Registry entries that are useful in network address translation traversal (NAT-T) security associations in Windows Vista

INTRODUCTION

This article describes registry entries that are useful in network address translation traversal (NAT-T) security associations in Windows Vista.

More Information

The AssumeUDPEncapsulationContextOnSendRule registry entry

The AssumeUDPEncapsulationContextOnSendRule registry entry can be applied to the Windows Vista operating system and to earlier operating systems. In Windows Vista, the entry is located in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
In earlier operating systems, the entry is located in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
If you update the operating system from Windows XP Service Pack 2 (SP2) to Windows Vista, the value of this registry entry and the default behavior do not change. Therefore, you do not have to reset the registry configuration to support servers that are hosted behind network address translation (NAT) devices.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To modify the AssumeUDPEncapsulationContextOnSendRule registry entry, follow these steps:
  1. Log on to the Windows Vista client computer as a user who is a member of the Administrators group.
  2. Click Start, type regedit in the Start Search box, and then press ENTER.

    Note If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.
  3. Locate and then click the registry subkey that holds the entry on your operating system (the locations given earlier in this article):
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent (Windows Vista)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec (earlier operating systems)
  4. Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
  5. In the Value Data box, type one of the following values:
    • 0

      A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
    • 1

      A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
    • 2

      A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.
  6. Click OK, and then exit Registry Editor.
  7. Restart the computer.

The IPsecThroughNAT registry entry

To modify this registry entry, follow these steps:
  1. Log on to the Windows Vista client computer as a user who is a member of the Administrators group.
  2. Click Start, type regedit in the Start Search box, and then press ENTER.

    Note If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.
  3. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
  4. Right-click IPsecThroughNAT, and then click Modify.
  5. In the Value Data box, type one of the following values:
    • 0

      A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
    • 1

      A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
    • 2

      A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008 VPN client computer are behind NAT devices.
  6. Click OK, and then exit Registry Editor.
  7. Restart the computer.
Also, you can run the following commands at a command prompt to modify this registry entry:
  • To set the value to 0, run the following command:
    netsh advfirewall set global ipsec ipsecthroughnat never
  • To set the value to 1, run the following command:
    netsh advfirewall set global ipsec ipsecthroughnat serverbehindnat
  • To set the value to 2, run the following command:
    netsh advfirewall set global ipsec ipsecthroughnat serverandclientbehindnat
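The following PowerShell helper is an added example, not part of the Knowledge Base article: it audits both registry entries described above (AssumeUDPEncapsulationContextOnSendRule and IPsecThroughNAT), maps each value to the behavior the article lists, and applies a chosen value using the netsh keywords from the list above. It assumes both entries are REG_DWORD values and that PowerShell runs elevated; the function names are hypothetical.

```powershell
# Added example (not Microsoft's code): audit and set the NAT-T entries from KB 947234.
# Assumption: both entries are REG_DWORD values; run from an elevated prompt.

# Behavior of each value, as listed in the article for both entries.
$Meaning = @{
    0 = 'never: no security associations with servers behind NAT (default)'
    1 = 'serverbehindnat: server may be behind a NAT device'
    2 = 'serverandclientbehindnat: server and VPN client may both be behind NAT'
}

# Locations given in the article: PolicyAgent on Windows Vista, IPsec on earlier
# systems, and the firewall policy key for IPsecThroughNAT.
$Entries = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'; Name = 'AssumeUDPEncapsulationContextOnSendRule' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPsec';       Name = 'AssumeUDPEncapsulationContextOnSendRule' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'; Name = 'IPsecThroughNAT' }
)

function Get-NatTraversalPosture {
    # Reports one row per entry; a missing entry is reported as the default (0).
    foreach ($e in $Entries) {
        $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $value = $null
            $text  = 'not set (default behavior: ' + $Meaning[0] + ')'
        } else {
            $value = [int]$item.($e.Name)
            $text  = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { 'unexpected value' }
        }
        [pscustomobject]@{ Key = $e.Path; Entry = $e.Name; Value = $value; Effect = $text }
    }
}

function Set-NatTraversalPosture {
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value)
    # IPsecThroughNAT: same netsh commands the article lists, keyed by value.
    $Keyword = @{ 0 = 'never'; 1 = 'serverbehindnat'; 2 = 'serverandclientbehindnat' }
    & netsh advfirewall set global ipsec ipsecthroughnat $Keyword[$Value]
    # AssumeUDPEncapsulationContextOnSendRule has no netsh form in the article,
    # so it is written directly under whichever service key exists on this system.
    foreach ($e in ($Entries | Where-Object { $_.Name -eq 'AssumeUDPEncapsulationContextOnSendRule' })) {
        if (Test-Path $e.Path) {
            New-ItemProperty -Path $e.Path -Name $e.Name -PropertyType DWord -Value $Value -Force | Out-Null
        }
    }
    Write-Warning 'Restart the computer for the change to take effect (step 7 above).'
}

Get-NatTraversalPosture | Format-Table -AutoSize
```

Values 1 and 2 relax the default restriction, so the audit output is worth comparing against the posture your policy expects (see KB 885348 in the references).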

References

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

818043 L2TP/IPsec NAT-T update for Windows XP and Windows 2000

885348 IPSec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators

926179 How to configure an L2TP/IPsec server behind a NAT-T device in Windows Vista and in Windows Server 2008

Properties

Article ID: 947234 - Last Review: 18 Aug 2009 - Revision: 1