Article ID: 885348 - View products that this article applies to.
We do not recommend Internet Protocol security (IPSec) network address translation (NAT) traversal (NAT-T) for Windows deployments that include VPN servers and that are located behind network address translators. When a server is behind a network address translator, and the server uses IPSec NAT-T, unintended side effects may occur because of the way that network address translators translate network traffic.
Additionally, the default behavior of Microsoft Windows XP has changed with Service Pack 2 (SP2). IPSec NAT-T security associations to servers that are located behind network address translators are not recommended for Windows XP SP2-based computers. This change means that a Microsoft Windows Server 2003-based virtual private network (VPN) server that uses Layer Two Tunneling Protocol with IPSec (L2TP/IPSec) cannot be deployed behind a network address translator without additional configuration for Windows XP SP2-based VPN clients.
If you require IPSec for communication, we recommend that you use public IP addresses for all servers that you can connect to directly from the Internet. Windows-based client computers that support IPSec NAT-T can be located behind a network address translator.
NAT is a widely used technology that enables more than one computer to share a single public IP address. Network address translators map private addresses that are used on the following private networks to public IP addresses that are used on the Internet:
10.0.0.0/8If you put a server behind a network address translator, you may experience connection problems because clients that connect to the server over the Internet require a public IP address. To reach servers that are located behind network address translators from the Internet, static mappings must be configured on the network address translator. For example, to reach a Windows Server 2003-based computer that is behind a network address translator from the Internet, configure the network address translator with the following static network address translator mappings:
However, if you have a Windows Server 2003-based VPN server, we recommend that you assign a public IP address to the VPN server. By assigning a public IP address to the VPN server, you can avoid situations where IP traffic is either lost or accidentally forwarded to the incorrect location because of typical network address translator behavior.
Windows XP SP2 does not support establishing IPSec NAT-T security associations to servers behind NAT devicesWe have changed the default behavior of IPSec NAT-T in Windows XP Service Pack 2 (SP2). Windows XP SP2 does not support an IPSec NAT-T security association to a server that is located behind a device or component that performs network address translation. This change has been made to avoid a perceived security risk in the following situation:
The default behavior of Windows XP SP2 can be changed to enable IPSec NAT-T security associations to servers that are located behind a network address translator. We do not recommend that you change the default behavior.
For more information about Windows XP SP2 and IPSec NAT-T-based security associations, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/885407/ )The default behavior of IPSec NAT traversal (NAT-T) is changed in Windows XP Service Pack 2
Article ID: 885348 - Last Review: October 30, 2006 - Revision: 2.2