Windows automatically creates an IP Security Protocol (IPSec) policy for use with Layer 2 Tunneling Protocol (L2TP)/IPSec connections. This IPSec policy uses local computer certificates for mutual authentication.
L2TP Server Policy Creation
The IPSec policy is automatically created by the Routing and Remote Access Services (RRAS) server, which adds the policy to the IPSec Policy agent when RRAS starts during boot. If the Policy agent is stopped or restarted, the L2TP IPSec policy is lost. If RRAS is started while the Policy agent is stopped, the policy is not created. Therefore, if the Policy agent needs to be restarted or is already stopped, you must stop and start the Policy agent and then stop and start RRAS for the policy to be created correctly.
The L2TP server filters created are in the form of "Me to Any", "Source port: Any", and "Destination port: UDP 1701", where 'Me' represents the IP address(es) bound to the server computer.
L2TP Client Policy Creation
On the client, the filters are added to the Policy agent when an L2TP connection is attempted, either by using a connection in Network and Dial-up Connections or by using a dial-on-demand (DOD) interface in the RRAS management console. These filters are created in the following format: "Me to Server", "Source port: UDP 1701", and "Destination port: Any", where 'Server' represents the IP address the client was configured to connect to. These filters remain for the lifetime of the L2TP connection and are deleted when the connection is terminated.
Viewing the Automatic Policy
The policy is not visible in the IP Security Policies snap-in and cannot be configured there. However, you can view the policy by using the Netdiag tool after the Policy agent and RRAS have started; after a connection is made, you can also use Ipsecmon to view the policy and the security associations that the two computers have negotiated.
After a connection has been made, you can use the Ipsecmon utility to view the policies that are in effect. For example, you may see items similar to the following sample output for a default L2TP/IPSec connection (client-to-server or server-to-server):
Policy name: L2TP Rule
Security: ESP DES/CBC HMAC MD5
Filter name: No Name - Mirror
Source address: IP address or name of computer
Dest. address: IP address or name of computer
Src. port: 1701
Dest. port: 0
Tunnel endpoint: <none>
To view the policy without an active connection, use the Netdiag tool to display the IPSec policy while it is in effect. The command to view the currently active IPSec policy is:
netdiag /test:ipsec /debug
The Netdiag tool is available after installing the Windows Support Tools package. This package is located in the Support\Tools folder on the Windows CD-ROM. After you install this package, Netdiag is located in the Program Files\Support Tools folder.
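The restart order described under "L2TP Server Policy Creation" and the Netdiag check above, as an added PowerShell example that is not part of the Microsoft article. It assumes the Windows service short names PolicyAgent (IPSec Policy Agent) and RemoteAccess (RRAS), and that Netdiag from the Support Tools is on the path; the "1701" text match is a loose check against Netdiag's own output format, not a documented field.

```powershell
# Added example, not from the KB article: recreate the automatic L2TP IPSec
# policy after the Policy agent was stopped or restarted. The article's rule is:
# RRAS must not start (or be running) while the Policy agent is down, so stop
# RRAS first, stop/start the Policy agent, then start RRAS, then verify.
$policyAgent = 'PolicyAgent'   # assumption: IPSec Policy Agent service short name
$rras        = 'RemoteAccess'  # assumption: RRAS service short name
$timeout     = [TimeSpan]::FromSeconds(60)

function Restart-L2TPPolicy {
    # If RRAS stays running while the Policy agent restarts, the L2TP filters
    # ("Me to Any", destination UDP 1701) are never re-added; stop RRAS first.
    if ((Get-Service $rras).Status -ne 'Stopped') {
        Stop-Service $rras -Force
        (Get-Service $rras).WaitForStatus('Stopped', $timeout)
    }
    # Stop and start the Policy agent even if it is currently running.
    Restart-Service $policyAgent -Force
    (Get-Service $policyAgent).WaitForStatus('Running', $timeout)
    # Only now start RRAS so that it can register the L2TP policy.
    Start-Service $rras
    (Get-Service $rras).WaitForStatus('Running', $timeout)
}

function Test-L2TPFilter {
    # Dump the active IPSec policy with the command from the article and look
    # for the L2TP port in the output (loose text match; assumption).
    $out = & netdiag /test:ipsec /debug 2>&1 | Out-String
    return ($out -match '1701')
}

Restart-L2TPPolicy
if (Test-L2TPFilter) {
    'L2TP IPSec filter (UDP 1701) is present.'
} else {
    'L2TP filter not found; confirm the Policy agent started before RRAS.'
}
```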
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
How to configure a L2TP/IPSec connection using pre-shared key authentication