Re: Configured IPSec Policy is not working.
From: David Beder [MSFT] (dbeder_at_online.microsoft.com)
Date: 09/09/04
- Next message: Sharoon Shetty K [MSFT]: "Re: 756 This connection is already being dialed"
- Previous message: Manjari Bonam [MSFT]: "Re: hi"
- In reply to: Senthil Kumar B: "Re: Configured IPSec Policy is not working."
- Next in thread: Senthil Kumar B: "Re: Configured IPSec Policy is not working."
- Reply: Senthil Kumar B: "Re: Configured IPSec Policy is not working."
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 9 Sep 2004 00:33:26 -0700
RRAS creates its filters fairly dynamically, so as long as you don't have
an active l2tp/ipsec connection up, you shouldn't need any rebooting.
Generally the reason corporate admins are deploying vpn connections with the
ProhibitIPSec key set is that they're currently working on a certificate/pki
deployment but aren't quite there yet and need to use a pre-shared key for
the moment-- an option which I don't think was available in the win2k ras
UI. Alternately they might have IPSec enabled NAS devices that don't have
pki support, but this is getting rarer as vpn technology matures.
Similarly, users who want to let others connect to their machines using
L2TP/IPSec might do the same, since the Incoming Connections UI does not
have pre-shared key support.
As for the RRAS filters themselves, they're fairly basic, requiring ipsec
between the local computer and the vpn server. The level of authentication
and encryption will depend on the security settings of the connection. E.g.,
if you check the option in the connection for encryption, this will map to
needing ESP with encryption.
Now, why exactly do you want to use l2tp without any ipsec protection rather
than just going with PPTP which would probably be a more secure
configuration?
--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.

"Senthil Kumar B" <anonymous@discussions.microsoft.com> wrote in message
news:06ee01c49582$49181a60$a401280a@phx.gbl...
> Thanks for the quick response. Does it mean that the user has to reboot the
> machine (as ProhibitIpSec activation requires a reboot) when he adds the
> first IPSec policy of his own? Does it also mean that the corporate admins
> enable ProhibitIpSec by default for their employee laptops?
>
> What is the default filter rule and filter policy (bypass/apply/deny)?
>
> Basically I am trying to avoid rebooting the machine. So is there any other
> way to avoid engaging the default IPSec policy of RRAS? Basically, I don't
> want to reboot the machine.
>
> Senthil
>
>> -----Original Message-----
>> Are you using the MS L2TP/IPSec vpn client? If so, ProhibitIpsec is
>> actually the way you want to go. The key isn't meant to say that ipsec is
>> going to be prohibited. Instead it means that the default ipsec policy
>> created by the RRAS engine will not be engaged (which seems to be causing
>> the policy conflict), thus allowing you to use your own ipsec policy
>> rather than that of the vpn client.
>>
>> --
>> David
>> Microsoft Windows Networking
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "Senthil Kumar B" <anonymous@discussions.microsoft.com> wrote in message
>> news:7d4301c49559$1d6c20b0$a501280a@phx.gbl...
>>> Both the server and the client have the same policies. As the IPSec
>>> Exception Policy is to permit all the protocols, to any destination from
>>> any source, I would expect L2TP to simply send the packet without any
>>> IPSec header/encryption. (Plain L2TP policy for this rule. Basically I am
>>> trying to bypass the IPSec.)
>>>
>>> Basically the problem here is that the L2TP does not even start
>>> connecting. It checks some policy in the Win2k client and throws the
>>> error message (Error 789: ...). Generally, one can avoid this error
>>> message by adding the ProhibitIpSec parameter to
>>> HKLM\CurrentControlSet\Services\Rasman\Parameters. But I still want to
>>> use IPSec policy for other things. I want the plain L2TP only for a
>>> particular source and destination (bypass IPSec) and other rules still
>>> need a different IPSec policy. So I can't use ProhibitIpSec.
>>>
>>> Please let me know if there is a way to do it.
>>>
>>>> -----Original Message-----
>>>> Do the client and server have the same policy setting (ANY source, ANY
>>>> destination and ANY protocol to be permitted)?
>>>> In general the policies on the client and server should be mirrored. If
>>>> the client policy encrypts the packets going to port 1701, then the
>>>> server should have a similar policy.
>>>>
>>>> --
>>>> Thanks,
>>>> Priya.
>>>>
>>>> ------------------
>>>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>>>
>>>> "Senthil Kumar B" <anonymous@discussions.microsoft.com> wrote in message
>>>> news:73c501c494bd$7b51e170$a301280a@phx.gbl...
>>>>> I want to do a plain L2TP test by adding an IPSec bypass policy for the
>>>>> L2TP traffic alone.
>>>>>
>>>>> I have configured a new IPSec policy (ANY source, ANY destination and
>>>>> ANY protocol to be permitted, so basically bypassing IPSec) for L2TP. I
>>>>> have restarted the IPSec Policy Agent and tried rebooting the machine
>>>>> too. But for some reason, when I try to connect using the L2TP client, I
>>>>> am getting Error 789.
>>>>>
>>>>> I hope "ProhibitIpSec" is not needed for this configuration as it is
>>>>> something to do with the IPSec policy itself.
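An added audit check, not code from this thread or from Microsoft: it reads the ProhibitIpSec value David describes and reports whether an L2TP tunnel on this machine still gets RRAS's automatic IPsec protection or now depends on a separately assigned policy. It assumes the full registry path under HKLM\SYSTEM (the thread abbreviates it) and, as an assumption from memory, the local IPsec policy store location and its ActivePolicy value; the function name is hypothetical.

```powershell
# Added example (not from the thread). ProhibitIpSec = 1 tells RRAS not to
# build its automatic L2TP/IPsec filters, so UDP 1701 is protected only if an
# administrator-assigned IPsec policy covers it. Only the local policy store is
# inspected; a domain (GPO) assigned IPsec policy is not detected here.
function Get-L2tpIpsecPosture {
    [CmdletBinding()]
    param(
        # Full form of the Rasman\Parameters path referred to in the thread.
        [string]$RasmanPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rasman\Parameters',
        # ASSUMPTION: local IPsec policy store; ActivePolicy names the assigned policy.
        [string]$IpsecStorePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'
    )

    # A missing value behaves like 0: RRAS engages its own L2TP/IPsec policy.
    $prohibit = (Get-ItemProperty -Path $RasmanPath -ErrorAction SilentlyContinue).ProhibitIpSec
    if ($null -eq $prohibit) { $prohibit = 0 }

    # Non-empty ActivePolicy means a locally assigned IPsec policy is in effect.
    $active = (Get-ItemProperty -Path $IpsecStorePath -ErrorAction SilentlyContinue).ActivePolicy
    $hasLocalPolicy = -not [string]::IsNullOrEmpty($active)

    if ($prohibit -eq 0) {
        $posture = 'OK: RRAS automatic L2TP/IPsec policy is engaged'
    } elseif ($prohibit -eq 1 -and $hasLocalPolicy) {
        $posture = 'REVIEW: automatic policy off; confirm the assigned IPsec policy covers UDP 1701'
    } elseif ($prohibit -eq 1) {
        $posture = 'RISK: automatic policy off and no local IPsec policy assigned; L2TP may run unprotected'
    } else {
        $posture = "UNKNOWN: unexpected ProhibitIpSec value $prohibit"
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        ProhibitIpSec = [int]$prohibit
        ActivePolicy  = $active
        Posture       = $posture
    }
}

Get-L2tpIpsecPosture | Format-List
```

Run it as an administrator on the client or RRAS server; a REVIEW or RISK result is the case the thread is about, where the tunnel's protection rests entirely on the policy the admin wrote rather than on RRAS's own filters.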