Disabling IPSEC Policy Used with L2TP

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry


The RemoteAccess and PolicyAgent services create a policy that is used for L2TP traffic because L2TP does not provide encryption. Under some conditions, it may be useful to disable this policy.

Possible Reasons for Disabling this Automatic Policy

  • Configuring L2TP to use pre-shared keys. Certificates are recommended, but pre-shared keys are available for interoperability.For additional information about how to do so, click the article number below to view the article in the Microsoft Knowledge Base:

    240262 How to Configure a L2TP/IPSec Connection Using a Pre-shared Key
  • Troubleshooting L2TP/IPSec connections. When this policy is disabled and no domain or local machine policies are assigned, L2TP connections will be attempted without IPSEC (UDP 1701 packets). If the policy has been disabled on both client and server, it is possible to create an L2TP tunnel without IPSEC.

    WARNING: Disabling IPSEC for L2TP connections is a severe limitation in security and is recommended only for troubleshooting.

  • You receive the error message:

    Event ID: 20171
    Source: Remote Access
    Descritpion: Failed to apply IP Security on port VPNx-x because of error: The RPC server is unavailable. No calls will be accepted to this port.

More Information

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of a L2TP/IPSec connection to prevent the automatic filter for L2TP/IPSec traffic from being created. When the ProhibitIpSec registry value is set to 1, your Windows 2000-based computer does not create the automatic filter that uses CA authentication. Instead, it checks for a local or Active Directory IPSEC policy. To add the ProhibitIpSec registry value to your Windows 2000-based computer, use Registry Editor (Regedt32.exe) to locate the following key in the registry:

Add the following registry value to this key:

Value Name: ProhibitIpSec
Data Type: REG_DWORD
Value: 1

Note that you must restart your Windows 2000-based computer for the changes to take effect.

Artikelnummer: 258261 – Letzte Überarbeitung: 28.02.2007 – Revision: 1