Possible Reasons for Disabling this Automatic Policy
- Configuring L2TP to use pre-shared keys. Certificates are recommended, but pre-shared keys are available for interoperability. For additional information about how to do so, click the article number below to view the article in the Microsoft Knowledge Base: 240262 How to Configure a L2TP/IPSec Connection Using a Pre-shared Key
- Troubleshooting L2TP/IPSec connections. When this policy is disabled and no domain or local machine policies are assigned, L2TP connections will be attempted without IPSEC (UDP 1701 packets). If the policy has been disabled on both client and server, it is possible to create an L2TP tunnel without IPSEC.
WARNING: Disabling IPSEC for L2TP connections is a severe limitation in security and is recommended only for troubleshooting.
- You receive the error message:
  Event ID: 20171
  Source: Remote Access
  Description: Failed to apply IP Security on port VPNx-x because of error: The RPC server is unavailable. No calls will be accepted to this port.
You must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of a L2TP/IPSec connection to prevent the automatic filter for L2TP/IPSec traffic from being created. When the ProhibitIpSec registry value is set to 1, your Windows 2000-based computer does not create the automatic filter that uses CA authentication. Instead, it checks for a local or Active Directory IPSEC policy. To add the ProhibitIpSec registry value to your Windows 2000-based computer, use Registry Editor (Regedt32.exe) to locate the following key in the registry:
Value Name: ProhibitIpSec
Data Type: REG_DWORD
Note that you must restart your Windows 2000-based computer for the changes to take effect.
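To check that no endpoint has been left in the troubleshooting state described above, where L2TP leaves the machine as plain UDP 1701 packets, a network capture can be scanned for L2TP that is not wrapped in IPsec. The following is an added example, not part of the original article; it assumes raw IPv4 packets captured on the wire (not on the endpoint after decryption), and the function names and sample packets are constructed for illustration.

```python
import socket
import struct

L2TP_PORT, NATT_PORT = 1701, 4500   # L2TP over UDP; IPsec NAT traversal (IKE/ESP in UDP)
PROTO_UDP, PROTO_ESP = 17, 50       # IP protocol numbers

def classify_ipv4(pkt: bytes) -> str:
    """Classify one raw IPv4 packet as cleartext L2TP, IPsec, or other."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "other"
    if pkt[9] == PROTO_ESP:
        return "ipsec-esp"
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if pkt[9] != PROTO_UDP or frag_offset != 0 or len(pkt) < ihl + 8:
        return "other"          # not UDP, or a later fragment without a UDP header
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if NATT_PORT in (sport, dport):
        return "ipsec-natt"
    payload = pkt[ihl + 8:]
    # L2TPv2 header starts with 16 flag/version bits; the low nibble is version 2.
    if L2TP_PORT in (sport, dport) and len(payload) >= 2 and payload[1] & 0x0F == 2:
        return "l2tp-cleartext"
    return "other"

def cleartext_l2tp_flows(packets):
    """Return sorted (src, dst) address pairs that carried L2TP outside IPsec."""
    flows = set()
    for pkt in packets:
        if classify_ipv4(pkt) == "l2tp-cleartext":
            flows.add((socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])))
    return sorted(flows)

def _ipv4(src, dst, proto, body):
    # Builder for constructed sample packets (header checksum left at 0).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + body

def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed samples using documentation addresses: L2TP control header, ESP, DNS-like UDP.
SAMPLE = [
    _ipv4("192.0.2.10", "198.51.100.1", PROTO_UDP,
          _udp(1701, 1701, bytes.fromhex("c802000c0000000000000000"))),
    _ipv4("192.0.2.11", "198.51.100.1", PROTO_ESP, bytes(16)),
    _ipv4("192.0.2.12", "198.51.100.1", PROTO_UDP, _udp(53000, 53, bytes(12))),
]
```

Any pair returned by `cleartext_l2tp_flows` identifies endpoints where the automatic policy is disabled and no other IPsec policy is protecting the tunnel.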
Article ID: 258261 – Last Review: February 28, 2007 – Revision: 1