Configured IPSec Policy is not working.

[Senthil Kumar B]

I want to do a plain L2TP testing by adding a IPSec bypass
policy for the L2TP traffic alone.

I have configured a new IPSec policy (ANY source, ANY
destination and ANY protocol to be permitted, so basically
bypassing IPSec) for L2TP. I have restarted the IPSec
Policy Agent and tried rebooting the machine too. But for
some reason, when i try to connect using L2TP client, I am
getting Error 789:.

I hope "ProhibitIpSec" is not needed for this
configuration as it is something to do with IPSec policy
itself.

 

[Priya Raghavan [MSFT]]

Do the client and server have the same policy setting (ANY source, ANY
destination and ANY protocol to be permitted ) ?
In general the policies on the client and server should be mirrored. If the
client policy encrypts the packets going to 1701 port, then the server
should have a similar policy.

 

[Senthil Kumar B]

Both the server and the client have the same policies. As
the IPSec Exception Policy is to premit all the protocols,
to any destination from any source, i would expect L2TP to
simply send the packet without any IPSec
header/Encryption. (Plain L2TP policy for this rule.
Basically I am trying to Bypass the IPSec).

Basically the problem here is that the L2TP is not even
start connecting. It checks some policy in the Win2k
client and throwing the error message (Error 789:...).
Generally, one can avoid this error messge by adding
ProhibitIpSec parameter to HKLM>CurrentControlSet-services-

Rasman>Parameters. But I still want to use IPSec policy

for other things. I want the Plain L2TP only for a
particular source and destianation(by passs IPSec) and
other rules still need a differenet IPSec policy. So I
can't use ProhibitIpSec.

Please let me know if there is a way to do it.

 

[David Beder [MSFT]]

Are you using the MS L2TP/IPSec vpn client? If so, ProhibitIpsec is actually
the way you want to go. The key isn't meant to say that ipsec is going to be
prohibited. Instead it means that the default ipsec policy created by the
RRAs engine will not be engaged (which seems to be causing the policy
conflict), thus allowing you to use your own ipsec policy rather than that
of the vpn client.

 

[Senthil Kumar B]

Thanks for the quick response. Does it mean that the user
has to reboot the machine (as ProhibitIpSec activation
requires a reboot)when he adds the first IPSec policy of
his own.? Does it also mean that the corporate Admins
enable ProhibitIpSec by default for their employee laptops?

What is the default filter rule and filter policy
(Bypass/apply/deny)?

Basically I am trying to avoid rebooting the machine. So
Is there any other way to avoid engaging the default IPSec
policy of RRAS ? Basically, I don't want to reboot the
machine.

Senthil

 

[David Beder [MSFT]]

RRAS creates it's filters fairly dynamically, so as long as you don't have
an active l2tp/ipsec connection up, you shouldn't need any rebooting.

Generally the reason corporate admins are deploying vpn connections with the
ProhibitIPSec key set is that they're currently working on a certificate/pki
deployment but aren't quite there yet and need to use a pre-shared key for
the moment-- an option which I don't think was available in the win2k ras
UI. Alternately they might have IPSec enabled NAS devices that don't have
pki support, but this is getting rarer as vpn technology matures.
Similarly users who want to let others connect to their machines using
L2TP/IPSec, might do the same since the Incomming Connections UI does not
have pre-shared key support.

As for the RRAS filters themselves, they're fairly basic, requiring ipsec
between the local computer and the vpn server. The level of authentication
and encryption will depend on the security settings of the connection. eg,
if you check the option in the connection for encryption, this will map to
needing ESP with encryption.

Now, why exactly do you want to use l2tp without any ipsec protection rather
than just going with PPTP which would probably be a more secure
configuration?

 

[Senthil Kumar B]

I am doing some testing and don't want to handle PPTP (as
i need to handle the GRE packets in the raw socket...)

So I am looking for a plain l2tp without IPSec for this
case alone.

thanks for your help.

Senthil