Microsoft L2TP/IPSec VPN Client

Microsoft L2TP/IPSec VPN Client is a free download that allows computers running Windows 98, Windows Millennium Edition (Me), or Windows NT® Workstation 4.0 to use Layer Two Tunneling Protocol (L2TP) connections with Internet Protocol security (IPSec). The combination of L2TP and IPSec, known as L2TP/IPSec, is a highly secure technology for making remote access virtual private network (VPN) connections across public networks such as the Internet. Microsoft L2TP/IPSec VPN Client also provides support for IPSec Network Address Translator (NAT) traversal.

About Microsoft L2TP/IPSec VPN Client

With the release of Windows 2000, Microsoft introduced the Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPSec) VPN protocol as a highly secure and interoperable alternative to the well-established Point-to-Point Tunneling Protocol (PPTP) that was already supported on all Windows platforms and most commercial VPN servers. L2TP takes advantage of existing mechanisms for user authentication and client configuration. L2TP/IPSec uses IPSec to provide mutual authentication between the user's computer and the VPN server and strong encryption for all of the data exchanged between the client and the server.

The Microsoft L2TP/IPSec VPN Client client—designed specifically for Windows 98, Windows Millennium Edition (Me), and Windows NT Workstation 4.0 —uses the same L2TP/IPSec protocol as Windows XP and Windows 2000 and enables customers to deploy a consistent and secure VPN remote access solution across a diverse set of computers running Windows.

Microsoft L2TP/IPSec VPN Client allows connections to a Windows 2000 or compatible VPN server from computers running the following operating systems:

§                     Windows 98 (all versions) with Microsoft Internet Explorer 5.01 (or later) and the Dial-up Networking version 1.4 upgrade.

§                     Windows Me with the Virtual Private Networking communications component and Microsoft Internet Explorer 5.5 (or later)

§                     Windows NT Workstation 4.0 with Remote Access Service (RAS), the Point-to-Point Tunneling Protocol, Service Pack 6, and Microsoft Internet Explorer 5.01 (or later)

Notes

Internet Explorer 5.01 or later must be installed on your computer but does not need to be running and does not need to be the default browser.

The implementation of IPSec in Microsoft L2TP/IPSec VPN Client only provides IPSec protection for L2TP traffic.

How to install and remove

To install Microsoft L2TP/IPSec VPN Client, copy the installer program (MSL2TP.EXE) to your computer and run it. The installer program will check your system and install Microsoft L2TP/IPSec VPN Client. It will also install the Microsoft IPSec VPN Configuration Utility and a help file, both of which can be accessed by clicking Start, pointing to Programs, and then pointing to Microsoft IPSec VPN.

To remove Microsoft L2TP/IPSec VPN Client and its associated configuration utility and help file, use the Add or Remove Programs utility in the Control Panel.

Using Microsoft L2TP/IPSec VPN Client

Microsoft L2TP/IPSec VPN Client for Windows 98, Windows Me and Windows NT Workstation 4.0 provides a natural extension to the VPN support already present in these operating systems.

§                     In Windows 98 and Windows Me, installation of Microsoft L2TP/IPSec VPN Client adds a Microsoft L2TP/IPSec VPN Adapter, similar to the PPTP adapter that is already built into the operating system.

§                     In Windows NT Workstation 4.0, Microsoft L2TP/IPSec VPN Client adds RASL2TPM to the list of devices available for remote access.

To create an L2TP/IPSec connection, create a new connection in the Dial-Up Networking folder using the Make a New Connection wizard, and simply choose the Microsoft L2TP/IPSec VPN Adapter as the device (or the RASL2TPM device for Windows NT Workstation 4.0). Just as in creating a PPTP-based VPN connection, provide the IP address or name of the VPN server rather than a telephone number for this connection.

When used in a network that supports a public key infrastructure (PKI) that issues digital certificates, Microsoft L2TP/IPSec VPN Client will connect without requiring any additional configuration. If your VPN server requires use of a pre-shared key instead of a certificate for authenticating the client computer to the VPN server, you can configure pre-shared key authentication using the Microsoft IPSec VPN Configuration Utility.

Answers to frequently asked questions about Microsoft L2TP/IPSec Client can be found in Frequently Asked Questions about Microsoft L2TP/IPSec Client.

Information about the use of certificates and pre-shared keys for authentication, deploying Microsoft L2TP/IPSec VPN Client, and troubleshooting tools and common problems can be found in the Administrator's Guide to Microsoft L2TP/IPSec VPN Client.

Additional information about limitations and compatibility issues and troubleshooting can be found in the Release Notes.

Network Address Translator (NAT) Traversal

Microsoft L2TP/IPSec VPN Client includes support for a proposed extension of IPSec that can traverse a Network Address Translator (NAT), a device commonly used to provide networks with shared access to the Internet. The new behavior will be enabled whenever the client connects to a VPN server that also supports the proposed NAT-Traversal extensions for IPSec (described in the IETF Internet drafts titled "UDP Encapsulation of IPSec Packets" [draft-ietf-ipsec-udp-encaps-02.txt] and "Negotiation of NAT-Traversal in the IKE" [draft-ietf-ipsec-nat-t-ike-02.txt]). Microsoft plans to support these extensions in the Windows Server 2003 family and other industry leaders have NAT Traversal-capable VPN servers in development.

Required Operating System Components

§                     Dial-Up Networking version 1.4 Upgrade
See the Microsoft Knowledge Base article Q285189 to download the Dial-Up Networking version 1.4 Upgrade for Windows 98 and Windows 98 Second Edition (SE). The links to the download files are available in the "More Information" section of the article.

§                     Microsoft Internet Explorer
See the Internet Explorer home page to download the latest version of Internet Explorer.

§                     Windows NT 4.0 Service Pack 6a
Get Windows NT Service Pack 6a.

Additional Resources

§                     Microsoft L2TP/IPSec VPN Client Overview
The May 2002 TechNet Cable Guy article provides an overview of Microsoft L2TP/IPSec VPN Client.

§                     IKE Negotiation for IPSec Security Associations
The June 2002 TechNet Cable Guy article provides an in-depth look at the series of Internet Key Exchange (IKE) protocol messages that are exchanged during Quick Mode and Main Mode IPSec security association (SA) negotiation.

§                     How to Configure an L2TP/IPSec Connection Using Pre-shared Key Authentication
This Microsoft Knowledge Base article describes how to configure a VPN server running a member of the Windows 2000 Server family to use pre-shared key authentication for L2TP/IPSec connections.

§                     IETF IP Security Protocol Working Group
This page contains Internet Engineering Task Force (IETF) Internet drafts and Request for Comments (RFCs) that specify IPSec.

Related Web Sites

§                     Virtual Private Networks
This Microsoft Web site contains links to white papers describing Microsoft support for VPN connections.

§                     Windows Server 2003 Family
This Microsoft Web site contains links to resources describing the upcoming Windows Server 2003 family of operating systems.

§                     IPSec
This Microsoft Web site contains links to white papers and other resources describing Windows 2000 and Windows XP support for IPSec.

§                     Security Services
This Microsoft Web site contains links to white papers describing support for security in Windows 2000. This site contains many papers on public key infrastructure (PKI) and the use of certificates.