you may need to create filter actions specific to a destination, depending on the IPSec security capabilities of the remote system. For example, a filter action for Boston may require only 3DES encryption, whereas a filter action for London may require only DES due to cryptography export restrictions. To handle both 3DES and DES in the same filter action, include them both in the filter action security method list, putting 3DES first to make sure it is selected first when possible.

Creating the Filter List for the Same Pre-shared Key for all Connections

To configure a filter list that contains all L2TP-based router-to-router VPN connections, create a filter list with the following properties:

Then, for each destination, create a filter within the filter list with the following configuration:

Configuring an IPSec Policy for the Same Pre-shared Key

To configure an IPSec policy that uses the same pre-shared key for all L2TP-based router-to-router VPN connections, create an IPSec policy with the following properties:

Add a rule with the following properties:

Because the filter list contains all of the destinations for L2TP-based router-to-router VPN connections, only a single rule within the IPSec policy is required.

Different Pre-shared Keys for Different Connections

To use different pre-shared keys for all L2TP over IPSec router-to-router VPN connections, configure the following:

  1. Create the appropriate demand-dial interfaces. In our example, create a demand-dial interface for the connection to the Boston branch office and a demand-dial interface to the London branch office.
  2. Create a filter action that does not allow unsecured L2TP communication.
  3. Create an IPSec filter list that contains a single filter for the L2TP over IPSec connection to a specific location. Using our example, configure a filter list with one filter defining the L2TP traffic to the Boston router. Then, configure another filter list with one filter defining the L2TP traffic to the London router.
  4. Create a new IPSec policy that uses a series of rules; each rule uses the filter action that does not allow unsecured L2TP communication, the filter list for a specific L2TP over IPSec connection, and the pre-shared key for the specific connection as the authentication method.

Creating the Filter Action

The configuration of the filter action for the different pre-shared key for different connections is the same as the filter action for the same pre-shared key for all connections.

Creating the Filter List for a Different Pre-shared Key for all Connections

To configure a filter list for a specific router-to-router VPN connection, create a filter list with the following properties (using the connection to Boston as an example):

Then, create a single filter with the following configuration:

Repeat this procedure for each L2TP over IPSec router-to-router VPN connection. Using our example, configure another IPSec filter list for the connection to the London router.

Configuring an IPSec Policy for a Different Pre-shared Key for Each Connection

To configure an IPSec policy that uses a different pre-shared key for each L2TP router-to-router VPN connection, create an IPSec policy with the following properties:

For each L2TP router-to-router VPN connection, add a rule with the following properties (using the connection to Boston as an example):

Add a separate rule for each L2TP over IPSec router-to-router VPN connection. Using our example, add another rule for the connection to the London router.


note-icon

Note

For an incoming L2TP over IPSec connection, the Routing and Remote Access service queries IPSec to discover the type of encryption that was negotiated. The query is for the encryption used for an IPSec security association (SA) for IP traffic to UDP port 1701. If an IPSec SA exists for IP traffic to UDP port 1701, the type of encryption used for the IPSec SA is returned. When ProhibitIpSec is set to 0, an IPSec SA is always found for this type of traffic because L2TP traffic filters are automatically created by the Routing and Remote Access service. The encryption type is then compared to the types of encryption allowed by the profile settings of the matching remote access policy for the L2TP connection. If the encryption type returned from the IPSec query does not match the allowed encryption strengths in the remote access policy profile, the connection attempt is rejected. If ProhibitIpSec is set to 1 and a specific filter for UDP port 1701 is not configured, the query fails to find an SA for IP traffic to UDP port 1701 and no encryption is assumed. This can cause the connection attempt to be rejected if the encryption setting on the matching remote access policy profile has the No encryption setting disabled. Therefore, the disconnection of encrypted L2TP over IPSec connections can occur when an IPSec filter exists that uses pre-shared key for all IP traffic and a specific filter for UDP port 1701 is not configured.

Using IPSecPol to Create the IPSec Policy

IPSec policy for pre-shared key L2TP over IPSec connections can also be configured using the IPSecPol Resource Kit tool. For more information, see the Windows 2000 Resource Kit Tools Help.

© 1985-2000 Microsoft Corporation. All rights reserved.