Problem: VPN clients using L2TP/IPSEC may experience issues connecting to the VPN server.
Cause: This may be the result of the VPN server being located behind a NAT device or other firewall. The default behaviour of L2TP/IPSEC within Windows XP changed in SP2 to be more secure. As a result, Windows XP SP2 clients can no longer connect to a VPN server that is placed behind a NAT device.
Workaround: To work around the issue, a registry key can be changed on the VPN client to restore the pre-SP2 functionality. This change requires administrator rights to implement, and it lowers the security of L2TP/IPSEC to a level similar to that of PPTP. For details on the required registry key changes, see the following Microsoft KB article:
http://support.microsoft.com/kb/885407
Solution: To resolve the issue without changing the client configuration or lowering the security of L2TP/IPSEC, remove the NAT between the Internet and the VPN server. To do this, either:
- Connect the external interface of the VPN server directly to the Internet with an Internet IP address (only recommended when ISA Server is used).
- Change the perimeter firewall to route, rather than NAT, traffic to the VPN server. The VPN server will still require an Internet-routable IP address.
More information: L2TP/IPSEC is designed to identify both ends of the VPN tunnel, typically via certificates or, less securely, a pre-shared key. The VPN tunnel is then established between the machines based on their IP address information. However, if the VPN server is behind a NAT device, the server's actual IP address cannot be used as part of the tunnel security, because it is a private address.
As a result, NAT-T was introduced to allow L2TP/IPSEC connectivity across a NAT device. It is not recommended to "hide" the VPN server behind a NAT device, as the VPN client cannot be sure that it is connecting to the real VPN server. NAT-T is still very useful when the VPN client is located behind a NAT device, as the client is still able to positively identify the VPN server.
For further details regarding how NAT-T functions in Windows, refer to the following Microsoft KB article:
http://support.microsoft.com/kb/885348
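The NAT detection that NAT-T performs during IKE, as an added illustration that is not part of this article: each peer sends NAT-D hashes of its own address and of the address it sees its peer at (RFC 3947, HASH(CKY-I | CKY-R | IP | Port)); a mismatch on the server's address is exactly the "server hidden behind NAT" case described above. The IKE cookies, addresses and the choice of SHA-1 are constructed assumptions.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values (not from the article): IKE phase-1 cookies and the IKE port.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")
IKE_PORT = 500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload value per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed as the negotiated hash algorithm."""
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(cky_i + cky_r + packed).digest()


def nat_detection(client_local, server_local, client_sees_server, server_sees_client):
    """Compare NAT-D hashes the way the two IKE peers do.
    Each argument is an (ip, port) tuple. A mismatch on a peer's own address
    means a NAT rewrote that address in transit."""
    # Hashes computed on the client: its own address, and the server as the client sees it
    client_self = nat_d_hash(CKY_I, CKY_R, *client_local)
    client_peer = nat_d_hash(CKY_I, CKY_R, *client_sees_server)
    # Hashes computed on the server and sent back: its own address, and the client as seen
    server_self = nat_d_hash(CKY_I, CKY_R, *server_local)
    server_peer = nat_d_hash(CKY_I, CKY_R, *server_sees_client)
    server_behind_nat = server_self != client_peer  # server's real address differs from what the client sees
    client_behind_nat = client_self != server_peer  # client's real address differs from what the server sees
    return {
        "server_behind_nat": server_behind_nat,
        "client_behind_nat": client_behind_nat,
        "nat_t_required": server_behind_nat or client_behind_nat,
    }


if __name__ == "__main__":
    # The article's case: VPN server on a private address behind a NAT firewall,
    # reachable by the client only through the firewall's public address.
    print(nat_detection(("198.51.100.7", IKE_PORT), ("192.168.1.10", IKE_PORT),
                        ("203.0.113.5", IKE_PORT), ("198.51.100.7", IKE_PORT)))
```

The server-side mismatch is what an SP2 client refuses by default; the client-side-only mismatch is the case where NAT-T still lets the client positively identify the server.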