IPSec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators
Additionally, the default behavior of Microsoft Windows XP has changed with Service Pack 2 (SP2). IPSec NAT-T security associations to servers that are located behind network address translators are not recommended for Windows XP SP2-based computers. This change means that a Microsoft Windows Server 2003-based virtual private network (VPN) server that uses Layer Two Tunneling Protocol with IPSec (L2TP/IPSec) cannot be deployed behind a network address translator without additional configuration for Windows XP SP2-based VPN clients.
If you require IPSec for communication, we recommend that you use public IP addresses for all servers that can be connected to directly from the Internet. Windows-based client computers that support IPSec NAT-T can be located behind a network address translator. If a server must nevertheless be placed behind a network address translator, the translator requires static mappings that forward:
- Public IP address/UDP port 500 (IKE) to the server's private IP address/UDP port 500.
- Public IP address/UDP port 4500 (IPSec NAT-T) to the server's private IP address/UDP port 4500.
However, if you have a Windows Server 2003-based VPN server, we recommend that you assign a public IP address to the VPN server. By assigning a public IP address to the VPN server, you can avoid situations where IP traffic is either lost or accidentally forwarded to the incorrect location because of typical network address translator behavior.
Windows XP SP2 does not support establishing IPSec NAT-T security associations to servers behind NAT devices
We have changed the default behavior of IPSec NAT-T in Windows XP Service Pack 2 (SP2). Windows XP SP2 does not support an IPSec NAT-T security association to a server that is located behind a device or component that performs network address translation. This change has been made to avoid a perceived security risk in the following situation:
- A network address translator is configured to map IKE and IPSec NAT-T traffic to a server on a NAT-configured network. (This server is Server 1.) The network address translator mappings are the ones that we recommend in this article.
- A client from outside the NAT-configured network uses IPSec NAT-T to establish bidirectional security associations with Server 1. (This client is Client 1.)
- A client on the NAT-configured network uses IPSec NAT-T to establish bidirectional security associations with Client 1. (This client is Client 2.)
- A condition occurs that causes Client 1 to re-establish the security associations with Client 2. Because the static network address translator mappings direct IKE and IPSec NAT-T traffic to Server 1, the IPSec security association negotiation traffic that Client 1 sends to Client 2 may be misrouted to Server 1.
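The following simulation is an added example and is not part of the original article or of any Microsoft code. It models a network address translator with the static UDP 500/4500 mappings recommended above plus ordinary dynamic mappings for outbound traffic, and walks through the four-step scenario: once the dynamic mapping that Client 2 created has aged out, a fresh IKE negotiation from Client 1 addressed to the public IP on port 500 can only match the static mapping, so it is delivered to Server 1 instead of Client 2. All addresses and port numbers are constructed values from the RFC 5737 documentation ranges.

```python
"""Constructed model of the IPSec NAT-T misrouting scenario (added example).

A network address translator keeps two kinds of UDP port mappings:
  * static mappings set by the administrator (public 500 and 4500 -> Server 1)
  * dynamic mappings created when an inside host sends traffic out
Every address below is constructed for illustration.
"""
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional

IKE_PORT = 500
NAT_T_PORT = 4500

# Constructed topology (RFC 5737 documentation ranges).
NAT_PUBLIC_IP = "203.0.113.10"
SERVER1 = Endpoint = None  # placeholder so the name exists before the class below


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


SERVER1 = Endpoint("10.0.0.5", IKE_PORT)        # inside, statically mapped
CLIENT2 = Endpoint("10.0.0.20", IKE_PORT)       # inside client behind the NAT
CLIENT1 = Endpoint("198.51.100.7", IKE_PORT)    # outside client on the Internet


class StaticMappingNat:
    """Minimal NAPT model: static inbound mappings plus dynamic outbound ones."""

    def __init__(self, public_ip: str, static: Dict[int, Endpoint]) -> None:
        self.public_ip = public_ip
        self.static = dict(static)               # public port -> inside endpoint
        self.dynamic: Dict[int, Endpoint] = {}   # public port -> inside endpoint
        self._by_inside: Dict[Endpoint, int] = {}
        self._ephemeral = count(49152)

    def outbound(self, src: Endpoint) -> Endpoint:
        """Translate the source of an outbound packet, creating a mapping if needed."""
        if src in self._by_inside:
            return Endpoint(self.public_ip, self._by_inside[src])
        # Prefer to keep the source port, but 500/4500 already belong to the
        # static mapping for Server 1, so any other host gets an ephemeral port.
        port = src.port
        while port in self.static or port in self.dynamic:
            port = next(self._ephemeral)
        self.dynamic[port] = src
        self._by_inside[src] = port
        return Endpoint(self.public_ip, port)

    def inbound(self, dst_port: int) -> Optional[Endpoint]:
        """Deliver a packet that arrived on the public IP: dynamic first, then static, else drop."""
        return self.dynamic.get(dst_port) or self.static.get(dst_port)

    def expire(self, inside: Endpoint) -> None:
        """Age out an inside host's dynamic mapping (idle timeout, reboot, ...)."""
        port = self._by_inside.pop(inside, None)
        if port is not None:
            del self.dynamic[port]


def run_scenario() -> Dict[str, object]:
    """Replay the article's scenario and report where each packet is delivered."""
    nat = StaticMappingNat(NAT_PUBLIC_IP, {
        IKE_PORT: Endpoint(SERVER1.ip, IKE_PORT),
        NAT_T_PORT: Endpoint(SERVER1.ip, NAT_T_PORT),
    })
    result: Dict[str, object] = {}
    # 1. Client 1 negotiates with Server 1 via the static mapping: works as intended.
    result["client1_to_server1"] = nat.inbound(IKE_PORT)
    # 2. Client 2 initiates IKE to Client 1; its source port 500 is taken by the
    #    static mapping, so the NAT hands it an ephemeral public port.
    client2_public = nat.outbound(CLIENT2)
    result["client2_public"] = client2_public
    # 3. Client 1 replies to the port it observed; the dynamic mapping reaches Client 2.
    result["client1_reply"] = nat.inbound(client2_public.port)
    # 4. The dynamic mapping ages out, and Client 1 must re-establish the SAs.
    nat.expire(CLIENT2)
    #    Retrying the remembered port finds no mapping at all: the packet is dropped.
    result["client1_retry_old_port"] = nat.inbound(client2_public.port)
    #    A fresh negotiation goes to the public IP on port 500, which only the
    #    static mapping matches: the packet meant for Client 2 lands on Server 1.
    result["client1_reinit"] = nat.inbound(IKE_PORT)
    result["misrouted_to_server1"] = result["client1_reinit"] == SERVER1
    return result


if __name__ == "__main__":
    for step, where in run_scenario().items():
        print(f"{step:24s} -> {where}")
```

The model deliberately lets dynamic mappings take precedence over static ones, which is the friendliest assumption for the NAT; the misroute still occurs because nothing remains to override the static entry once Client 2's mapping is gone, which is exactly why the article recommends a public IP address for the server rather than relying on the translator.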
The default behavior of Windows XP SP2 can be changed to enable IPSec NAT-T security associations to servers that are located behind a network address translator. We do not recommend that you change the default behavior.
Article ID: 885348 - Last Review: 10/30/2006 21:31:50 - Revision: 2.2