Re: L2TP/IPSec VPN Configuration - Charlie reply please!

Jon - hopefully Charlie can give input on that, as I would assume that most SBSs would be behind a NAT router, although I have set mine to forward the appropriate protocols/ports. Having read the sections in Charlie's book (I have to confess I use it as a reference bible for SBS, as I am not a techie), it seems that although complicated, the L2TP/IPSec VPN is far more secure than PPTP, and if I am right (?) it is not just the encryption but rather that there is a certificate given to the legitimate client PCs, thereby making it more difficult for hackers? So hopefully it does still work!
Charlie - input please



"Jon-Alfred Smith" <jonsmi@xxxxxxxxxxxxxxxx> wrote in message
news:pojhq3p9hbmrdtcs4hl517i8o7atkdv2d1@xxxxxxxxxx
On Tue, 5 Feb 2008 07:31:15 -0800, "Charlie Russel - MVP"
<charlie@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

It is possible, but extremely fussy. If you do everything exactly right it
works, but one misstep and it doesn't.

This is covered extensively in chapter 15 of our SBS R2 book, but the basic steps are:

[SNIP]

There are thirteen pages on this in chapter 15. And another batch in chapter 16 if you're using ISA 2k4. It's not trivial, but is possible if you follow the steps exactly. Unfortunately, all the steps are actually required.

Charlie Russel
Author: Microsoft Windows Small Business Server 2003 R2 Administrator's
Companion (MS Press)
http://www.amazon.com/Microsoft-Business-Administrators-Companion-Pro-Administrators/dp/0735622809/ref=sr_11_1/104-0475887-4767969?ie=UTF8

The book details all steps in an excellent way. However, I still
wonder about IPSec from a client behind a NAT to a server behind a
different NAT.

MS has at least two KB articles on this subject, and MS says: IPSec
NAT-T is not recommended for Windows Server 2003 computers that are
behind network address translators
http://support.microsoft.com/kb/885348

The default behavior of IPSec NAT traversal (NAT-T) is changed in
Windows XP Service Pack 2
http://support.microsoft.com/kb/885407/

It should not be too uncommon that clients and SBS servers are located
behind different NATs. Does this really mean that best practice is to
use PPTP / MPPE instead?

jas
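As an added example (not code from anyone in this thread), the following PowerShell audit reads the NAT-T setting that KB 885407 describes for XP SP2 (the Server 2003 KB covers the same value) and reports what it means for the two-NAT case asked about above. The registry path and the meaning of the values come from those KB articles; the function name and output format are this example's own.

```powershell
# Added example, not from the thread: audit the IPsec NAT-T registry value that
# KB 885407 (XP SP2) and the matching Windows Server 2003 guidance describe.
# Path and value meanings are taken from those KB articles; the rest is assumed.
$IpsecKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'

function Get-NatTState {
    # Return the effective setting and what it means for an L2TP/IPsec client.
    # A missing value behaves as 0, which is the post-SP2 default that blocks
    # IKE security associations to a server sitting behind a NAT device.
    $item = Get-ItemProperty -Path $IpsecKey -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 0 } else { [int]$item.$ValueName }
    $meaning = switch ($value) {
        0 { 'default: no IKE SA to a server behind NAT, so L2TP/IPsec to a NATed SBS fails' }
        1 { 'server may be behind NAT; this client must have a public address' }
        2 { 'both client and server may be behind NAT (the two-NAT case in this thread)' }
        default { "unrecognised value $value; treat as misconfiguration" }
    }
    [pscustomobject]@{ Key = $IpsecKey; Name = $ValueName; Value = $value; Meaning = $meaning }
}

Get-NatTState | Format-List

# To change it (elevated), set a DWORD and reboot; the IPsec service reads it at start-up:
# Set-ItemProperty -Path $IpsecKey -Name $ValueName -Value 2 -Type DWord
```

Setting the value only lets the client attempt NAT-T; UDP 500 and UDP 4500 still have to reach the server for IKE and the UDP-encapsulated ESP to get through.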
