
How to Configure an L2TP/IPSec Connection Using Pre-shared Key Authentication

The information in this article applies to:

*       Microsoft Windows 2000 Server

*       Microsoft Windows 2000 Advanced Server

*       Microsoft Windows 2000 Professional

*       Microsoft Windows 2000 Datacenter Server

This article was previously published under Q240262

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

Windows 2000 automatically creates an Internet Protocol Security (IPSec) policy for Layer 2 Tunneling Protocol (L2TP)/IPSec connections; that policy requires a certificate for Internet Key Exchange (IKE) authentication.

Although Microsoft does not support or recommend using a pre-shared key for IKE authentication on remote access L2TP/IPSec client connections (it should be used for testing only), Windows 2000 is compliant with IKE RFC 2409 and provides a way to implement it. L2TP/IPSec gateway-to-gateway VPN implementations that use a pre-shared key for IKE authentication are supported.

To implement the pre-shared key authentication method for use with an L2TP/IPSec connection:

*       You must add the ProhibitIpSec registry value to both Windows 2000-based endpoint computers.

*       You must manually configure an IPSec policy before an L2TP/IPSec connection can be established between two Windows 2000-based computers.

This article describes how to configure two Windows 2000-based Routing and Remote Access Service (RRAS) servers that are connected over a Local Area Network (LAN) to use an L2TP/IPSec connection with pre-shared key authentication. Also included is information about how to configure an IPSec policy to accept connections that use multiple pre-shared keys or certification authorities (CAs).

The reasons Microsoft does not support a pre-shared key for L2TP/IPSec VPN clients are:

*       It subjects a secure protocol to a well-known insecure usage problem: as with passwords, a person chooses the secret. Published attacks have shown that weak pre-shared keys can be recovered.

*       It is not securely deployable. Because the user who configures a pre-shared key on a client must know the key that is configured on the company gateway, many users will know it, and it becomes a "group pre-shared key". A long pre-shared key would almost certainly need to be written down. An individual system's access could not be revoked until the whole group had switched to a new pre-shared key.

*       As Microsoft has documented in online help, Resource Kit chapters, and in Q248711 in the Microsoft Knowledge Base, the Windows 2000 IPSec pre-shared key is provided only for RFC compliance, for interoperability testing, and for interoperability where security is not a concern. The pre-shared key is stored in the local registry, to which only local administrators have read access; but local administrators must know the key to set it, so any local administrator can read it or change it later.

*       The support cost of using a pre-shared key, both for customers and for Microsoft, would be high.

*       Obtaining a computer certificate for a Windows 2000-based computer can be as easy as a Web page request, or even easier by using Windows 2000 Group Policy autoenrollment when the Windows 2000-based client is a member of a Windows 2000 domain. Certificates are the secure method for deploying IPSec-based VPNs in general.

Microsoft does support gateway-to-gateway L2TP/IPSec VPN tunnels with a pre-shared key because the key must be configured locally on each gateway by a very knowledgeable gateway administrator, for one specific static IP address. IPSec tunnels are only supported where static IP addresses are used, and for address-based policy selectors only, not port and protocol. Microsoft recommends using L2TP/IPSec for gateway-to-gateway connections. Use IPSec tunnel mode for gateway-to-gateway connections only if L2TP/IPSec is not an option.

MORE INFORMATION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of an L2TP/IPSec connection to prevent the automatic filter for L2TP/IPSec traffic from being created. When the ProhibitIpSec registry value is set to 1, your Windows 2000-based computer does not create the automatic filter that uses certificate authentication. Instead, it checks for a local or Active Directory IPSec policy. To add the ProhibitIpSec registry value to your Windows 2000-based computer, use Registry Editor (Regedt32.exe) to locate the following key in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

Add the following registry value to this key:

Value Name: ProhibitIpSec
Data Type: REG_DWORD
Value: 1

Note that you must restart your Windows 2000-based computer for the changes to take effect.

How to Create an IPSec Policy for Use with L2TP/IPSec Connections Using a Pre-shared Key

NOTE: The following procedure assumes the ProhibitIpSec registry value described earlier in this article has already been added to both Windows 2000-based RRAS endpoint servers, and that the Windows 2000-based RRAS endpoint servers have been restarted.

1.            Click Start, click Run, type mmc, and then click OK.

2.            Click Console, click Add/Remove Snap-in, click Add, click IP Security Policy Management, click Finish, click Close, and then click OK.

3.            Right-click IP Security Policies on Local Machine, click Create IP Security Policy, and then click Next.

4.            In the IP Security Policy Name dialog box, type the name for the IP Security policy in the Name box, and then click Next.

5.            In the Requests for Secure Communication dialog box, click to clear the Activate the default response rule check box, and then click Next.

6.            Click to select the Edit Properties check box, and then click Finish.

7.            In the New IP Security Policy Properties dialog box, on the Rules tab, click Add, and then click Next.

8.            In the Tunnel Endpoint dialog box, click This rule does not specify a tunnel, and then click Next.

9.            In the Network Type dialog box, click All network connections, and then click Next.

10.       In the Authentication Method dialog box, click Use this string to protect the key exchange (pre-shared key), type a pre-shared key, and then click Next.

11.       In the IP Filter List dialog box, click Add, type a name for the IP filter list in the Name box, click Add, and then click Next.

12.       In the IP Traffic Source dialog box, click A specific IP Address in the Source address box, type the Transmission Control Protocol/Internet Protocol (TCP/IP) address of the source Windows 2000-based RRAS server in the IP Address box, and then click Next.

NOTE: The source address used on each Windows 2000-based RRAS endpoint server must match. For example, if the source address is 1.1.1.1, you must use 1.1.1.1 as a source address on both Windows 2000-based RRAS endpoint servers.

13.       In the IP Traffic Destination dialog box, click A specific IP Address in the Destination address box, type the TCP/IP address of the destination Windows 2000-based RRAS server, and then click Next.

NOTE: The destination address used on each Windows 2000-based RRAS endpoint server must match. For example, if the destination address is 2.2.2.2, you must use 2.2.2.2 as a destination address on both Windows 2000-based RRAS endpoint servers.

14.       In the IP Protocol Type dialog box, click UDP in the Select a protocol type box, and then click Next.

15.       In the IP Protocol Port dialog box, click From this port, type 1701 in the From this port box, click To any port, and then click Next.

16.       Click to select the Edit properties check box, and then click Finish. In the Filter Properties dialog box, click to select the check box labeled Mirrored. Also match packets with the exact opposite source and destination addresses, click OK, and then click Close.

17.       In the IP Filter List dialog box, click the IP filter you just created, and then click Next.

18.       In the Filter Action dialog box, click Add, and then create a new filter action that specifies the integrity and encryption algorithms to be used.

NOTE: To be secure, this new filter action must have the Accept unsecured communication, but always respond using IPSec check box cleared; otherwise unprotected inbound L2TP packets from the peer are accepted rather than dropped.

19.       Click Next, click Finish, and then click Close.

20.       Right-click the IPSec policy you just created, and then click Assign.

NOTE: You must configure both Windows 2000-based RRAS endpoint servers the exact same way. The IPSec filter is written from the point of view of the first Windows 2000-based RRAS endpoint server, and an identical copy of that filter is then entered on the second Windows 2000-based RRAS endpoint server. Based on the example described earlier in this article, if the first Windows 2000-based RRAS endpoint server has a TCP/IP address of 1.1.1.1, and the second Windows 2000-based RRAS endpoint server has a TCP/IP address of 2.2.2.2, a filter is created within the IPSec policy on both Windows 2000-based RRAS endpoint servers with a source address of 1.1.1.1 and a destination address of 2.2.2.2. Because the filter is mirrored, it matches traffic in both directions on both servers, which permits either Windows 2000-based RRAS endpoint server to initiate the connection.

How to Configure an IPSec Policy to Accept Connections Using Multiple Pre-shared Keys or CAs

After a policy is created with a rule that uses a pre-shared key, you must add an additional rule to the same IPSec policy for each other connection that requires a different pre-shared key or CA. Each rule carries its own IP filter list, which selects the peer by address, and its own authentication method, so the peer's address is what determines which pre-shared key or CA is used.
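The rule selection that the procedure above and the multiple-key configuration rely on, as an added example that is not part of the original article and is not Microsoft code: a small Python model of mirrored filters, one authentication method per rule, and the filter action's "Accept unsecured" option. The article's addresses 1.1.1.1 and 2.2.2.2 are kept; the addresses 3.3.3.3 and 4.4.4.4, the key strings and the CA name are constructed for the example, and the weighting used to pick the most specific matching filter is a simplification of how Windows 2000 orders filters.

```python
"""Model of how a Windows 2000 IPSec policy picks a rule for a packet.

Added example, not Microsoft code. Simplified model of the behaviour the
article describes: mirrored address/port filters, one authentication
method per rule, and the filter action option "Accept unsecured
communication, but always respond using IPSec".
"""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for an address, protocol or port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Filter:
    """One entry of an IP filter list (steps 11 to 16 of the procedure)."""
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    mirrored: bool = True

    @staticmethod
    def _match(p: Packet, src, dst, proto, sport, dport) -> bool:
        wanted = ((src, p.src), (dst, p.dst), (proto, p.proto),
                  (sport, p.sport), (dport, p.dport))
        return all(w is ANY or w == v for w, v in wanted)

    def matches(self, p: Packet) -> bool:
        if self._match(p, self.src, self.dst, self.proto, self.sport, self.dport):
            return True
        # "Mirrored": also match the exact opposite addresses and ports. This
        # is what lets one filter cover both directions on both RRAS servers.
        return self.mirrored and self._match(
            p, self.dst, self.src, self.proto, self.dport, self.sport)

    def weight(self) -> int:
        # Windows applies the most specific matching filter; approximated here
        # by counting non-wildcard fields, with addresses counting double.
        return (2 * sum(v is not ANY for v in (self.src, self.dst))
                + sum(v is not ANY for v in (self.proto, self.sport, self.dport)))


@dataclass(frozen=True)
class Rule:
    name: str
    filters: tuple                 # the rule's IP filter list
    auth: str                      # "PSK:<string>" or "CERT:<CA name>"
    allow_unsecured: bool = False  # the "Accept unsecured ..." check box


@dataclass(frozen=True)
class Policy:
    rules: tuple

    def select(self, p: Packet) -> Optional[Rule]:
        """Return the rule owning the most specific filter that matches p."""
        best, best_w = None, -1
        for rule in self.rules:
            for f in rule.filters:
                if f.matches(p) and f.weight() > best_w:
                    best, best_w = rule, f.weight()
        return best


def dispose(policy: Policy, p: Packet, peer_negotiates_ipsec: bool) -> str:
    """Fate of an L2TP packet: "clear" (no rule matched, IPSec not applied),
    "ipsec:<auth>", "clear-fallback" (peer never negotiated but the filter
    action accepted unsecured traffic; simplified model) or "drop"."""
    rule = policy.select(p)
    if rule is None:
        return "clear"
    if peer_negotiates_ipsec:
        return "ipsec:" + rule.auth
    return "clear-fallback" if rule.allow_unsecured else "drop"


# The article's filter: 1.1.1.1 -> 2.2.2.2, UDP, from port 1701 to any port,
# mirrored. The identical entry is used on BOTH RRAS servers.
L2TP_FILTER = Filter("1.1.1.1", "2.2.2.2", "UDP", 1701, ANY)


def build_policy(insecure: bool = False) -> Policy:
    """One PSK rule per static peer plus a certificate rule for everyone else.
    Key strings, 3.3.3.3 and the CA name are constructed sample data."""
    return Policy((
        Rule("L2TP 1.1.1.1 <-> 2.2.2.2", (L2TP_FILTER,),
             "PSK:example-key-for-2.2.2.2", insecure),
        Rule("L2TP 1.1.1.1 <-> 3.3.3.3",
             (Filter("1.1.1.1", "3.3.3.3", "UDP", 1701, ANY),),
             "PSK:example-key-for-3.3.3.3", insecure),
        Rule("L2TP any peer", (Filter(ANY, "1.1.1.1", "UDP", 1701, 1701),),
             "CERT:Example Enterprise CA", insecure),
    ))


if __name__ == "__main__":
    pol = build_policy()
    for pkt in (Packet("1.1.1.1", "2.2.2.2", "UDP", 1701, 1701),
                Packet("2.2.2.2", "1.1.1.1", "UDP", 1701, 1701),
                Packet("4.4.4.4", "1.1.1.1", "UDP", 1701, 1701),
                Packet("1.1.1.1", "2.2.2.2", "UDP", 500, 500)):
        print(pkt, "->", dispose(pol, pkt, peer_negotiates_ipsec=True))
```

Run as a script it prints the fate of four sample packets. The model makes concrete the two points the notes above state in words: the single mirrored filter, entered identically on 1.1.1.1 and 2.2.2.2, matches L2TP traffic in both directions on either host, and IKE itself (UDP 500) falls outside it; and a pre-shared key is bound to a rule whose filter names the peer's address, which is why pre-shared keys are only workable for peers with static addresses while a certificate rule can cover any peer. With the "Accept unsecured" box selected, a peer that never negotiates IPSec ends up with unprotected L2TP instead of a dropped connection.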

For additional information about the automatic filter created by Windows 2000 that uses CAs, and about installing certificates for IPSec, click the article numbers below to view the articles in the Microsoft Knowledge Base:

248750 Description of the Automatic Filter Created for Use with L2TP/IPSec

253498 How to Install a Certificate for Use with IP Security

Also check the white papers at the following Microsoft Web sites:

http://www.microsoft.com/windows2000/techinfo/howitworks/security/ip_security.asp

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp