Description of the IPSec policy created for L2TP/IPSec (248750)
The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional

This article was previously published under Q248750

SUMMARY

Windows automatically creates an IP Security Protocol (IPSec) policy for use with Layer 2 Tunneling Protocol (L2TP)/IPSec connections. This IPSec policy uses local computer certificates for mutual authentication.

MORE INFORMATION

L2TP Server Policy Creation

The IPSec policy is automatically created by the Routing and Remote Access Services (RRAS) server, which registers the policy with the IPSec Policy agent when RRAS starts during boot. If the Policy agent is stopped or restarted, the L2TP IPSec policy is lost. If RRAS is started while the Policy agent is stopped, the policy is not created. Therefore, if the Policy agent needs to be restarted or is already stopped, you must stop and start the Policy agent and then stop and start RRAS for the policy to be created properly.

The L2TP server filters created are in the form of "Me to Any", "Source port: Any", and "Destination port: UDP 1701", where 'Me' represents the IP address(es) bound to the server computer.

L2TP Client Policy Creation

On the client, the filters are included in the Policy agent when the L2TP connection is attempted by using a connection in Network and Dial-up Connections or by using a dial-on-demand (DOD) interface in the RRAS management console. These filters are created with the following format: "Me to Server", "Source port: UDP 1701", and "Destination port: Any", where 'Server' represents the IP address the client was configured to connect to. These filters remain for the lifetime of the L2TP connection and are deleted when the connection is terminated.

Viewing the Automatic Policy

The policy is not viewable within the IP Security Policies snap-in, and is not configurable. However, you can view the policy itself by using the Netdiag tool after Policy agent and RRAS startup; also, after a connection is made, you can use Ipsecmon to view the policy/security associations that the two computers have agreed upon.

Ipsecmon

After a connection has been made, you can use the Ipsecmon utility to view the policies that are in effect. For example, you may see items similar to the following sample output for a default L2TP/IPSec connection (client-to-server or server-to-server):

Policy name: L2TP Rule
Security: ESP DES/CBC HMAC MD5
Filter name: No Name - Mirror
Source address: IP address or name of computer
Dest. address: IP address or name of computer
Protocol: UDP
Src. port: 1701
Dest. port: 0
Tunnel endpoint: <none>

Netdiag

To view the policy without an active connection, use the Netdiag tool while the policy is in effect (that is, after the Policy agent and RRAS have started). The command to view the currently active IPSec policy is:

netdiag /test:ipsec /debug

The Netdiag tool is available after installing the Windows Support Tools package. This package is located in the Support\Tools folder on the Windows CD-ROM. After you install this package, Netdiag is located in the Program Files\Support Tools folder.

Pre-Shared Keys

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

240262 How to configure a L2TP/IPSec connection using pre-shared key authentication


Modification Type: Minor
Last Reviewed: 5/4/2004
Keywords:kbinfo kbIPSec KB248750