Routing and Remote Access Services encryption options for the L2TP/IPsec protocol on a Windows Server 2008-based Network Policy Server (NPS)

This article describes the Routing and Remote Access Services encryption options for the Layer Two Tunneling Protocol with IPsec (L2TP/IPsec) on a Windows Server 2008-based Network Policy Server (NPS) and also how to configure the strongest encryption for an IPsec policy.

The following are the Routing and Remote Access Services encryption options that are available for L2TP/IPsec.

No encryption

• ESP SHA1
• ESP MD5
• AH SHA1
• AH MD5

Optional encryption

• ESP AES_128 SHA
• ESP 3_DES MD5
• ESP 3_DES SHA
• AH SHA1 with ESP AES_128 with null HMAC
• AH SHA1 with ESP 3_DES with null HMAC
• AH MD5 with ESP 3_DES with null HMAC, no lifetimes proposed
• AH SHA1 with ESP 3_DES SHA1, no lifetimes
• AH MD5 with ESP 3_DES MD5, no lifetimes
• ESP DES MD5
• ESP DES SHA1, no lifetimes
• AH SHA1 with ESP DES null HMAC, no lifetimes proposed
• AH MD5 with ESP DES null HMAC, no lifetimes proposed
• AH SHA1 with ESP DES SHA1, no lifetimes
• AH MD5 with ESP DES MD5, no lifetimes
• ESP SHA, no lifetimes
• ESP MD5, no lifetimes
• AH SHA, no lifetimes
• AH MD5, no lifetimes

Requires encryption

• ESP AES_128 SHA
• ESP 3_DES MD5
• ESP 3_DES SHA
• AH SHA1 with ESP AES_128 with null HMAC
• AH SHA1 with ESP 3_DES with null HMAC
• AH MD5 with ESP 3_DES with null HMAC, no lifetimes proposed
• AH SHA1 with ESP 3_DES SHA1, no lifetimes
• AH MD5 with ESP 3_DES MD5, no lifetimes
• ESP DES MD5
• ESP DES SHA1, no lifetimes
• AH SHA1 with ESP DES null HMAC, no lifetimes proposed
• AH MD5 with ESP DES null HMAC, no lifetimes proposed
• AH SHA1 with ESP DES SHA1, no lifetimes
• AH MD5 with ESP DES MD5, no lifetimes

Strong encryption

• ESP AES_256 SHA, no lifetimes
• ESP 3_DES MD5, no lifetimes
• ESP 3_DES SHA, no lifetimes
• AH SHA1 with ESP AES_256 with null HMAC, no lifetimes proposed
• AH SHA1 with ESP 3_DES with null HMAC, no lifetimes proposed
• AH MD5 with ESP 3_DES with null HMAC, no lifetimes proposed
• AH SHA1 with ESP 3_DES SHA1, no lifetimes
• AH MD5 with ESP 3_DES MD5, no lifetimes

Strongest encryption

• ESP AES_256 SHA, no lifetimes
• ESP 3_DES MD5, no lifetimes
• ESP 3_DES SHA, no lifetimes
• AH SHA1 with ESP AES_256 with null HMAC, no lifetimes proposed
• AH SHA1 with ESP 3_DES with null HMAC, no lifetimes proposed
• AH MD5 with ESP 3_DES with null HMAC, no lifetimes proposed
• AH SHA1 with ESP 3_DES SHA1, no lifetimes
• AH MD5 with ESP 3_DES MD5, no lifetimes

How to configure the strongest encryption for an IPsec policy

To configure the strongest encryptions for an IPsec policy, follow these steps:

1. Start the Network Policy Server (NPS) console. To do this, click Start, type Network Policy Server in the Start Search box, and then click Network Policy Server.
2. Under NPS(Local), expand Policies, click Network Policies in the left navigation pane, and then select the relevant policy in the right navigation pane.
3. Double-click the policy, and then click the Settings tab.
4. In the Settings area, click Encryption under Routing and Remote Access.
5. Click to select the Strongest encryption (MPPE 128-bit) check box.
6. Click Apply, and then click OK to apply the strongest encryption.