The Windows 2000\XP\.NET Resource Index

Last Updated December 16, 2003

IPSec Resources for Windows 2000

IPSec provides secure gateway-to-gateway connections across outsourced private wide area network (WAN) or Internet-based connections using L2TP/IPSec tunnels or pure IPSec tunnel mode. Designed by the Internet Engineering Task Force (IETF) as the security architecture for the Internet Protocol (IP), IPSec defines IP packet formats and related infrastructure to provide end-to-end strong authentication, integrity, anti-replay, and (optionally) confidentiality for network traffic. 
Where to Start

Description of the IPSec Policy Created for L2TP/IPSec
Microsoft Knowledge Base Article: 248750 - Windows 2000 automatically creates an IP Security Protocol (IPSec) policy for use with Layer 2 Tunneling Protocol (L2TP)/IPSec connections. This IPSec policy uses local computer certificates for mutual authentication.

IPSec Architecture
Sample Chapter 4 of IPSec: The New Security Standard for the Internet, Intranets and Virtual Private Networks (Prentice Hall PTR). This chapter discusses the IPSec architecture in detail. This includes the various components of IPSec, how they interact with each other, the protocols in the IPSec family, and the modes in which they operate. Source:

IPSec Implementation
Sample Chapter 9 of IPSec: The New Security Standard for the Internet, Intranets and Virtual Private Networks (Prentice Hall PTR). This chapter discusses the implementation issues of IPSec. These include the interaction of the various components of IPSec, the interfaces that each of these components provides, and a walk through the packet processing for both inbound and outbound packets. Source:

IP Security
A look at the IPsec Protocol Suite. Source: Network Magazine. 

IP Security for Windows 2000 Server
This article provides an overview of IPSec support in Windows 2000 and the reasons why upgrading to Windows 2000 Server provides the protections of integrity, authentication, and confidentiality without having to upgrade applications or train users.

IP Security for Local Communications Systems
Discusses how IP Security works and how to implement IPSec policy in Windows 2000. This white paper is one of a series. Best Practices for Enterprise Security contains a complete list of all the articles in this series. See also the Security Entities Building Block Architecture. Source:

IPSec Overview
From CyLan, a white paper providing an introduction to IPSec and the need for it in networking products. It also discusses details of the different features specified in the standard. Source: CyLan

Securing Windows 2000 Communications with IP Security Filters, Part One
This article is the first of a two-part series that will describe the various methods of implementing Windows 2000 IP Security filters that are integrated with IPSEC communications. The series will attempt to describe the function of the features available, how to configure them and how to troubleshoot the installations. It will conclude with recommendations of how to implement each type of IP Security configuration in different scenarios. Source:

Step-by-Step Guide to Internet Protocol Security (IPSec)
This guide focuses on the fastest way to use IPSec transport mode to secure application traffic between a client and a server. It demonstrates how to enable security using IPSec default policies between two Windows 2000-based systems that belong to a Windows 2000 domain. Source:

Traffic That Can--and Cannot--Be Secured by IPSec 
Microsoft Knowledge Base Article: 253169 - IP Security Protocol (IPSec) in Windows 2000 is designed to secure IP traffic between two computers that communicate by using their IP addresses. It uses filters defined in an IPSec policy to classify IP packets.

Using IPSec to Lock Down a Server
The Windows 2000 IPSec policy engine provides a very effective means to secure a network interface. If you have a server that isn't protected by a firewall or router with good access control lists, the procedure described here is a must for ensuring that the server remains secure. And even if one or more layers of defense protect your server, this procedure adds an effective additional layer, increasing your network's "defense in depth." Source:

Windows 2000 Server IP Security
Internet Protocol Security (IPSec) is a framework of open standards for ensuring private, secure communications over Internet Protocol (IP) networks, through the use of cryptographic security services. This site contains links to a series of articles, resources, and related Web sites about IPSec. Source:

Articles, Whitepapers, and Online Courses

Active Directory Replication over Firewalls
This Microsoft Service Providers article describes how to configure IPSec policies to protect Active Directory replication traffic when the domain controllers are separated by a firewall. Source:

Active Directory in Networks Segmented by Firewalls
This white paper describes best practices for deploying Active Directory domain controllers in segmented networks and includes detailed procedures for configuring IPSec policies to protect Active Directory traffic between domain controllers on opposite sides of a firewall and recommended practices for managing IPSec policies that are assigned to domain controllers.  Source:

Administrator's Guide to Microsoft L2TP/IPSec VPN Client
The Microsoft L2TP/IPSec VPN Client is a free Web download that allows computers running Windows 98/ME and Windows NT Workstation 4.0 to use Layer Two Tunneling Protocol (L2TP) connections with Internet Protocol Security (IPSec). This article provides an overview of L2TP/IPSec VPN connections and includes instructions about how to deploy and troubleshoot the Microsoft L2TP/IPSec VPN Client.

