Re: IPSEC from behind dumb NAT. How?

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 10/29/02


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Tue, 29 Oct 2002 12:35:38 -0500


"Alexander Tarasul" <tarasul@hotmail.com> wrote in message
news:cb179245.0210290751.21c3d220@posting.google.com...
> I've read from multiple places that ESP IPSEC from behind NAT is
> possible.
> Here is my scenario.
> I have a Win2K server behind a generic SOHO NAT/DHCP (for simplicity the
> public address is 171.1.2.3, the internal DHCP address is 192.168.0.5) and
> another Win2K server on the internet (say 172.3.2.1). The NAT is doing port
> translation.
> No NAT on destination server. No RAS server installed. I want to
> secure channel between them using IPSEC ESP (to authenticate and
> encrypt payload adding one more layer to layered security).
>
> I've actually got Main Mode established, but when the destination host
> goes into Quick Mode it fails.
> The addresses configured in IPSEC are 171.1.2.3 and 172.3.2.1.
> In the failure message written into the EventLog I see that 192.168.0.5 is not
> configured.
> This means to me that ESP still verifies addresses.
> What am I doing wrong?
> Is there any step-by-step guide on how to do this?

First, if you're using Windows 2000 as a router, I would probably advise
using a real router... even a $70 Linksys NAT device will do "IPsec
Passthrough" to allow IPsec VPN.

As you may already know, if you're also using AH in addition to ESP, this
will cause a problem.

This is about the extent of my knowledge on the subject; I hope it is
helpful. I'm not sure there is a way to get Win2000 IPsec to work with
Win2000 NAT. Further information can be found by searching
www.microsoft.com/support for "ipsec NAT".
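Added illustration, not part of Karl's reply or Alexander's post: a constructed Python model of the two things this thread touches. First, why AH cannot survive a NAT while ESP can: the AH integrity check covers the immutable fields of the IP header, including the source address, whereas the ESP integrity check covers only the SPI, sequence number and payload. Second, a simplified version of the Quick Mode (IPsec filter list) address match, which rejects a proposal naming 192.168.0.5 when the responder's policy only names 171.1.2.3. The packet layout, the use of truncated HMAC-SHA256 as the integrity algorithm, the key, and the helpers nat_rewrite and quick_mode_accepts are all assumptions made for this example; they are not wire-accurate RFC 2402/2406 code and not Windows 2000 IKE behaviour.

```python
"""Constructed model: AH vs ESP integrity checks across a NAT, plus a
simplified Quick Mode selector check. Not a wire-accurate IPsec implementation;
HMAC-SHA256 truncated to 96 bits stands in for the SA's integrity algorithm."""
import hashlib
import hmac
import struct
from copy import deepcopy

# Header fields AH treats as mutable in transit and zeroes before computing the
# ICV (RFC 2402, simplified here to: TOS, flags/fragment word, TTL, checksum).
# Source and destination addresses are NOT in this list, so AH covers them.
MUTABLE_FIELDS = ("tos", "flags_frag", "ttl", "checksum")


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def serialize_header(hdr, zero_mutable=False):
    """Pack the 20-byte IPv4 header; optionally zero AH's mutable fields."""
    h = dict(hdr)
    if zero_mutable:
        for field in MUTABLE_FIELDS:
            h[field] = 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, h["tos"], h["length"], h["id"],
                       h["flags_frag"], h["ttl"], h["proto"], h["checksum"],
                       ip_to_bytes(h["src"]), ip_to_bytes(h["dst"]))


def ipv4_checksum(hdr):
    """Standard ones-complement header checksum, computed with the field zeroed."""
    h = dict(hdr)
    h["checksum"] = 0
    total = sum(struct.unpack("!10H", serialize_header(h)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ah_icv(pkt, key):
    """AH-style ICV: immutable IP header fields plus the payload."""
    data = serialize_header(pkt["ip"], zero_mutable=True) + pkt["payload"]
    return hmac.new(key, data, hashlib.sha256).digest()[:12]


def esp_icv(pkt, key):
    """ESP-style ICV: SPI, sequence number and (encrypted) payload only.
    The outer IP header is not covered, so address rewriting does not break it."""
    data = struct.pack("!II", pkt["esp"]["spi"], pkt["esp"]["seq"]) + pkt["payload"]
    return hmac.new(key, data, hashlib.sha256).digest()[:12]


def ah_verify(pkt, key, icv):
    return hmac.compare_digest(ah_icv(pkt, key), icv)


def esp_verify(pkt, key, icv):
    return hmac.compare_digest(esp_icv(pkt, key), icv)


def nat_rewrite(pkt, public_src):
    """What a SOHO NAT does on the way out: swap the source address, decrement
    the TTL and recompute the header checksum. Port translation is not modeled,
    since ESP carries no port numbers to translate."""
    out = deepcopy(pkt)
    out["ip"]["src"] = public_src
    out["ip"]["ttl"] -= 1
    out["ip"]["checksum"] = ipv4_checksum(out["ip"])
    return out


def quick_mode_accepts(proposed_src, proposed_dst, filter_list):
    """Simplified responder-side Phase 2 check: the initiator identifies the
    traffic by the addresses it actually has, and the responder accepts only a
    pair that appears in its own IPsec filter list."""
    return (proposed_src, proposed_dst) in filter_list


def demo():
    key = b"constructed-sa-key-not-real"  # stand-in for the negotiated SA key
    # Packet as built on the host behind the NAT (addresses from the post above).
    pkt = {"ip": {"tos": 0, "length": 0, "id": 1, "flags_frag": 0x4000,
                  "ttl": 64, "proto": 50, "checksum": 0,
                  "src": "192.168.0.5", "dst": "172.3.2.1"},
           "esp": {"spi": 0x1001, "seq": 1},
           "payload": b"constructed-ciphertext-placeholder"}
    pkt["ip"]["length"] = 20 + 8 + len(pkt["payload"])
    pkt["ip"]["checksum"] = ipv4_checksum(pkt["ip"])
    ah, esp = ah_icv(pkt, key), esp_icv(pkt, key)
    on_wire = nat_rewrite(pkt, "171.1.2.3")
    responder_filters = {("171.1.2.3", "172.3.2.1")}  # the policy from the post
    return {
        "ah_ok_without_nat": ah_verify(pkt, key, ah),
        "ah_ok_after_nat": ah_verify(on_wire, key, ah),
        "esp_ok_after_nat": esp_verify(on_wire, key, esp),
        "qm_with_private_id": quick_mode_accepts("192.168.0.5", "172.3.2.1", responder_filters),
        "qm_with_public_id": quick_mode_accepts("171.1.2.3", "172.3.2.1", responder_filters),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running demo() shows the AH check failing as soon as the NAT rewrites the source address (TTL and checksum changes alone would not matter, since AH zeroes those), the ESP check still passing, and the selector check rejecting the private address the initiator proposes, which is the shape of the "192.168.0.5 is not configured" event in the post. What this model does not cover is the separate problem that a port-translating NAT has no port field in an ESP packet to work with; that is the gap a router's "IPsec passthrough" feature exists to handle.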
