Article ID: 314831
This article was previously published under Q314831
For a Microsoft Windows 2000 version of this article, see 259335
This article provides information to help you troubleshoot Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec) in Windows XP.
L2TP is a standard that allows the transfer of Point-to-Point Protocol (PPP) traffic between different networks (described in Request for Comments [RFC] 2661). L2TP is combined with IPSec to provide both tunneling and security for Internet Protocol (IP), Internetwork Packet eXchange (IPX), and other protocol packets across any IP network.
L2TP encapsulates the original packets inside a PPP frame (performing compression when possible) and then inside a User Datagram Protocol (UDP) packet addressed to port 1701. Because the resulting UDP packet is an IP packet, L2TP automatically uses IPSec to secure the tunnel, according to the security settings in the user configuration of the L2TP tunnel. The IPSec Internet Key Exchange (IKE) protocol negotiates security for the L2TP tunnel; certificate-based authentication is the default. This authentication process uses computer certificates, not user certificates, to verify that the source and destination computers trust each other. If IPSec transport security is successfully established, L2TP negotiates the tunnel (including compression and user authentication options) and performs access control that is based on the user identity.
The L2TP/IPSec packet structure looks like the following example. The PPP Payload contains the original IP datagram, and the fields from the UDP header through the IPSec ESP trailer (italicized in the original) are encrypted with IPSec.
|IP header|IPSec ESP header|UDP header|L2TP header|PPP header|PPP Payload|IPSec ESP trailer|IPSec Auth trailer|
Microsoft Point-to-Point Encryption Protocol (MPPE), which can be used to secure the PPP payload when the Extensible Authentication Protocol Transport Layer Security (EAP-TLS) or Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) is used, is negotiated by Windows when the L2TP peer (client or server) requests it.
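When troubleshooting, the first thing to confirm from a capture is which of the layers above is actually on the wire: IKE on UDP 500, ESP (IP protocol 50) carrying the tunnel, or L2TP on UDP 1701 with no IPSec at all. The following classifier is an added example, not code from the Knowledge Base article; it parses minimal IPv4/UDP/L2TP headers from constructed sample packets and labels each one.

```python
import struct

ESP_PROTO, UDP_PROTO = 50, 17
IKE_PORT, L2TP_PORT = 500, 1701

def ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed sample: minimal 20-byte IPv4 header, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, src, dst) + payload

def udp(sport, dport, payload):
    """Constructed sample: UDP header with checksum left at zero."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def classify(pkt):
    """Describe how the L2TP/IPSec stack shows up in a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto == ESP_PROTO:
        # ESP header: SPI and sequence number are the only cleartext fields;
        # everything from the UDP header to the ESP trailer is encrypted.
        spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
        return f"esp spi=0x{spi:08x} seq={seq}: L2TP protected by IPSec"
    if proto == UDP_PROTO:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        body = pkt[ihl + 8:]
        if IKE_PORT in (sport, dport):
            return "ike: IPSec security negotiation in progress"
        if L2TP_PORT in (sport, dport) and len(body) >= 2:
            # L2TP flags/version word (RFC 2661): T bit marks control messages,
            # low four bits carry the protocol version (2 for L2TPv2).
            flags = struct.unpack("!H", body[:2])[0]
            kind = "control" if flags & 0x8000 else "data"
            return f"l2tp {kind} v{flags & 0x0F} in the clear: no IPSec protection"
    return "other"

# Constructed sample packets for the three cases a troubleshooter looks for.
SAMPLES = {
    "esp": ipv4(ESP_PROTO, struct.pack("!II", 0x1234ABCD, 7) + b"\x00" * 16),
    "ike": ipv4(UDP_PROTO, udp(IKE_PORT, IKE_PORT, b"\x00" * 28)),
    "l2tp_ctrl": ipv4(UDP_PROTO, udp(L2TP_PORT, L2TP_PORT, struct.pack("!H", 0xC802) + b"\x00" * 10)),
    "l2tp_data": ipv4(UDP_PROTO, udp(L2TP_PORT, L2TP_PORT, struct.pack("!H", 0x0002) + b"\x00" * 10)),
}

def classify_all():
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, label in classify_all().items():
        print(f"{name:10s} {label}")
```

A capture that shows UDP 1701 in the clear after IKE has run indicates that IPSec was not established, which is the condition this article's certificate and policy checks are meant to diagnose.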
MPPE uses the Rivest-Shamir-Adleman (RSA) RC4 stream encryption and either 40-bit, 56-bit, or 128-bit secret keys. MPPE keys are generated from the MS-CHAP and EAP-TLS user-authentication process. The remote access server can be configured to require data encryption. If the remote access client cannot perform the required encryption, the connection attempt is rejected and the following error message (#742) appears:
The remote computer does not support the required data encryption type.
IPSec is negotiated before PPP starts; MPPE is negotiated after PPP starts. PPP runs over L2TP using IPSec. During the PPP authentication phase, a user name is sent to the Remote Access Server (RAS) component of the virtual private network (VPN) server by using the configured authentication protocol (MS-CHAP, for example). The RAS server then matches the user name and other call properties to a Remote Access Policy. Each policy has a profile, and RAS compares the conditions of the incoming call with the profile to determine whether to accept the connection request.
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
314067 How to troubleshoot TCP/IP connectivity with Windows XP (http://support.microsoft.com/kb/314067/)
257225 Basic IPSec troubleshooting in Microsoft Windows 2000 Server (http://support.microsoft.com/kb/257225/)