L2TP Over a NAT/VPN Device

By default, Windows XP SP2 no longer supports IPsec NAT-T security associations to servers that are located behind a network address translator. Therefore, if your virtual private network (VPN) server is behind a network address translator, by default, a Windows XP SP2-based VPN client cannot make an L2TP/IPsec connection to the VPN server. This scenario includes a VPN server that is running Microsoft Windows Server 2003.

This default behavior can also prevent computers that are running Windows XP SP2 from making Remote Desktop connections with L2TP/IPsec when the destination computer is located behind a network address translator.

Because of the way that network address translators translate network traffic, you may experience unexpected results when you put a server behind a network address translator and then use IPsec NAT-T. Therefore, if you require IPsec for communication, we recommend that you use public IP addresses for all servers that you can connect to directly from the Internet.

To create and configure the AssumeUDPEncapsulationContextOnSendRule registry value, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.

2. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec

3. On the Edit menu, point to New, and then click DWORD Value.

4. In the New Value #1 box, type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.

5. Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.

6. In the Value Data box, type one of the following values:

  • 0 (default)
    A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind network address translators.
  • 1
    A value of 1 configures Windows so that it can establish security associations with servers that are located behind network address translators.
  • 2
    A value of 2 configures Windows so that it can establish security associations when both the server and the Windows XP SP2-based client computer are behind network address translators.

7. Click OK, and then quit Registry Editor.

8. Restart the computer.
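The same change, scripted, as an added example that is not part of the original article: it reads the current AssumeUDPEncapsulationContextOnSendRule value (a missing value means the default of 0), writes the DWORD described in steps 3 to 6, and reminds you that the restart in step 8 is still required. It assumes an elevated (Administrator) PowerShell session on the client computer; the function names are hypothetical.

```powershell
# Added example (not from the article): inspect and set the
# AssumeUDPEncapsulationContextOnSendRule value from the steps above.
# Assumption: run in an elevated (Administrator) PowerShell session on the client.

$IPsecKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPsec'
$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'

# Meaning of each value, as listed in step 6.
$Meaning = @{
    0 = 'no IPsec NAT-T SAs to servers behind a NAT (default)'
    1 = 'allow SAs to servers behind a NAT'
    2 = 'allow SAs when both client and server are behind a NAT'
}

function Get-IPsecNatTRule {
    # Returns the effective value; a missing value means the default (0).
    $item = Get-ItemProperty -Path $IPsecKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Set-IPsecNatTRule {
    param(
        [Parameter(Mandatory)]
        [ValidateSet(0, 1, 2)]   # only the three values the article defines
        [int]$Value
    )
    if (-not (Test-Path $IPsecKey)) {
        throw "Registry key $IPsecKey not found; is the IPsec service present?"
    }
    $current = Get-IPsecNatTRule
    if ($current -eq $Value) {
        Write-Host "$ValueName is already $Value ($($Meaning[$Value])); nothing to do."
        return
    }
    # Creates the DWORD (steps 3-4); -Force overwrites an existing value (steps 5-6).
    New-ItemProperty -Path $IPsecKey -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
    Write-Host "Changed $ValueName from $current to $Value ($($Meaning[$Value]))."
    Write-Host 'Restart the computer before the new value takes effect (step 8).'
}

# Usage: show the current setting, then allow SAs for a client that is itself
# behind a NAT connecting to a VPN server behind a NAT (value 2).
"Current: $(Get-IPsecNatTRule) ($($Meaning[(Get-IPsecNatTRule)]))"
Set-IPsecNatTRule -Value 2
```

Pick the value from your actual topology (1 when only the server is behind a NAT, 2 when both ends are), and keep in mind the article's caveat that a server behind a NAT using NAT-T can behave unexpectedly.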
