INTRODUCTION
This step-by-step article describes how to disable the
automatic Layer Two Tunneling Protocol (L2TP)/Internet Protocol security
(IPsec) policy.
The Microsoft Windows 2000 Routing and Remote Access service
supports the L2TP/IPsec protocol. The Microsoft implementation of
L2TP/IPsec is fully compliant with Request for Comments (RFC) standards. The implementation provides the highest level of security for virtual private network (VPN)
connections. Currently, only Windows 2000, Microsoft Windows XP, and selected third-party
operating systems support the L2TP/IPsec VPN client computer role.
Windows 2000 automatically creates an IPsec policy if an L2TP/IPsec VPN link is
established. The IPsec policy requires that you install computer certificates on
both the Routing and Remote Access VPN server and the VPN client. You can
obtain certificates from a Microsoft Certificate server or from a
third-party provider.
If you are a security administrator, you may
want to disable the default automatic L2TP/IPsec policy because an established
Public Key Infrastructure (PKI) is not present. You may also want to disable
the automatic IPsec policy for testing purposes. You can establish pure L2TP
tunnels if you disable the policy. However, these tunnels are not secure
because IPsec is responsible for tunnel security.
You can use a
preshared key to create gateway-to-gateway VPN links after you disable the
automatic L2TP/IPsec policy. We recommend that you use a preshared key
only for testing. Microsoft does not support using preshared keys in
production environments.
For additional information about how to use a preshared key to configure an IPsec policy, see the following article in the Microsoft Knowledge Base:
240262 How to configure an L2TP/IPsec connection by using Preshared Key Authentication
How to disable the automatic L2TP/IPsec policy
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
You must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of an L2TP/IPsec connection. This registry value prevents the automatic filter for L2TP/IPsec traffic from being created. When the ProhibitIpSec registry value is set to 1, your Windows 2000-based computer does not create the automatic filter that uses certification authority (CA) authentication. Instead, the computer checks for a local or Active Directory directory service IPsec policy.
To add the ProhibitIpSec registry value, follow these steps:
- Start Registry Editor.
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
- On the Edit menu, click Add Value.
- Type prohibitipsec in the Value Name box, click REG_DWORD in the Data Type box, and then click OK.
- Type 1 in the Data box, and then click OK.
- Quit Registry Editor, and then restart the computer.
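As an added example (not part of this article), the following PowerShell audits the ProhibitIpSec value on one or more hosts from a management workstation, so that endpoints on which the automatic L2TP/IPsec filter has been prohibited can be found and reviewed. The host names are placeholders; the script assumes the Remote Registry service is reachable on each target and that the caller has administrative rights there.

```powershell
# Added example, not from the KB article: report the ProhibitIpSec state
# under the Rasman\Parameters key on one or more Windows hosts.
# Assumptions: placeholder host names, Remote Registry reachable, admin rights.

$SubKey = 'SYSTEM\CurrentControlSet\Services\Rasman\Parameters'

function Get-ProhibitIpSecState {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        $result = [pscustomobject]@{
            ComputerName    = $computer
            ProhibitIpSec   = $null    # raw value; $null when the value is absent
            IpSecProhibited = $false   # $true only when the value is exactly 1
            Error           = $null
        }
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key = $hklm.OpenSubKey($SubKey)
            if ($null -ne $key) {
                # An absent value means the default: the automatic
                # L2TP/IPsec filter is still created on this host.
                $raw = $key.GetValue('ProhibitIpSec', $null)
                if ($null -ne $raw) {
                    $result.ProhibitIpSec   = [int]$raw
                    $result.IpSecProhibited = ([int]$raw -eq 1)
                }
                $key.Close()
            }
            $hklm.Close()
        }
        catch {
            # Unreachable host, access denied, or Remote Registry stopped.
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

# Placeholder host names (assumed); replace with the real VPN server and clients.
Get-ProhibitIpSecState -ComputerName 'VPN-SERVER-01', 'VPN-CLIENT-01' |
    Format-Table -AutoSize
```

Hosts reporting IpSecProhibited as True will attempt L2TP without IPsec unless a local or Active Directory IPsec policy is assigned, which is the configuration the warnings in this article describe.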
Troubleshooting
If you set the ProhibitIpSec value to 1, the Routing and Remote Access VPN server does not create a
filter to use certificates for IPsec authentication. The Routing and Remote
Access VPN server uses either a local IPsec policy or an Active Directory IPsec
policy. You can configure IPsec policies on the local Routing and Remote
Access VPN server, or you can use Group Policy to push the IPsec policies to
Routing and Remote Access VPN servers.
When this policy is disabled and no domain or local IPsec policies are assigned, L2TP connections are attempted without IPsec (plain UDP port 1701 packets). If the policy has been disabled on both the client and the server, you can create an L2TP tunnel without IPsec.
WARNING If you disable IPsec for L2TP connections, you will create a severe limitation in
security. This configuration is recommended only for troubleshooting.