Windows 2000 RRAS and IPSec/L2TP VPN

Brett Charlton

Hi

I wonder if someone can help please? I've managed to set up a Windows
2000 Server on our LAN as RRAS server allowing PPTP connections. I
can forward PPTP traffic from our firewall to the RRAS server and thus
have a secure PPTP VPN. However, I want to be able to use IPSec/L2TP
instead. Please can someone point me in the right direction of a
how-to or step-by-step instruction guide on setting up a Windows 2000
Server VPN using IPSec/L2TP behind a firewall (what ports will I need
to forward from the firewall?). We also don't have any certificates
at present so I will need some instructions on obtaining / installing
certs too.

Be most grateful for some advice.

Regards

Brett

Shilpa Sinha [MSFT]

Hi

Maybe this will help

How to Configure an L2TP/IPSec Connection Using Pre-shared Key Authentication

IMPORTANT: This article contains information about modifying the registry.
Before you modify the registry, make sure to back it up and make sure that
you understand how to restore the registry if a problem occurs. For
information about how to back up, restore, and edit the registry, click the
following article number to view the article in the Microsoft Knowledge
Base:
256986 - Description of the Microsoft Windows Registry
http://support.microsoft.com/default.aspx?scid=kb;EN-US;256986

SUMMARY
===============
Windows 2000 automatically creates an Internet Protocol Security (IPSec)
policy to be used with Layer 2 Tunneling Protocol (L2TP)/IPSec connections
that requires a certificate for Internet Key Exchange (IKE) authentication.

Although Microsoft does not support or recommend the use of a preshared key
for IKE authentication on remote access L2TP/IPSec client connections
(it should be used for testing only), Windows 2000 is compliant with IKE RFC
2409 and provides a way to implement it. L2TP/IPSec gateway-to-gateway VPN
implementations using a preshared key for IKE authentication are
supported.

To implement the Pre-shared Key authentication method for use with an
L2TP/IPSec connection:

o You must add the ProhibitIpSec registry value to both Windows 2000-based
endpoint computers.
o You must manually configure an IPSec policy before an L2TP/IPSec
connection can be established between two Windows 2000-based computers.

This article describes how to configure two Windows 2000-based Routing and
Remote Access Service (RRAS) servers that are connected over a Local Area
Network (LAN) to use an L2TP/IPSec connection with Pre-shared Key
authentication. Also included is information about how to configure an
IPSec policy to accept connections using multiple Pre-shared Keys or CAs.

The reasons Microsoft does not support a preshared key for L2TP/IPSec VPN
clients are:

o It subjects a secure protocol to a well-known insecure usage problem
(choosing passwords) - published attacks have been shown to expose weak
preshared keys.
o It is not securely deployable. Because access to the company gateway is
required by the user that is configuring a preshared key, many users will
know this, and it becomes a "group preshared key". A long preshared key
would almost certainly need to be written down. Individual systems' access
could not be revoked until the whole group had switched to a new preshared
key.
o As Microsoft has documented in online help, resource kit chapters, and
in Q248711 in the Microsoft Knowledge Base, the Windows 2000 IPSec
preshared key is provided only for RFC compliance, for interop testing, and
interoperability where security is not a concern. The preshared key is
stored in the local registry which only local administrators have read
access to, but local administrators have to know it, set it, and thus any
local administrator can see it in the future or change it.
o The support cost of using a preshared key both for customers and for
Microsoft would be high.
o Getting a Windows 2000-based computer certificate can be as easy as a
Web page request, or even easier by using Windows 2000 Group Policy
autoenrollment when the Windows 2000-based client is a member of a Windows
2000 domain (and is the secure method for deploying IPSec-based VPN in
general).

Microsoft does support VPN L2TP/IPSec tunnels gateway-to-gateway with a
preshared key because it must be configured locally on that gateway by a
very knowledgeable gateway administrator on a per-static IP basis. IPSec
tunnels are only supported where static IP addresses are used, and for
address-based policy selectors only, not port and protocol. Microsoft
recommends using L2TP/IPSec for gateway-to-gateway. Use IPSec tunnel mode
for gateway-to-gateway only if L2TP/IPSec is not an option.

MORE INFORMATION
=========================
WARNING: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using
Registry Editor incorrectly. Use Registry Editor at your own risk.

You must add the ProhibitIpSec registry value to each Windows 2000-based
endpoint computer of an L2TP/IPSec connection to prevent the automatic
filter for L2TP/IPSec traffic from being created. When the ProhibitIpSec
registry value is set to 1, your Windows 2000-based computer does not
create the automatic filter that uses CA authentication. Instead, it checks
for a local or Active Directory IPSec policy. To add the ProhibitIpSec
registry value to your Windows 2000-based computer, use Registry Editor
(Regedt32.exe) to locate the following key in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

Add the following registry value to this key:

Value Name: ProhibitIpSec
Data Type: REG_DWORD
Value: 1

Note that you must restart your Windows 2000-based computer for the changes
to take effect.

How to Create an IPSec Policy for Use with L2TP/IPSec Connections Using a
Pre-shared Key

NOTE: The following procedure assumes the ProhibitIpSec registry value
described earlier in this article has already been added to both Windows
2000-based RRAS endpoint servers, and that the Windows 2000-based RRAS
endpoint servers have been restarted.

1. Click Start, click Run, type mmc, and then click OK.
2. Click Console, click Add/Remove Snap-in, click Add, click IP Security
Policy Management, click Finish, click Close, and then click OK.
3. Right-click IP Security Policies on Local Machine, click Create IP
Security Policy, and then click Next.
4. In the IP Security Policy Name dialog box, type the name for the IP
Security policy in the Name box, and then click Next.
5. In the Requests for Secure Communication dialog box, click to clear the
Activate the default response rule check box, and then click Next.
6. Click to select the Edit Properties check box, and then click Finish.
7. In the New IP Security Policy Properties dialog box, on the Rules tab,
click Add, and then click Next.
8. In the Tunnel Endpoint dialog box, click This rule does not specify a
tunnel, and then click Next.
9. In the Network Type dialog box, click All network connections, and then
click Next.
10. In the Authentication Method dialog box, click Use this string to
protect the key exchange (pre-shared key), type a pre-shared key, and then
click Next.
11. In the IP Filter List dialog box, click Add, type a name for the IP
filter list in the Name box, click Add, and then click Next.
12. In the IP Traffic Source dialog box, click A specific IP Address in
the Source address box, type the Transmission Control Protocol/Internet
Protocol (TCP/IP) address of the source Windows 2000-based RRAS server in
the IP Address box, and then click Next.

NOTE: The source address used on each Windows 2000-based RRAS endpoint
server must match. For example, if the source address is 1.1.1.1, you must
use 1.1.1.1 as a source address on both Windows 2000-based RRAS endpoint
servers.

13. In the IP Traffic Destination dialog box, click A specific IP Address
in the Destination address box, type the TCP/IP address of the destination
Windows 2000-based RRAS server, and then click Next.

NOTE: The destination address used on each Windows 2000-based RRAS
endpoint server must match. For example, if the destination address is
2.2.2.2, you must use 2.2.2.2 as a destination address on both Windows
2000-based RRAS endpoint servers.

14. In the IP Protocol Type dialog box, click UDP in the Select a protocol
type box, and then click Next.
15. In the IP Protocol Port dialog box, click From this port, type 1701 in
the From this port box, click To any port, and then click Next.
16. Click to select the Edit properties check box, click Finish, click to
select the Mirrored. Also match packets with the exact opposite source and
destination addresses check box in the Filter Properties dialog box, click
OK, and then click Close.
17. In the IP Filter List dialog box, click the IP filter you just
created, and then click Next.
18. In the Filter Action dialog box, click Add and create a new Filter
Action specifying which Integrity and Encryption algorithms to be used.

NOTE: This new Filter Action must have "Accept unsecured communication,
but always respond using IPSec" disabled to be secure.

19. Click Next, click Finish, and then click Close.
20. Right-click the IPSec policy you just created, and then click Assign.

NOTE: You must configure both Windows 2000-based RRAS endpoint servers the
exact same way. The IPSec filter is viewed from one side of the connection
when it is set up on the first Windows 2000-based RRAS endpoint server, and
then a replica of the IPSec filter is created on the second Windows
2000-based RRAS endpoint server. Based on the example described earlier in
this article, if the first Windows 2000-based RRAS endpoint server has a
TCP/IP address of 1.1.1.1, and the second Windows 2000-based RRAS endpoint
server has a TCP/IP address of 2.2.2.2, a filter would be created within
the IPSec policy on both Windows 2000-based RRAS endpoint servers with a
source address of 1.1.1.1, and a destination address of 2.2.2.2. This
permits either Windows 2000-based RRAS endpoint server to initiate the
connection.

How to Configure an IPSec Policy to Accept Connections Using Multiple
Pre-shared Keys or CAs

After a policy is created with a filter using a Pre-shared Key, it is
necessary to create an additional rule within the IPSec policy for other
connections requiring different Pre-shared Keys or CAs.

For additional information about automatic filters created by Windows 2000
that use CAs, click the article number below to view the article in the
Microsoft Knowledge Base:

248750 - Description of the Automatic Filter Created for Use with
L2TP/IPSec
253498 - How to Install a Certificate for Use with IP Security

Also check the white papers at the following Microsoft Web sites:

http://www.microsoft.com/windows2000/techinfo/howitworks/security/ip_security.asp

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

The information in this article applies to:

o Microsoft Windows 2000 Server
o Microsoft Windows 2000 Advanced Server
o Microsoft Windows 2000 Professional
o Microsoft Windows 2000 Datacenter Server

Reference Link:
http://support.microsoft.com/default.aspx?scid=kb;en-us;240262&Product=win2000

Shilpa Sinha
This posting is provided "AS IS" with no warranties, and confers no rights.
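As an added example (not part of the thread above or of the Microsoft KB text it quotes), the following Python model walks through the filter that steps 11 to 16 build and the "configure both servers the exact same way" note after step 20. It encodes the wizard's choices as data (specific source and destination address, UDP, "From this port" 1701, "To any port", the Mirrored check box) and shows why one identical, mirrored filter on both RRAS servers lets either side initiate, while the same filter without mirroring only covers one direction. The addresses 1.1.1.1 and 2.2.2.2 are the article's own placeholders; the matching rules, including the assumption that a mirrored filter swaps ports as well as addresses, are this model's reading of the wizard text, not a dump of the real Windows 2000 policy agent.

```python
"""Model of the Windows 2000 IPSec filter built in steps 11-16 of the article.

Added example, not code from the thread or the Microsoft KB article. Field
names follow the MMC wizard; the matching rules (exact address match,
protocol match, "From this port" / "To any port", and the "Mirrored" check
box swapping source and destination, ports included) are this model's
assumptions about the wizard text, not the real policy agent's behaviour.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str  # "UDP", "TCP", ...
    sport: int
    dport: int


@dataclass(frozen=True)
class IpFilter:
    src: str                  # step 12: "A specific IP Address" (source)
    dst: str                  # step 13: "A specific IP Address" (destination)
    protocol: str             # step 14: UDP
    from_port: Optional[int]  # step 15: "From this port" 1701
    to_port: Optional[int]    # step 15: "To any port" -> None
    mirrored: bool            # step 16: "Mirrored" check box

    @staticmethod
    def _one_way(pkt: Packet, src: str, dst: str, protocol: str,
                 from_port: Optional[int], to_port: Optional[int]) -> bool:
        if ip_address(pkt.src) != ip_address(src):
            return False
        if ip_address(pkt.dst) != ip_address(dst):
            return False
        if pkt.protocol.upper() != protocol.upper():
            return False
        if from_port is not None and pkt.sport != from_port:
            return False
        if to_port is not None and pkt.dport != to_port:
            return False
        return True

    def matches(self, pkt: Packet) -> bool:
        if self._one_way(pkt, self.src, self.dst, self.protocol,
                         self.from_port, self.to_port):
            return True
        if not self.mirrored:
            return False
        # Mirrored: "also match packets with the exact opposite source and
        # destination addresses". Assumption of this model: ports swap too.
        return self._one_way(pkt, self.dst, self.src, self.protocol,
                             self.to_port, self.from_port)


# The filter the article has you create identically on BOTH RRAS servers,
# using its example addresses 1.1.1.1 (first server) and 2.2.2.2 (second).
ARTICLE_FILTER = IpFilter(src="1.1.1.1", dst="2.2.2.2", protocol="UDP",
                          from_port=1701, to_port=None, mirrored=True)


def l2tp_packet(sender: str, receiver: str) -> Packet:
    """An L2TP control packet (UDP 1701 -> 1701) from sender to receiver."""
    return Packet(src=sender, dst=receiver, protocol="UDP", sport=1701, dport=1701)


def direction_coverage(flt: IpFilter, first: str, second: str) -> dict:
    """Which L2TP directions a filter installed on both servers would secure."""
    return {
        "first_to_second": flt.matches(l2tp_packet(first, second)),
        "second_to_first": flt.matches(l2tp_packet(second, first)),
    }


if __name__ == "__main__":
    print("mirrored   :", direction_coverage(ARTICLE_FILTER, "1.1.1.1", "2.2.2.2"))
    unmirrored = IpFilter(src="1.1.1.1", dst="2.2.2.2", protocol="UDP",
                          from_port=1701, to_port=None, mirrored=False)
    print("unmirrored :", direction_coverage(unmirrored, "1.1.1.1", "2.2.2.2"))
    # IKE (UDP 500) is not L2TP traffic; this filter does not cover it.
    print("IKE matched:", ARTICLE_FILTER.matches(Packet("1.1.1.1", "2.2.2.2", "UDP", 500, 500)))
```

With the mirrored filter both directions are covered, so either server can open the tunnel and the replies are covered as well. Without mirroring only 1.1.1.1 -> 2.2.2.2 matches: the second server can never initiate, and even a tunnel started by the first server has its return traffic fall outside the filter, which is why the article insists on the Mirrored check box and on an identical filter on both endpoints.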