Assigning IPSec Policy
Provides information about creating and modifying IPSec policy for both local computers and domains with the IP Security Policies snap-in available in Microsoft Management Console (MMC). Source:

Client-to-Domain Controller and Domain Controller-to-Domain Controller IPSec Support
Microsoft Knowledge Base Article: 254949 - Using IP Security (IPSec) to protect traffic from a domain member to the domain controller is currently not supported in Windows 2000 because it is not possible for non-domain computers to get the initial IPSec policy from the domain controller once a domain controller (DC) requires IPSec to communicate, and because domain member computers cannot use Kerberos as the IPSec/IKE authentication method to authenticate IKE with their domain controller and with trusted domain controllers on the domain in all cases. (updated 9/19/2000)

Configuring IPSec to Handle Trusted and Untrusted Domain Authentication
Microsoft Knowledge Base Article: 248694 - Computers that need to use IP Security Protocol (IPSec) for secure communications must authenticate themselves before establishing an IPSec session. If the computers are part of a Windows 2000-based domain, you can use Kerberos authentication, which is the default authentication protocol.

Customizing IPSec
A four-part article by Brien Posey explaining how to customize the IPSec protocol. Source:

Disabling IPSEC Policy Used with L2TP
Microsoft Knowledge Base Article: 258261 - The RemoteAccess and PolicyAgent services create a policy that is used for L2TP traffic because L2TP does not provide encryption. Under some conditions, it may be useful to disable this policy.

Download details: ipsecpol.exe: IPSEC Policy Configuration Tool
This tool is used to configure IP Security policies in the Directory Service or in a local or remote registry. It does everything that the IP Security MMC snap-in does and is even modeled after the snap-in.
Source: Microsoft Technet

HOW TO: Clear Existing IPSec Security Associations in Windows 2000 
Microsoft Knowledge Base Article: 313236 - When you troubleshoot Internet Protocol security (IPSec) configuration problems, you may have to clear existing security associations. For example, you may have to clear existing IPSec security associations in any of the following situation 

How to Configure Cisco IOS for L2TP/IPSec in Windows 2000
Microsoft Knowledge Base Article: 249067 - This article explains two changes you need to make to Cisco Internetwork Operating System (IOS) (in addition to the standard L2TP/IPSec configuration on the Cisco router) to be able to establish an L2TP session with a Windows 2000 host computer.

How to Configure IPSec Tunneling in Windows 2000
Microsoft Knowledge Base Article: 252735 - You can use IP Security (IPSec) in tunnel mode to encapsulate Internet Protocol (IP) packets and optionally encrypt them. The primary reason for using IPSec tunnel mode (sometimes referred to as "pure IPSec tunnel") in Windows 2000 is for interoperability with third-party routers or gateways that do not support Layer 2 Tunneling Protocol or PPTP.

How to Configure a L2TP/IPSec Connection Using Pre-shared Key Authentication
Microsoft Knowledge Base Article: 240262 - Windows 2000 automatically creates an Internet Protocol Security (IPSec) policy to be used with Layer 2 Tunneling Protocol (L2TP)/IPSec connections that requires a certificate for Internet Key Exchange (IKE) authentication.

HOW TO: Disable the Automatic L2TP/IPSec Policy 
Microsoft Knowledge Base Article: 310109 - This step-by-step article describes how to disable the automatic Layer Two Tunneling Protocol (L2TP)/Internet Protocol security (IPSec) policy. 

How to Enable IPSec Traffic Through a Firewall
Microsoft Knowledge Base Article: 233256 - IP Security (IPSec) is used to securely transmit data between computers. It is implemented at the Networking layer (Layer 3) of the Open Systems Interconnection (OSI) model. This provides protection for all IP and upper-layer protocols

How to Install a Certificate for Use with IP Security
Microsoft Knowledge Base Article: 253498 - When IP Security (IPSec) is configured to use a Certificate Authority (CA) for mutual authentication, you must obtain a local computer certificate. 

HOW TO: Use Internet Protocol Security to Secure Network Traffic Between Two Hosts
Microsoft Knowledge Base Article: 301284 - This article is a step-by-step instruction guide to enable advanced users to configure Internet Protocol security (IPSec) so that they can secure the communications between two host computers.

HOW TO: Use IPSec Policy to Secure Terminal Services Communications in Windows 2000 
Microsoft Knowledge Base Article: 315055 - You can use Windows 2000 Terminal Services to gain access to programs in a multiple-user Terminal server environment. Communications between the Terminal Services client computer and the server that has Terminal Services enabled can contain 

IPSec Is Not Designed for Failover 
Microsoft Knowledge Base Article: 306677 - Although you can use Internet Protocol security (IPSec) with a cluster, Windows Load Balancing Service (WLBS), or Network Load Balancing (NLB) and Server Clusters (MSCS), IPSec was not designed for failover situations. (updated 132002) 

Ipsecmon.exe May Display Incorrect Information
Microsoft Knowledge Base Article: 256284 - When you use the IP Security Monitor (Ipsecmon.exe) tool on the Responder side of an IP Security Protocol (IPSec) connection to view information about a security association (SA), the Main-mode SA information that is displayed may be incorrect.

Using the IP Security Monitor Tool to View IPSec Communications
Microsoft Knowledge Base Article: 231587 - Administrators can use the IP Security Monitor tool to confirm whether IP Security (IPSec) communications are successfully secured. The tool can show how many packets have been sent over the Authentication Header (AH) or Encapsulating Security.

