Comments on: l2tp over IPSec scenario

By: tnk

tnk — Wed, 22 Dec 2010 09:34:38 +0000

Hi Maksim,
it has been long time since I wrote this article and I am fairly sure it has been working then. I think the system was win XP (SP1 or maybe SP2?). But it is entirely possible that this does not work anymore on SP3/vista/win7. As I have no longer access to the equipment to test it I have no way of updating this article if it indeed does not work… If you have any more information I would appreciate that.
TNK

By: Maksim

Maksim — Wed, 22 Dec 2010 08:18:02 +0000

Hi,
with this registry it sure will not use IPSEC for L2TP client. You can check with wireshark (it will not even start IKE – udp 500, instead it will use udp 1701).

By: tnk

tnk — Tue, 23 Mar 2010 14:27:18 +0000

Well this article has been written as a response to the people complaining that they cannot use Huawei routers as an VPN concentrator and that Huawei does not have any VPN client etc. I just used tools native to both Huawei and Windows to prove that such a configuration is possible. I believe that there is much more options of configuring and tweaking up both sides of the VPN.
As to your question – I don’t fully understand what are you talking about but the thing is that you will create new interface on the host OS so it should be possible to adjust your routing table to allow certain prefixes go through the VPN and certain through the unencrypted connection.
But as I am no windows expert (and I have no intentions being one) I cannot tell for sure – it is just common sense that as the host OS decides what will go where so adjusting it should work. Anyway if you want to build an VPN concentrator you should buy a dedicated machine that was build for that purpose (Checkpoint’s firewall with it’s own client is one example or the Juniper’s SSL solution which is great and widely used and there are others like FortiNet or even OpenVPN etc.)

By: TKL

TKL — Mon, 22 Mar 2010 00:37:57 +0000

If it is very nice now, what was nice before? It is absurd as it gives no way of connecting clients to real network, so it requires routing which in fact disables usage for access of specific devices on a single subnet but nothing else.
In short – useless for anything else but default gateway vpn. Or am I missing anything?

By: tnk

tnk — Fri, 29 Jan 2010 16:24:04 +0000

OK so I checked with Microsoft knowledge-base and the thing is like this:
“When the ProhibitIpSec registry value is set to 1, your Windows 2000-based computer does not create the automatic filter that uses CA authentication. Instead, it checks for a local or Active Directory IPSec policy.”
which is actually what we need right ?

By: tnk

tnk — Fri, 29 Jan 2010 16:18:58 +0000

Well I think you might be right about that value. It seems more logical for it to be set to 0. I dug this from some very old script of mine and probably mixed the desired and default value :) Thanks for pointing that out I’ll verify it and update the article.

By: mHuba

mHuba — Fri, 29 Jan 2010 16:06:57 +0000

Hi, this configuration dosn’t encrypt anything !!!
Tunel work without IPSec, You some switchoff this protocol on Windows ;) by set reg Prohibit Ip Sec = 1 !!!!