To implement the preshared key authentication method for use with an L2TP/IPSec connection:
- You must add the ProhibitIpSec registry value to both Windows 2000-based endpoint computers.
- You must manually configure an IPSec policy before an L2TP/IPSec connection can be established between two Windows 2000-based computers.
To configure two Windows 2000-based Routing and Remote Access Service servers that are connected over a LAN to use an L2TP/IPSec connection with preshared key authentication, you must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of the L2TP/IPSec connection. This prevents the automatic filter for L2TP/IPSec traffic from being created.
When the ProhibitIpSec registry value is set to 1, your Windows 2000-based computer does not create the automatic filter that uses CA authentication. Instead, it checks for a local or Active Directory IPSec policy.
To add the ProhibitIpSec registry value to your Windows 2000-based computer, follow these steps:
- Click Start, click Run, type regedt32, and then click OK.
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
- On the Edit menu, click Add Value.
- In the Value Name box, type ProhibitIpSec.
- In the Data Type list, click REG_DWORD, and then click OK.
- In the Data box, type 1, and then click OK.
- Quit Registry Editor, and then restart your computer.
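The same registry change, as an added example that is not part of the original article: a PowerShell script (assumes a Windows host that runs PowerShell, so it suits auditing or scripting rather than the original regedt32 procedure) that sets ProhibitIpSec to 1 under the Rasman\Parameters subkey named above and then reads it back to confirm the value that the L2TP/IPSec service will see after the next restart.

```powershell
# Added example; the subkey and value name come from the article, the function
# names are this example's own. Run as a local administrator.
$RasmanParams = 'HKLM:\System\CurrentControlSet\Services\Rasman\Parameters'

function Set-ProhibitIpSec {
    # Create the subkey if it is absent, then write ProhibitIpSec as REG_DWORD = 1.
    if (-not (Test-Path -Path $RasmanParams)) {
        New-Item -Path $RasmanParams -Force | Out-Null
    }
    New-ItemProperty -Path $RasmanParams -Name 'ProhibitIpSec' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-ProhibitIpSec {
    # Returns $true only when the value exists and is exactly 1; any other
    # state means the automatic CA-based L2TP filter will still be created.
    $item = Get-ItemProperty -Path $RasmanParams -Name 'ProhibitIpSec' `
        -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.ProhibitIpSec -eq 1)
}

Set-ProhibitIpSec
if (Test-ProhibitIpSec) {
    Write-Output 'ProhibitIpSec = 1 is set; restart the computer for RAS to honour it.'
} else {
    Write-Output 'ProhibitIpSec is not set to 1; check permissions on the subkey.'
}
```

Run the script on both endpoint servers; the value is read by the Remote Access service at startup, so the restart in the last step of the procedure is still required.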
How to create an IPSec policy for use with L2TP/IPSec connections by using a preshared key

Note: The following procedure assumes that the ProhibitIpSec registry value is added to both Windows 2000-based Routing and Remote Access endpoint servers, and that the Windows 2000-based Routing and Remote Access endpoint servers have been restarted.
- Click Start, click Run, type mmc, and then click OK.
- Click Console, click Add/Remove Snap-in, click Add, click IP Security Policy Management, click Add, click Finish, click Close, and then click OK.
- Right-click IP Security Policies on Local Machine, click Create IP Security Policy, and then click Next.
- In the IP Security Policy Name dialog box, type the name for the IP Security policy in the Name box, and then click Next.
- In the Requests for Secure Communication dialog box, click to clear the Activate the default response rule check box, and then click Next.
- Click to select the Edit Properties check box, and then click Finish.
- In the New IP Security Policy Properties dialog box, click Add on the Rules tab, and then click Next.
- In the Tunnel Endpoint dialog box, click This rule does not specify a tunnel, and then click Next.
- In the Network Type dialog box, click All network connections, and then click Next.
- In the Authentication Method dialog box, click Use this string to protect the key exchange (preshared key), type a preshared key, and then click Next.
- In the IP Filter List dialog box, click Add, type a name for the IP filter list in the Name box, click Add, and then click Next.
- In the IP Traffic Source dialog box, click A specific IP Address in the Source address box, type the Transport Control Protocol/Internet Protocol (TCP/IP) address of the source Windows 2000-based Routing and Remote Access server in the IP Address box, and then click Next.
Note: The source address that is used on each Windows 2000-based Routing and Remote Access endpoint server must match. For example, if the source address is 220.127.116.11 on one endpoint server, you must also use 220.127.116.11 as the source address on the other Windows 2000-based Routing and Remote Access endpoint server.
- In the IP Traffic Destination dialog box, click A specific IP Address in the Destination address box, type the TCP/IP address of the destination Windows 2000-based Routing and Remote Access server, and then click Next.
Note: The destination address that is used on each Windows 2000-based Routing and Remote Access endpoint server must match. For example, if the destination address is 22.214.171.124 on one endpoint server, you must also use 22.214.171.124 as the destination address on the other Windows 2000-based Routing and Remote Access endpoint server.
- In the IP Protocol Type dialog box, click UDP in the Select a protocol type box, and then click Next.
- In the IP Protocol Port dialog box, click From this port, type 1701 in the From this port box, click To any port, and then click Next.
- Click to select the Edit properties check box, click Finish, and then, in the Filter Properties dialog box, click to select the "Mirrored. Also match packets with the exact opposite source and destination addresses" check box.
- Click OK, and then click Close.
- In the IP Filter List dialog box, click the IP filter that you just created, and then click Next.
- In the Filter Action dialog box, click Add, and then create a new filter action that specifies which integrity and encryption algorithms will be used.
Note: This new filter action must have the "Accept unsecured communication, but always respond using IPSec" feature disabled to improve security.
- Click Next, click Finish, and then click Close.
- Right-click the IPSec policy that you just created, and then click Assign.
How to configure an IPSec policy to accept connections by using multiple preshared keys or CAs

After a policy is created with a filter that uses a preshared key, you must create an additional rule within the IPSec policy for other connections that require different preshared keys or CAs.
For additional information about automatic filters that are created by Windows 2000 that use CAs, click the following article number to view the article in the Microsoft Knowledge Base:
Microsoft does not support preshared keys for L2TP/IPSec VPN or remote clients for the following reasons:
- It subjects a secure protocol to a well-known nonsecure usage problem, selecting passwords. Published attacks have been shown to reveal weak preshared keys.
- It is not securely deployable. Because access to the company gateway is required by the user who is configuring a preshared key, many users will know this, and it becomes a "group preshared key." A long preshared key would almost definitely have to be written down. Individual computer access could not be revoked until the whole group had switched to a new preshared key.
- As Microsoft has documented in Help, resource kit chapters, and in Microsoft Knowledge Base article number 248711, the Windows 2000 IPSec preshared key is provided only for RFC compliance, for interoperability testing, and interoperability where security is not a concern. The preshared key is stored in the local registry which only local administrators have read access to, but local administrators have to know it and set it. Therefore, any local administrator can see it in the future or change it.
- The support cost of using a preshared key both for customers and for Microsoft would be high.
- Getting a certificate for a Windows 2000-based computer can be as easy as a Web page request, or even easier by using Windows 2000 Group Policy autoenrollment when the Windows 2000-based client is a member of a Windows 2000 domain. This is generally the most secure method for deploying an IPSec-based VPN.
Article ID: 240262 - Last Review: Dec 16, 2009 - Revision: 1