Windows 2000 L2TP/IPSec Interoperation with Third-Party Manufacturers
Microsoft Knowledge Base Article: 254442 - Windows 2000 is compliant with Request for Comments (RFC) 2661 ("Layer Two Tunneling Protocol"). RFC 2661 indicates that Layer 2 Tunneling Protocol (L2TP) traffic can be secured with IP Security Protocol (IPSec), but does not provide detailed

Working With IPSec Policies
IPSec is slower than a normal IP packet because of the larger packet size and the overhead required for encryption and decryption. The larger packet size also means that IPSec can consume more network bandwidth than traditional IP packets. Fortunately, using IPSec isn't an all-or-nothing situation. There are ways of telling Windows which communications need to be performed through IPSec and which communications can be sent through traditional packets. Such rules can be established through the use of IPSec policies. This article will introduce you to the concept of IPSec policies, and explain how to implement various types of IPSec policies in your organization. Source:


Basic IPSec Troubleshooting in Windows 2000
Microsoft Knowledge Base Article: 257225 - Provides guidelines to troubleshoot Internet Protocol Security (IPSec) connection problems in Microsoft Windows 2000. Please refer to the documents listed in the "More Information" section for additional information 

Troubleshooting IP Security Problems
Microsoft has included a new service called IP Security with Windows 2000 that offers machine-based authentication. But before you use the service, you should know how to troubleshoot IPSec to ensure that it's working properly in your environment. Source: Windows & .NET Magazine

Basic L2TP/IPSec Troubleshooting in Windows 2000
Microsoft Knowledge Base Article: 259335 - Provides information that helps troubleshoot Layer-Two Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec) in Microsoft Windows 2000.

Connectivity to IPSec Clients May Be Lost When You Enable Packet Filters on Server
Microsoft Knowledge Base Article: 257949 - After you enable packet filters on the server, connectivity to IP Security (IPSec) clients may be lost.

Excess Padding May Cause IPSec ESP Packet Loss with Third-Party Implementations 
Microsoft Knowledge Base Article: 276360 - After you successfully establish an IP Security Protocol (IPSec) Encapsulating Security Protocol (ESP) security association (either a transport or tunnel) between a computer that is running Windows 2000 Service Pack 1 (SP1) and a third-party IPSec implementation, certain packet sizes may be dropped upon being received on the Windows 2000 SP1-based computer. Other ESP traffic for the same IPSec security association is received normally. If you uninstall SP1, the problem does not occur; all IPSec ESP traffic flows correctly. The problem does not occur when you use IPSec ESP to secure traffic between Windows 2000 (the original retail release) and Windows 2000 SP1 (see the "Cause" section); it occurs only with some third-party implementations of IPSec.

IPSec Does Not Secure Kerberos Traffic Between Domain Controllers
Microsoft Knowledge Base Article: 254728 - The IP Security Protocol (IPSec) does not secure Kerberos or RSVP traffic between Windows 2000 domain controllers, even when the IPSec policy filter is configured to match all IP traffic between the two IP addresses.

IPSec and IP-to-IP Tunnels Do Not Work with Routing Protocols Such as RIP and OSPF
Microsoft Knowledge Base Article: 227523 - Routing protocols such as Routing Information Protocol (RIP), RIP version 2, and Open Shortest Path First (OSPF) cannot be used with IP Security (IPSec) or IP-to-IP tunnels.

IPSec Offload Statistics Are Not Available
Microsoft Knowledge Base Article: 255857 - The netdiag command does not display the IP Security Protocol (IPSec) offload statistics for a network adapter that has IPSec offload capabilities. 

The Ipsecpol.exe Tool May Run Slowly
Microsoft Knowledge Base Article: 275187 - The Microsoft Windows 2000 Resource Kit Ipsecpol.exe tool may run very slowly. This issue can occur when you are creating many IP Security (IPSec) objects (roughly 1,000).

IP Security Over ATM Does Not Work with HTTP and FTP in Windows 2000 
Microsoft Knowledge Base Article: 313262 - When you are using IP Security with an ATM adapter, HTTP and FTP may not work. For example, FTP may return extended ASCII characters. This is not specific to ATM LANE, but to any driver or Intermediate Miniport (IM) driver that uses NDIS_MAC_OPTION_COPY_LOOKAHEAD_DATA.

Unable to Configure IP Security Using the Unattend.exe Utility 
Microsoft Knowledge Base Article: 227339 - When you automate the installation of Windows 2000 using the unattended installation method, you are unable to configure the Transport Control Protocol/Internet Protocol (TCP/IP) Internet Protocol security (IPSec) settings

Your Computer May Log Several Security Parameters Index Events Upon Restart
Microsoft Knowledge Base Article: 257746 - After you shut down and then restart a Windows 2000-based computer that has IP Security Protocol (IPSec) security association (SA) connections established with other computers, you may see several Security Parameters Index (SPI) events listed in the System log of your Windows 2000-based computer.

Entire contents
© 1999-2003 and TechTarget
All rights reserved