Has anyone got Win2K RRAS <-> XP Pre-Shared Keys to work through VPN?

Greg West

I am attempting to use IPSec/L2TP Pre-Shared Keys to authenticate
between XP clients and a Windows 2000 RRAS server. Yes, I know
Pre-Shared Keys are not directly supported by Microsoft.

I have read article http://support.microsoft.com/kb/240262/EN-US but
that talks about connecting 2 Win2K RRAS servers over a LAN. I have
created a new security policy as per the article but since I am new to
security I really don't know if I have configured it correctly. I set
the key on the VPN connection to match what I configured in the new
security policy.

I also added the registry entry as described in the article to the
Win2K RRAS server but it didn't help.

Has anyone been able to get this to work? I would be very grateful
for any help.

Greg
 
Steven L Umbach

I have not read of anyone being able to do such and due to the fact that it
is not hard to set up a Certificate Authority to issue computer certificates
for the VPN server and client computers it would be surprising if many have
actually tried. Since you have a W2K server, you could also make it a CA to
issue certificates which would be much easier and more secure than creating
custom ipsec policies using preshared keys. The links below show the basics
of setting up a CA to issue ipsec certificates for l2tp. For a non domain
you would need to install a stand alone CA as an Enterprise CA can only
exist in AD domains.

http://www.microsoft.com/windows2000/techinfo/planning/security/casetupsteps.asp -- setup CA
http://www.microsoft.com/windows2000/techinfo/planning/security/cawebsteps.asp -- Web Enrollment
http://support.microsoft.com/kb/253498/EN-US/ -- how to install ipsec certificate.

Other considerations are that l2tp will not work if NAT is used in the VPN
connection, which is what most of the home and small business
"router/firewalls" use to provide internet access and the proper ports must
be opened on firewalls in the path to the VPN server. L2tp VPN server
requires traffic to be allowed for ports 500 and 1701 UDP and also allow
ESP/protocol 50 often referred to as l2tp or ipsec passthrough. The router
on the client end would also need to be configured to allow l2tp/ipsec
passthrough. Pptp will work fine through NAT devices and can also be a very
secure VPN for most applications as long as mschapv2 user authentication is
used along with complex user passwords. -- Steve
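A small path check built around the three flows Steve lists (IKE on UDP 500, L2TP on UDP 1701, ESP as IP protocol 50). This is an added example, not code from the thread; the firewall log format, the addresses and the `l2tp_ipsec_path_check` helper are constructed for illustration, and a real firewall's log lines would need their own regex.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Flows an L2TP/IPsec VPN server needs, as listed in the post above:
# IKE on UDP 500, L2TP on UDP 1701, and ESP (IP protocol 50).
REQUIRED_FLOWS: Dict[str, Tuple[str, Optional[int]]] = {
    "IKE (UDP 500)": ("UDP", 500),
    "L2TP (UDP 1701)": ("UDP", 1701),
    "ESP (IP protocol 50)": ("ESP", None),
}

# Constructed log format (hypothetical firewall): "<action> <proto> <src> -> <dst>",
# where TCP/UDP endpoints carry ":port" and ESP endpoints carry no port.
LOG_RE = re.compile(
    r"^(?P<action>ALLOW|DROP)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def classify(line: str, vpn_server: str) -> Optional[Tuple[str, str]]:
    """Return (flow_name, action) if the line is a required flow to vpn_server, else None."""
    m = LOG_RE.match(line.strip())
    if not m or m["dst"] != vpn_server:
        return None
    proto = m["proto"].upper()
    dport = int(m["dport"]) if m["dport"] else None
    for name, (req_proto, req_port) in REQUIRED_FLOWS.items():
        if proto == req_proto and dport == req_port:
            return name, m["action"]
    return None

def l2tp_ipsec_path_check(log_lines: List[str], vpn_server: str) -> Dict[str, List[str]]:
    """Summarise which required flows were allowed, dropped, or never seen at all."""
    seen: Dict[str, Set[str]] = {name: set() for name in REQUIRED_FLOWS}
    for line in log_lines:
        hit = classify(line, vpn_server)
        if hit:
            seen[hit[0]].add(hit[1])
    return {
        "allowed": sorted(n for n, a in seen.items() if "ALLOW" in a),
        "dropped": sorted(n for n, a in seen.items() if "DROP" in a),
        "not_observed": sorted(n for n, a in seen.items() if not a),
    }

# Constructed sample: IKE gets through but the firewall drops ESP. L2TP on
# UDP 1701 travels inside ESP, so a path firewall that drops ESP never sees it.
SAMPLE_LOG = [
    "ALLOW UDP 203.0.113.5:500 -> 198.51.100.10:500",
    "DROP ESP 203.0.113.5 -> 198.51.100.10",
    "ALLOW TCP 203.0.113.5:51000 -> 198.51.100.10:80",
]
```

A "not_observed" entry for L2TP alongside a dropped ESP is the signature of the passthrough problem described above, rather than a missing UDP 1701 rule.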
 
Robert L [MS-MVP]

I did work on a few cases like this. I think the article is clear,
especially the Tunnel setting. Try to use netdiag to troubleshoot it.
Quoted from http://www.ChicagoTech.net:
How to use Netdiag to view the policies of IPSec/L2TP
Without an active IPSec/L2TP connection, you can use netdiag to view the
policy of IPSec/L2TP, for example, netdiag /test:ipsec /debug.


--
For more and other information, go to http://www.ChicagoTech.net

Don't send e-mail or reply to me except you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
Networking Solutions, http://www.chicagotech.net/networksolutions.htm
VPN Solutions, http://www.chicagotech.net/vpnsolutions.htm
VPN Process and Error Analysis, http://www.chicagotech.net/VPN process.htm
VPN Troubleshooting, http://www.chicagotech.net/vpn.htm
This posting is provided "AS IS" with no warranties.
 
Steve Clark [MSFT]

Who told you PSK are not supported by Microsoft?

That feature is 100% supported. It's not recommended to use PSK in a domain
scenario where the PSK is written to the domain NC, since anyone that can
enumerate the domain NC can view the PSK.
 
Greg West

I called up Microsoft Technical Support and they told me it was not
directly supported.

To quote the Microsoft support article
http://support.microsoft.com/kb/240262/EN-US/

"Although Microsoft does not support or recommend the use of a
preshare key for IKE authentication on remote access L2TP/IPSec client
connections..."

Are you able to help me?

Greg
 
Steve Clark [MSFT]

Ok, I see where we are now.

So to clarify, PSK is supported in transport mode and IPsec tunnel mode, but
*not* for Remote Access scenarios.

I thought the inference here was that PSK itself was not a supported AuthN
mechanism, which is not the case.
 
