How to disable the automatic L2TP/IPsec policy in Windows 2000 Server

This step-by-step article describes how to disable the automatic Layer Two Tunneling Protocol (L2TP)/Internet Protocol security (IPsec) policy.

The Microsoft Windows 2000 Routing and Remote Access service supports the L2TP/IPsec protocol. The Microsoft implementation of L2TP/IPsec is fully compliant with Request for Comments (RFC) standards. The implementation provides the highest level of security for virtual private network (VPN) connections. Currently, only Windows 2000, Microsoft Windows XP, and selected third-party operating systems support the L2TP/IPsec VPN client computer role.

Windows 2000 automatically creates an IPsec policy if an L2TP/IPsec VPN link is established. The IPsec policy requires that you install computer certificates on both the Routing and Remote Access VPN server and the VPN client. You can obtain certificates from a Microsoft Certificate server or from a third-party provider.

If you are a security administrator, you may want to disable the default automatic L2TP/IPsec policy because an established Public Key Infrastructure (PKI) is not present. You may also want to disable the automatic IPsec policy for testing purposes. You can establish pure L2TP tunnels if you disable the policy. However, these tunnels are not secure because IPsec is responsible for tunnel security.

You can use a preshared key to create gateway-to-gateway VPN links after you disable the automatic L2TP/IPsec policy. We recommend that you use a preshared key only for testing. Microsoft does not support using preshared keys in production environments.

For additional information about how to use a preshared key to configure an IPsec policy, click the following article number to view the article in the Microsoft Knowledge Base:

How to disable the automatic L2TP/IPsec policy

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of a L2TP/IPsec connection. This registry value prevents the automatic filter for L2TP/IPsec traffic from being created. When the ProhibitIpSec registry value is set to 1, your Windows 2000-based computer does not create the automatic filter that uses certification authority (CA) authentication. Instead, the computer checks for a local or Active Directory directory service IPsec policy.

To add the ProhibitIpSec registry value, follow these steps:

1. Start Registry Editor.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
3. On the Edit menu, click Add Value.
4. Type prohibitipsec in the Value Name box, click REG_DWORD in the Data Type box, and then click OK.
5. Type 1 in the Data box, and then click OK.
6. Quit Registry Editor, and then restart the computer.

Troubleshooting

If you set the ProhibitIpSec value to 1, the Routing and Remote Access VPN server does not create a filter to use certificates for IPsec authentication. The Routing and Remote Access VPN server uses either a local IPsec policy or an Active Directory IPsec policy. You can configure IPsec policies on the local Routing and Remote Access VPN server, or you can use Group Policy to push the IPsec policies to Routing and Remote Access VPN servers.

When this policy is disabled and when no domain or local policies are assigned, L2TP connections will be tried without IPsec (UDP 1701 packets). If the policy has been disabled on both the client and the server, you can create an L2TP tunnel without IPsec.

WARNING If you disable IPsec for L2TP connections, you will create a severe limitation in security. This configuration is recommended only for troubleshooting.