Configuring Windows 2000 for L2TP over IPSec with PSK
-----------------------------------------------------

Author: Stephan Scholz
Version: 1.0
Date: 20.4.2004


Abstract
--------

This document is a tutorial on how to configure Windows 2000 to use a
pre-shared key (PSK) as IPSec authentication for L2TP. Since Windows 2000
(in contrast to Windows XP) does not offer the selection of a PSK in the
network connection wizard, the PSK and the IPSec connection need to be
configured manually.

Warning: This should be used by experienced users only!


Tutorial
--------

1. Enable the usage of local IPSec policies (registry editor)

   - Start the registry editor by entering "regedit" at "Start->Run"
   - Traverse to:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
   - Add a new registry entry in this section by selecting
     "Edit->New->DWORD Value". Enter the name: ProhibitIpSec
   - Double-click on the new item and change its value data to "1"
   - Exit regedit
   - Reboot your computer for the changes to take effect

2. Configure the IPSec policy (management console)

   - Start the management console by entering "mmc" at "Start->Run"
   - Select the menu "Console->Add/Remove Snap-in"
   - Click on "Add"
   - Select "IP Security Policy Management" from the list
   - Click on "Add", then on "Finish", afterwards on "Close", then on "OK"
   - Right-click on "IP Security Policies on Local Machine" in the tree
     view, and select "Create IP Security Policy"
   - The IPSec Policy Wizard shows up. Click on "Next"
   - Enter a name for your new policy, e.g. "L2TP Roadwarrior". Click on
     "Next"
   - Disable the option "Activate the default response rule". Click on
     "Next"
   - Make sure that "Edit properties" is selected. Click on "Finish"
   - In the dialog box, click on "Add"
   - The Security Rule Wizard shows up. Click on "Next"
   - Select "This rule does not specify a tunnel" and click on "Next"
   - Select "All network connections" and click on "Next"
   - Select "Use this string to protect the key exchange (preshared key)",
     enter the IPSec PSK in the corresponding field and click on "Next"
   - In the IP Filter List dialog box, click on "Add"
   - Enter the name of your filter list (e.g. "L2TP filter list") and
     click on "Add"
   - The IP Filter Wizard shows up. Click on "Next"
   - As "Source address", select "My IP Address" and click on "Next"
   - As "Destination address", select "A specific IP Address" and enter
     the IP address of your L2TP/IPSec gateway. Click on "Next"
   - Select "UDP" as protocol type and click on "Next"
   - Select "From this port" and enter "1701" in the corresponding field.
     Select "To this port" and enter "1701" in the corresponding field.
     Afterwards click on "Next"
   - Make sure that the "Edit properties" option is disabled and click on
     "Finish"
   - Click on "Close" to close the IP Filter List dialog box
   - In the Security Rule Wizard, select your newly created filter list
     and click on "Next"
   - Select the "Require Security" option and click on "Edit"
   - Disable the "Accept unsecured communication, but always respond using
     IPSec" option and click on "OK" to close the dialog box
   - Click on "Next"
   - Make sure that the "Edit properties" option is deactivated, and click
     on "Finish"
   - Click on "Close" to close the dialog box
   - Your new policy should show up on the right side of the mmc window.
     Right-click on the policy and select "Assign" to activate it
   - Close the mmc

3. Restart the IPSec service

   - Start the service manager by entering "services.msc" at "Start->Run"
   - Restart the "IPSEC Policy Agent"

4. Configure the L2TP connection (network connections)

   - Open the network connections configuration via
     "Start->Settings->Network and Dial-up Connections"
   - Double-click on "Make New Connection"
   - The Network Connection Wizard shows up. Click on "Next"
   - Select "Connect to a private network through the Internet" and click
     on "Next"
   - Select "Do not dial the initial connection" and click on "Next"
   - Enter the IP address of your VPN gateway and click on "Next"
   - Select either "For all users" or "Only for myself", at your choice,
     and click on "Next"
   - Enter a name of your choice, e.g. "L2TP to office", and click on
     "Finish"
   - In the login window, click on "Properties"
   - Select the tab "Security" and disable the option "Require data
     encryption (disconnect if none)"
   - Select the tab "Networking" and select "Layer-2 Tunneling Protocol
     (L2TP)" for "Type of VPN server I am calling"
   - Click on "OK" to close the properties dialog box
   - Enter your user name and password

5. Initiate the connection

   - Click on the "Connect" button


Links
-----

Microsoft Knowledge Base Article - 240262: "How to Configure an L2TP/IPSec
Connection Using Pre-shared Key Authentication":
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q240/2/62.asp&NoWebContent=1

"Using FreeS/WAN with Windows L2TP/IPsec":
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html

NAT-T Patches for Win2K and WinXP:
ftp://support:AstaroSupport04@ftp.astaro.de/IPSec_NAT-T_Patch_818043/