L2TP/IPsec NAT-T update for Windows XP and Windows 2000

Summary

Microsoft has released an update package to enhance the current functionality of Layer Two Tunneling Protocol (L2TP) and Internet Protocol security (IPsec) on computers that run Microsoft Windows 2000, Microsoft Windows XP without service packs installed, and Windows XP with Service Pack 1 (SP1).This functionality is included in Windows XP Service Pack 2 (SP2). Computers that run Windows XP with a service pack do not have to install this update package.

This update includes improvements to IPsec to better support virtual private network (VPN) clients that are behind network address translation (NAT) devices. If you apply this update to a computer that is running Windows XP, and if the IPsec service encounters a runtime error and cannot start for any reason, the IPsec driver operates in block mode because it cannot secure network traffic.

Note The IPsec service appears as "IPSEC services" in the list of system services.

For more information about the latest service pack for Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Article contents

More Information

New IPsec features and Management and Monitor snap-ins

  • After you install this update, Windows 2000 and Windows XP-based L2TP/IPsec clients can create IPsec connections from behind a NAT device. The new IPsec NAT-T functionality is based on the IETF Requests for Comments (RFC) 3193 and version 2 of the original IETF IPsec NAT-T Internet drafts. Windows XP clients that have SP2 also have this enhanced connectivity option. IPsec NAT-T is currently specified in RFCs 3947 and 3948.
  • The updated IPsec Monitor snap-in can view computers that are running Windows XP, but only if the Windows XP-based computer has SP2 installed.
  • The updated IPsec Monitor snap-in can view computers that are running Microsoft Windows Server 2003. Similarly, Windows Server 2003 can monitor Windows XP-based computers that have SP2 installed.
  • Computers that are running Windows 2000 cannot be monitored with this snap-in.
  • The new IPsec Management snap-in switches to read-only mode when it encounters policy objects that contain advanced features that were created in Windows Server 2003 (for example, DH2048, Certificate Mapping, or dynamic filters). This behavior causes the snap-in objects (for example, rules, filter lists, or main mode offerings) to become uneditable if they contain references to these new settings. The IPsec Management snap-in switches to read-only mode so that it cannot accidentally remove critical advanced features.
  • The updated IPsec services on Windows XP-based computers can expose most of the new features that are provided in a Windows Server 2003 policy.

    Note Certificate Mapping is not available.
  • If an earlier version of the IPseccmd tool is installed on a Windows XP-based computer (this tool is not available in Windows 2000), an updated IPseccmd is installed in the drive:\Program Files\Support Tools folder.

    The updated IPseccmd has the following features:
    • It dynamically turns Internet Key Exchange (IKE) logging on and off.
    • It displays information about a currently assigned policy.
    • It lets you create a persistent IPsec policy.
    Note The earlier version of IPseccmd does not work on updated computers, and the updated IPseccmd does not work on computers that are not updated.
back to the top

Interoperability and known issues

IPsec NAT-T and firewall rules

Because the support for IPsec NAT-T functionality is based on IETF RFC 3193 and version 2 of the original IETF NAT-T Internet drafts, for these services to run through a firewall, you may have to open the following ports and protocols in the firewall rules:
  • Internet Key Exchange (IKE) - User Datagram Protocol (UDP) 500
  • IPsec NAT-T - UDP 4500
  • Encapsulating Security Payload (ESP) - Internet Protocol (IP) protocol 50

Supported scenarios using IPsec NAT-T

The following scenarios will successfully allow for L2TP/IPsec-based IPsec NAT-T connections. In these scenarios, Client is a client that is running Windows 2000 and that has update 818043 installed or is a Windows XP-based computer that has SP2 installed. Server is an L2TP/IPsec server that is running Windows Server 2003 and that is using Routing and Remote Access.
Client----> NAT ----Internet---->Server

The only supported and recommended scenario is when the Server is not located behind a NAT device.
The L2TP/IPsec server may also be a third-party gateway product that supports NAT-T connections.

Note If you apply update 818043 to a Windows 2000-based server that is using Routing and Remote Access, the server cannot function as an L2TP/IPsec server in this scenario. It cannot allow for connections from L2TP/IPsec clients that are behind one or more NAT devices. This update is a client-side update only. Server-side IPsec NAT-T functionality is a new feature in Windows Server 2003 Routing and Remote Access only. IPsec NAT-T server-side support will not be added to Windows 2000 Routing and Remote Access.

Diffie-Hellman Group 2048 update

For L2TP/IPsec clients to negotiate and use the Diffie-Hellman Group 2048 update, the remote access server being contacted must also support this group.

Note To use Diffie-Hellman 2048, if your computer is running Windows Server 2003, you must create a registry subkey. To do this, follow these steps:
  1. Click Start, click Run, type regedit, and then click
    OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
  3. On the Edit menu, point to
    New, and then click DWORD Value.
  4. Type NegotiateDH2048, and then press ENTER.
  5. Right-click NegotiateDH2048, and then click Modify.
  6. In the Value data box, type
    1, and then click OK.
  7. On the Registry menu, click
    Exit.

