Re: L2TP over IPsec VPN and nat-t

From: Adam (Adam_at_discussions.microsoft.com)
Date: 11/03/04


Date: Tue, 2 Nov 2004 18:56:02 -0800

I had seen these articles and was hopeful that this would solve the problem,
but it didn't. Below is information from Juniper Networks regarding the L2TP
over IPsec VPN.

L2TP over IPSec is not supported with NAT Traversal. NAT Traversal is
supported only when Tunnel mode is used for IPSec. Standard IPSec (without
L2TP) uses tunnel mode, and that is why you can configure IPSec VPN tunnels
when a NAT device is upstream. However, L2TP over IPSec uses transport mode,
and therefore NAT traversal is not supported with L2TP over IPSec.

I guess this answers my question. I am now interested in Microsoft articles
relating to creating standard IPsec VPNs. I've seen the IP Security Policy
snap-in, but creating a policy is complex. Any links would be appreciated.

Thanks,

"Bigbruva" wrote:

> Hi Adam
>
> You need to read the information at this link
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B818043
>
> Also if your Windows XP clients are running SP2 you will need to read the
> following KB article:
>
> http://support.microsoft.com/kb/885407
>
> This should help you out, let us know how you get on.
>
> BB
>
> "Adam" <Adam@discussions.microsoft.com> wrote in message
> news:7EFD4EEB-4421-410B-BB16-9E41752230C5@microsoft.com...
> > I am having problems making an L2TP over IPsec VPN work when the remote
> > client is behind a NAT device. The VPN uses IPsec certificates and this all
> > works well if the remote user is directly connected to the internet (i.e. the
> > machine has a public IP address assigned), but as soon as the computer is
> > behind a device and receives a private IP address, the VPN tunnel times out.
> > (The IPsec creates successfully, but the L2TP connection fails...error 682).
> > These remote clients are connecting to a NetScreen 25 for their VPN tunnels.
> > This device supports nat-t. The L2TP connections for this device only work
> > in "transport mode".
> >
> > One other thing, this process works just fine if I have the remote clients
> > connect just using an L2TP tunnel (no IPsec). Then there seems to be no
> > problem with NAT and the remote clients. I have tested this VPN setup using
> > Windows 2000, Windows XP Pro, and Windows XP Home Edition. All three OSs
> > respond the same.
> >
> > I am wondering if there is some type of setting I need to modify in Windows
> > that will allow IPsec to function in "transport mode" or at least apply
> > nat-t to the L2TP connection. Thanks in advance, Adam
> >
>
>
>
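The Juniper note quoted in this post says L2TP over IPsec runs in transport mode and that NAT traversal is only supported in tunnel mode. One concrete reason transport mode is harder to carry through a NAT, taken from RFC 3948 (UDP encapsulation of ESP) rather than from this thread: in transport mode the protected payload is the L2TP/UDP segment itself, whose checksum was computed over the client's private address, so after the NAT rewrites the outer IP header the checksum no longer matches unless the receiver applies the NAT-OA fix-up. The Python script below is an added example, not code from the thread, Microsoft or Juniper; the addresses, ports and L2TP payload bytes are constructed, and the fix-up is the RFC 1624 incremental checksum update that RFC 3948 describes for transport mode.

```python
"""
Constructed example: why a transport-mode ESP payload carries a checksum
that a NAT in the path invalidates, and the RFC 3948 / RFC 1624 fix-up a
NAT-T-aware receiver applies. All addresses, ports and payload bytes are
made up for the demonstration.
"""
import socket
import struct

# Constructed scenario: an L2TP client on a private address behind a NAT
# talks to a server with a public address. Only the outer IP header is
# visible to the NAT; the L2TP/UDP segment (checksum included) is inside ESP.
CLIENT_PRIVATE_IP = "10.0.0.5"     # address the client used for its checksum
NAT_PUBLIC_IP = "198.51.100.7"     # address the server sees in the outer header
SERVER_IP = "203.0.113.10"
L2TP_PORT = 1701
L2TP_PAYLOAD = bytes.fromhex("c802000c000000000000")  # made-up L2TP control bytes


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4, UDP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header (which contains both IP
    addresses), the UDP header with a zero checksum field, and the payload."""
    length = 8 + len(payload)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, length)
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = 0xFFFF - ones_complement_sum(pseudo + header + payload)
    return csum or 0xFFFF  # UDP sends an all-zero result as 0xFFFF


def build_udp_segment(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """The segment the client builds before ESP protects it."""
    csum = udp_checksum(src_ip, dst_ip, src_port, dst_port, payload)
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), csum) + payload


def verify_udp_segment(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check using the addresses the receiver believes apply."""
    src_port, dst_port, length, received = struct.unpack("!HHHH", segment[:8])
    payload = segment[8:length]
    return received == udp_checksum(src_ip, dst_ip, src_port, dst_port, payload)


def adjust_checksum_for_nat(old_csum: int, old_ip: str, new_ip: str) -> int:
    """RFC 1624 incremental update HC' = ~(~HC + ~m + m'), applied per 16-bit
    word of the address that changed in the pseudo-header. This is the RFC 3948
    transport-mode fix-up: the receiver learns the original address from the
    NAT-OA payload exchanged during IKE and the translated one from the outer
    IP header, and rewrites the checksum instead of discarding the packet."""
    total = (~old_csum) & 0xFFFF
    old_words = struct.unpack("!HH", socket.inet_aton(old_ip))
    new_words = struct.unpack("!HH", socket.inet_aton(new_ip))
    for m, m_new in zip(old_words, new_words):
        total += ((~m) & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    result = (~total) & 0xFFFF
    return result or 0xFFFF


def demo() -> dict:
    """Walk the constructed packet through the NAT with and without the fix-up."""
    segment = build_udp_segment(CLIENT_PRIVATE_IP, SERVER_IP, L2TP_PORT, L2TP_PORT, L2TP_PAYLOAD)
    sent_csum = struct.unpack("!H", segment[6:8])[0]
    # No NAT-T awareness: the server checks against the translated source address
    # it sees on the wire, so the decrypted L2TP segment fails verification.
    naive_ok = verify_udp_segment(NAT_PUBLIC_IP, SERVER_IP, segment)
    # With NAT-OA the server knows the client's original address and can verify
    # against it directly ...
    nat_oa_ok = verify_udp_segment(CLIENT_PRIVATE_IP, SERVER_IP, segment)
    # ... or rewrite the checksum so the segment is valid for the translated address.
    fixed_csum = adjust_checksum_for_nat(sent_csum, CLIENT_PRIVATE_IP, NAT_PUBLIC_IP)
    fixed_segment = segment[:6] + struct.pack("!H", fixed_csum) + segment[8:]
    fixup_ok = verify_udp_segment(NAT_PUBLIC_IP, SERVER_IP, fixed_segment)
    return {"naive_ok": naive_ok, "nat_oa_ok": nat_oa_ok, "fixup_ok": fixup_ok,
            "sent_checksum": sent_csum, "fixed_checksum": fixed_csum}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:#06x}" if type(value) is int else f"{key}: {value}")
```

Tunnel mode sidesteps all of this because the whole original IP packet, addresses included, is encapsulated and the NAT only ever touches the new outer header; that is the asymmetry the Juniper note is describing. A gateway that lacks the NAT-OA fix-up can only reject transport-mode traffic from behind a NAT, which matches the symptom in this thread of the IPsec SA coming up while the L2TP session inside it never completes.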
