Re: L2TP/IPSec VPN Configuration

From: Jon-Alfred Smith <jonsmi@xxxxxxxxxxxxxxxx>
Date: Tue, 05 Feb 2008 22:13:57 +0100

On Tue, 5 Feb 2008 07:31:15 -0800, "Charlie Russel - MVP"
<charlie@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

It is possible, but extremely fussy. If you do everything exactly right it
works, but one misstep and it doesn't.

This is covered extensively in chapter 15 of our SBS R2 book, but the basic
steps are:

[SNIP]

There are thirteen pages on this in chapter 15. And another batch in chapter
16 if you're using ISA 2k4. It's not trivial, but is possible if you follow
the steps exactly. Unfortunately, all the steps are actually required.

Charlie Russel
Author: Microsoft Windows Small Business Server 2003 R2 Administrator's
Companion (MS Press)
http://www.amazon.com/Microsoft-Business-Administrators-Companion-Pro-Administrators/dp/0735622809/ref=sr_11_1/104-0475887-4767969?ie=UTF8

The book details all steps in an excellent way. However, I still
wonder about IPSec from a client behind a NAT to a server behind a
different NAT.

MS has at least two KB articles on this subject, and MS says: IPSec
NAT-T is not recommended for Windows Server 2003 computers that are
behind network address translators
http://support.microsoft.com/kb/885348

The default behavior of IPSec NAT traversal (NAT-T) is changed in
Windows XP Service Pack 2
http://support.microsoft.com/kb/885407/

It should not be too uncommon that clients and SBS servers are located
behind different NATs. Does this really mean that best practice is to
use PPTP / MPPE instead?

jas
.

Follow-Ups:
- Re: L2TP/IPSec VPN Configuration
  - From: Charlie Russel - MVP
- Re: L2TP/IPSec VPN Configuration - Charlie reply please!
  - From: Al

References:
- L2TP/IPSec VPN Configuration
  - From: Al
- Re: L2TP/IPSec VPN Configuration
  - From: Charlie Russel - MVP

Prev by Date: Re: Exchange SBS 2003 R2 Exchange SP2 Upgrade
Next by Date: Re: Security Question - Totally Stumped
Previous by thread: Re: L2TP/IPSec VPN Configuration
Next by thread: Re: L2TP/IPSec VPN Configuration - Charlie reply please!
Index(es):
- Date
- Thread

Relevant Pages

Re: L2TP/IPSec Verbindung läuft mit XP SP2 nicht mehr
... In XPSP2 the IPsec driver needs a registry setting when either the ... server or workstation are behind a NAT gateway. ... 1- Client initiates to a server that is behind the NAT ... > Peer Private Addr ...
(microsoft.public.de.german.windowsxp.networking)
Re: Setting up IPSec
... IPsec and NAT ... ... > and a remote server in an Unix-only network (this ... the server send its first encrypted IKE ...
(microsoft.public.windowsxp.security_admin)
Re: IPsec VPN connection from Win XP SP2
... supported scenario to have a nat in front of the ras server. ... If I'm not mistaken IPSec doesn't work over ... > could create a Site-to-Site VPN between them, ...
(microsoft.public.windows.server.networking)
Re: IPSEC from behind dumb NAT. How?
... > I've read from mulitple places that ESP IPSEC from behind NAT is ... > No NAT on destination server. ...
(microsoft.public.win2000.security)
Re: stop ports!
... You can create an IPSec policy to filter all inbound/outbound traffic on a ... IPSec is a huge topic, ... Windows Server 2003 IPSec filtering ... > Do you know how can I stop the ports with outbound traffic under windows> server 2003? ...
(microsoft.public.win2000.security)