RE: ipsec and win2k



Hit reply too soon, I meant to add that tunnel configuration is detailed in KB article #Q252735.  Since I'm posting, I'll add the following text that I keep mailing individually to people.  I apologize to the rest of you who already know this.

More detail on IPSec in Windows 2000 is available in:
http://support.microsoft.com/support/kb/articles/Q265/1/12.ASP

PLEASE NOTE: Windows 2000's VPN client ONLY supports PPTP and L2TP/IPSec for client VPN remote access.  The L2TP/IPSec VPN client requires by default a machine certificate.  While there is a registry key to disable the automatic IPSec policy that L2TP uses, we do not support this method of configuring a _client_ for VPN remote access.  The KB article that provides documentation for this registry key explains this.  There are many potential security risks & interoperability issues in operationally using static filters and a preshared authentication key to establish IPSec to the L2TP gateway - so we only support the integrated mode of operation.  Likewise, using IPSec tunnels on Win2k laptops for remote access would not be supported (by the Win2k IPSec implementation) to other vendors. This is documented in the VPN whitepapers:

http://www.microsoft.com/windows2000/library/howitworks/communications/remoteaccess/default.asp

You can save yourself a lot of trouble by using certificates for the L2TP/IPSec client.  General IPSec transport and tunnel configurations (where you configure IPSec policy manually) can use any of 3 authentication methods.  Most major CA vendors have web pages and other enrollment methods for you to get a certificate into the machine store on the win2k client.  If you want to test win2k L2TP/IPSec with certificates, use the procedure in my walkthrough document below which provides links to the publicly available Microsoft test CAs.  For gateways you can do cut & paste of PKCS#10 & #7, and they support SCEP, provided in the Windows 2000 Resource Kit.

The IPSec tunnel mode in win2k is negotiated using IKE RFC 2409's tunneling capability - which does not provide address assignment necessary for remote access applications.  As most IPSec vendors know, but most casual observers on the list don't, many vendors have made proprietary and/or non-RFC extensions to IKE to make it useful for IPSec tunneling in remote access scenarios.  This involves support for the drafts commonly referred to as IKECFG (mode config) and XAUTH.  Win2k's IKE does not support these extensions. 

For those vendors which do not provide L2TP/IPSec gateway functionality, and thus do not work with the native Windows 2000 L2TP/IPSec client, they provide their own IPSec-based remote access client.  In most cases you need to get a version of the client that works on Windows 2000.

However, when win2k end systems and Win2k gateways have static IP addresses - they could be configured (by network admins who understand IPSec, not end-users) to use IPSec tunneling to another IPSec gateway.  This should interoperate in at least simple configurations with most other gateways.  A number of demonstrations over the last year have shown this interoperability.

Please send me private email if you need clarification.  But please do not ask if win2k interoperates with vendor xxx doing yyy.  There are over 200,000 combinations of IPSec/IKE configurations between two peers.  We use KB articles to document known cases where special configuration is required to work with another vendor.  The KB article Q265112 contains the news groups which provide user support for configuration if you are unable to reach a technical support engineer.  If you have successfully configured two different products to work together, then I'd be happy to receive the configuration steps to assist our support engineers. 

(and yes, I configured outlook to do plain text, but apparently some extra formatting is present.  I apologize if this causes your reader problems.)

Wm
William Dixon
Program Manager - Network Security
Windows Operating Systems Division
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399
Email: WDixon@microsoft.com (preferred), Work: 425-703-8729

Feb '00 Windows 2000 IPSec end-to-end walkthrough & mini-whitepaper (which covers IKE's use of certificates): http://www.microsoft.com/windows2000/library/technologies/security/default.asp


-----Original Message-----
From: William Dixon
Sent: Wednesday, September 27, 2000 1:30 PM
To: 'Michael Milbach'; ipsec@lists.tislabs.com
Subject: RE: ipsec and win2k


See http://support.microsoft.com KB article


-----Original Message-----
From: Michael Milbach [mailto:mmilbach@mentortech.com]
Sent: Thursday, September 21, 2000 12:55 PM
To: ipsec@lists.tislabs.com
Subject: ipsec and win2k


Can anyone please point me to some documentation on IPsec Tunneling between
two win2k boxes.  I already have been through M$'s support, and have some
information, but the one Tunneling example given is for one unique
circumstance with little explanation.  Any direction would be appreciated.

TIA

Michael
*******************
Michael Milbach
Mentor Technologies Group

Cell:    240-460-0073
Office:  301-680-3562

*******************
Mentor Technologies Group:
We're high tech, high touch, high performance; the total learning solutions
company.