Article ID: 259335 - View products that this article applies to.
This article was previously published under Q259335
This article contains information that helps troubleshoot Layer Two Tunneling Protocol (L2TP) and Internet Protocol security (IPSec) in Windows.
L2TP is a standard that enables the transfer of Point-to-Point Protocol (PPP) traffic between different networks, as described in Request for Comments (RFC) 2661, "Layer Two Tunneling Protocol L2TP." L2TP is combined with IPSec to provide both tunneling and security for Internet Protocol (IP), Internetwork Packet Exchange (IPX), and other protocol packets across any IP network.
L2TP encapsulates original packets inside a PPP frame and performs compression when it is possible. Additionally, L2TP encapsulates inside a User Datagram Protocol (UDP)-type packet that is assigned to port 1701. Because the UDP packet is a part of the IP transport protocol, L2TP automatically uses IPSec to help secure the tunnel. L2TP does this based on the security settings in the user configuration of the L2TP tunnel. By default, the IPSec Internet Key Exchange (IKE) protocol negotiates security for the L2TP tunnel by using certificate-based authentication. This authentication process uses computer certificates, not user certificates, to verify that source computers and destination computers trust each other. If IPSec transport security is successfully established, L2TP negotiates the tunnel and performs access control based on the user's identity. When L2TP negotiates the tunnel, it negotiates compression and user-authentication options.
The L2TP/IPSec packet structure looks similar to the following example.
Note The PPP payload contains the original IP datagram. Italic text represents what is encrypted with IPSec.
|IP header|IPSec ESP header|UDP header|L2TP header|PPP header|PPP payload|IPSec ESP trailer|IPSec Auth trailer|Microsoft Point-to-Point Encryption Protocol (MPPE) is negotiated by Windows when the L2TP peer (client or server) requests it. MPPE can be used to help secure the PPP payload when Extensible Authentication Protocol Transport Layer Security (EAP-TLS) or Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is used.
MPPE uses the Rivest-Shamir-Adleman (RSA) RC4 stream cipher and 40-bit, 56-bit, or 128-bit secret keys. MPPE keys are generated from the MS-CHAP and EAP-TLS user-authentication processes. The remote access server can be configured to require data encryption. If the remote access client cannot perform the required encryption, the connection attempt is rejected, and you may receive the following error message:
IPSec is negotiated before PPP starts; MPPE is negotiated after PPP starts. PPP runs over L2TP; it uses IPSec to do this. During the PPP authentication phase, a user name is sent to the remote access server component of the virtual private network (VPN) server by using the configured authentication protocol, such as MS-CHAP. The remote access server then matches the user name and other call properties to a remote access policy. Each policy has a profile, and the remote access server compares the conditions of the incoming call with the profile to determine whether to accept the connection request.
The remote computer does not support the required data encryption type.
For more information about VPN, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/bb742458.aspxFor additional information about IPSec troubleshooting, click the following article number to view the article in the Microsoft Knowledge Base:
(https://support.microsoft.com/kb/257225/ )Basic IPSec troubleshooting in Microsoft Windows 2000 Server
Article ID: 259335 - Last Review: October 30, 2006 - Revision: 4.4