Other

  • IPsec offload hardware
    IPsec offload network adaptors do not offload security associations that were created by using NATs.
  • New features are not displayed correctly
    New features that were enabled by using a Windows Server 2003 IPsec policy may not be correctly displayed in the IPsec monitor. Most notably, the DH2048 group is displayed as 268435457, and dynamic-filter names (for example, WINS or DHCP) are not displayed at all (the column is blank).
  • The IKE component of the Windows implementation of IPsec uses an extended Winsock API function whose function pointer is determined by calling WSAIoctl(). If this function call cannot pass through any installed Layered Service Provider (LSP), IPsec cannot listen on the IKE port. IPsec interprets this as a failure of the component and reacts accordingly (that is, a "Fail to a Secure Mode" message is returned). The IKE component's inability to pass through an LSP may be caused by an installed third-party program.
back to the top
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. To change the IPsec NAT-T behavior for a computer that is running Windows XP SP2, you must create the AssumeUDPEncapsulationContextOnSendRule registry value.

By default, Windows XP SP2 no longer supports IPsec NAT-T security associations to servers that are located behind a network address translator. Therefore, if your virtual private network (VPN) server is behind a network address translator, by default, a Windows XP SP2-based VPN client cannot make a L2TP/IPsec connection to the VPN server. This scenario includes a VPN server that is running Microsoft Windows Server 2003.

This default behavior can also prevent computers that are running Windows XP SP2 from making Remote Desktop connections with L2TP/IPsec when the destination computer is located behind a network address translator.

Because of the way that network address translators translate network traffic, you may experience unexpected results when you put a server behind a network address translator and then use IPsec NAT-T. Therefore, if you require IPsec for communication, we recommend that you use public IP addresses for all servers that you can connect to directly from the Internet.

To create and configure the AssumeUDPEncapsulationContextOnSendRule registry value, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. In the New Value #1 box, type
    AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
  5. Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
  6. In the Value Data box, type one of the following values:
    • 0 (default)
      A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind network address translators.
    • 1
      A value of 1 configures Windows so that it can establish security associations with servers that are located behind network address translators.
    • 2
      A value of 2 configures Windows so that it can establish security associations when both the server and the Windows XP SP2-based client computer are behind network address translators.
  7. Click OK, and then quit Registry Editor.
  8. Restart the computer.
back to the top

Windows XP service pack information

This feature is available in the latest service pack for Windows XP (SP2). For more information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

back to the top

Windows 2000 Update

To download this update for Windows 2000, go to the following Microsoft website to use the Microsoft Update Catalog:  Search for the ID number of this article by using the Advanced Search Options feature in the Microsoft Update Catalog. To do this, follow these steps:
  1. On the Microsoft Windows Update website, click Find updates for Microsoft Windows operating systems.
  2. Click to select your operating system and language, and then click Advanced Search.

    Note You must select either Windows 2000 Professional Service Pack 3 or Windows 2000 Professional Service Pack 4. If you select a different operating system, the update is not returned in the search.
  3. In the Contains these words box, type 818043, and then click Search.
For more information about how to download updates from the Windows Update Catalog, click the following article number to view the article in the Microsoft Knowledge Base:

323166 How to download updates that include drivers and hotfixes from the Windows Update Catalog

Prerequisites

This update package is designed to be installed on computers that are running Windows 2000 with Service Pack 3 (SP3) or later versions.

Restart requirement

This update package requires that you restart your computer to enable the new IPsec features.

Update replacement information

This update does not replace any other updates.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Date Time Version Size File name
----------------------------------------------------------------
18-Sep-2000 19:01 5.0.2195.1569 33,616 Fips.sys
21-Apr-2003 15:19 5.0.2195.6738 80,848 Ipsec.sys
21-Apr-2003 15:19 5.0.2195.6738 29,456 Ipsecmon.exe
21-Apr-2003 15:21 5.0.2195.6738 390,928 Netdiag.exe
01-May-2003 21:39 5.0.2195.6738 417,552 Oakley.dll
01-May-2003 21:39 5.0.2195.6738 96,528 Polagent.dll
01-May-2003 21:39 5.0.2195.6738 137,488 Polstore.dll
01-May-2003 21:39 5.0.2195.6738 58,128 Rasman.dll
01-May-2003 21:39 5.0.2195.6738 153,360 Rasmans.dll
01-May-2003 21:39 5.0.2195.6738 54,032 Rastapi.dll
21-Apr-2003 15:19 5.0.2195.6738 80,848 Ipsec.sys (56-bit)
back to the top

References

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

314067 How to troubleshoot TCP/IP connectivity with Windows XP

257225 Basic IPsec troubleshooting in Microsoft Windows 2000 Server

816915 New file naming schema for Microsoft Windows software update packages

back to the top
Properties

Article ID: 818043 - Last Review: Jun 20, 2014 - Revision: 1

Microsoft Windows XP Professional, Microsoft Windows XP Home Edition, Microsoft Windows 2000 Professional Edition

Feedback