Re: Configured IPSec Policy is not working.
From: Senthil Kumar B (anonymous_at_discussions.microsoft.com)
Date: 09/09/04
- Next message: Senthil Kumar B: "L2TP standard port change feature gives some problem in Win2k server"
- Previous message: Spider: "Re: 756 This connection is already being dialed"
- In reply to: David Beder [MSFT]: "Re: Configured IPSec Policy is not working."
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 9 Sep 2004 05:46:44 -0700
I am doing some testing and don't want to handle PPTP (as
I need to handle the GRE packets in the raw socket...).
So I am looking for a plain L2TP without IPSec for this
case alone.
Thanks for your help.
Senthil
>-----Original Message-----
>RRAS creates its filters fairly dynamically, so as long as you don't have
>an active l2tp/ipsec connection up, you shouldn't need any rebooting.
>
>Generally the reason corporate admins are deploying vpn connections with the
>ProhibitIPSec key set is that they're currently working on a certificate/pki
>deployment but aren't quite there yet and need to use a pre-shared key for
>the moment-- an option which I don't think was available in the win2k ras
>UI. Alternately they might have IPSec-enabled NAS devices that don't have
>pki support, but this is getting rarer as vpn technology matures.
>Similarly users who want to let others connect to their machines using
>L2TP/IPSec might do the same since the Incoming Connections UI does not
>have pre-shared key support.
>
>As for the RRAS filters themselves, they're fairly basic, requiring ipsec
>between the local computer and the vpn server. The level of authentication
>and encryption will depend on the security settings of the connection. E.g.,
>if you check the option in the connection for encryption, this will map to
>needing ESP with encryption.
>
>Now, why exactly do you want to use l2tp without any ipsec protection rather
>than just going with PPTP which would probably be a more secure
>configuration?
>
>--
>David
>Microsoft Windows Networking
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>"Senthil Kumar B" <anonymous@discussions.microsoft.com> wrote in message
>news:06ee01c49582$49181a60$a401280a@phx.gbl...
>> Thanks for the quick response. Does it mean that the user
>> has to reboot the machine (as ProhibitIpSec activation
>> requires a reboot) when he adds the first IPSec policy of
>> his own? Does it also mean that the corporate Admins
>> enable ProhibitIpSec by default for their employee laptops?
>>
>> What is the default filter rule and filter policy
>> (Bypass/apply/deny)?
>>
>> Basically I am trying to avoid rebooting the machine. So
>> is there any other way to avoid engaging the default IPSec
>> policy of RRAS? Basically, I don't want to reboot the
>> machine.
>>
>> Senthil
>>
>>>-----Original Message-----
>>>Are you using the MS L2TP/IPSec vpn client? If so,
>>>ProhibitIpsec is actually the way you want to go. The key
>>>isn't meant to say that ipsec is going to be prohibited.
>>>Instead it means that the default ipsec policy created by
>>>the RRAS engine will not be engaged (which seems to be
>>>causing the policy conflict), thus allowing you to use
>>>your own ipsec policy rather than that of the vpn client.
>>>
>>>--
>>>David
>>>Microsoft Windows Networking
>>>This posting is provided "AS IS" with no warranties, and
>>>confers no rights.
>>>
>>>
>>>"Senthil Kumar B" <anonymous@discussions.microsoft.com>
>>>wrote in message
>>>news:7d4301c49559$1d6c20b0$a501280a@phx.gbl...
>>>> Both the server and the client have the same policies.
>>>> As the IPSec Exception Policy is to permit all the
>>>> protocols, to any destination from any source, I would
>>>> expect L2TP to simply send the packet without any IPSec
>>>> header/encryption. (Plain L2TP policy for this rule.
>>>> Basically I am trying to bypass the IPSec.)
>>>>
>>>> Basically the problem here is that the L2TP does not
>>>> even start connecting. It checks some policy in the Win2k
>>>> client and throws the error message (Error 789:...).
>>>> Generally, one can avoid this error message by adding the
>>>> ProhibitIpSec parameter to
>>>> HKLM>CurrentControlSet>services>Rasman>Parameters. But I
>>>> still want to use IPSec policy for other things. I want
>>>> the plain L2TP only for a particular source and
>>>> destination (bypass IPSec) and other rules still need a
>>>> different IPSec policy. So I can't use ProhibitIpSec.
>>>>
>>>> Please let me know if there is a way to do it.
>>>>
>>>>
>>>>>-----Original Message-----
>>>>>Do the client and server have the same policy setting
>>>>>(ANY source, ANY destination and ANY protocol to be
>>>>>permitted)?
>>>>>In general the policies on the client and server should
>>>>>be mirrored. If the client policy encrypts the packets
>>>>>going to 1701 port, then the server should have a
>>>>>similar policy.
>>>>>
>>>>>--
>>>>>Thanks,
>>>>>Priya.
>>>>>
>>>>>------------------
>>>>>This posting is provided "AS IS" with no warranties,
>>>>>and confers no rights.
>>>>>
>>>>>
>>>>>"Senthil Kumar B" <anonymous@discussions.microsoft.com>
>>>>>wrote in message
>>>>>news:73c501c494bd$7b51e170$a301280a@phx.gbl...
>>>>>> I want to do a plain L2TP testing by adding an IPSec
>>>>>> bypass policy for the L2TP traffic alone.
>>>>>>
>>>>>> I have configured a new IPSec policy (ANY source, ANY
>>>>>> destination and ANY protocol to be permitted, so
>>>>>> basically bypassing IPSec) for L2TP. I have restarted
>>>>>> the IPSec Policy Agent and tried rebooting the machine
>>>>>> too. But for some reason, when I try to connect using
>>>>>> the L2TP client, I am getting Error 789.
>>>>>>
>>>>>> I hope "ProhibitIpSec" is not needed for this
>>>>>> configuration as it is something to do with IPSec
>>>>>> policy itself.
>>>>>
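As an added defender-side check (not code from this thread, nor from Microsoft), the following PowerShell reads the RasMan ProhibitIpSec value the thread discusses and reports whether RRAS will still engage its automatic L2TP/IPSec filter; the full key path under HKLM\SYSTEM is an assumption based on the documented RasMan location, and the script only reads, never writes.

```powershell
# Audit helper (added example, not from the thread). Reports whether the
# ProhibitIpSec value is set, i.e. whether RRAS skips its automatic
# L2TP/IPSec filter so that L2TP (UDP 1701) may run without IPSec.
# Assumed key path: HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
function Get-L2tpIpsecPolicyState {
    [CmdletBinding()]
    param(
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
    )

    $value = $null
    if (Test-Path -Path $KeyPath) {
        $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
        if ($null -ne $props -and $props.PSObject.Properties['ProhibitIpSec']) {
            $value = [int]$props.ProhibitIpSec
        }
    }

    # Absent or 0: RRAS engages its default policy, so L2TP must run over IPSec.
    # 1: the default policy is not engaged; only a custom IPSec policy, if any,
    #    protects the tunnel. The thread notes that a change to this value
    #    only takes effect after a reboot (or once no L2TP/IPSec connection is
    #    active), so the value read here may not yet be the one in force.
    $defaultEngaged = ($null -eq $value) -or ($value -eq 0)

    if ($defaultEngaged) {
        $assessment = 'RRAS-created IPSec filter applies: L2TP requires IPSec.'
    } else {
        $assessment = 'RRAS IPSec filter disabled: L2TP may carry PPP in the clear ' +
                      'unless a custom IPSec policy covers UDP 1701. Verify the active policy.'
    }

    [PSCustomObject]@{
        KeyPath              = $KeyPath
        ProhibitIpSec        = $value
        DefaultRrasIpsecUsed = $defaultEngaged
        Assessment           = $assessment
    }
}

Get-L2tpIpsecPolicyState | Format-List
```

Run it in an elevated session on the RAS client or server being audited; a result of DefaultRrasIpsecUsed = False is the configuration David's reply flags as less secure than PPTP unless a custom IPSec policy is in place.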