Problem connecting 2 ISA Servers VPN L2TP with Cisco Equipment infront
THIS ARTICLE AT MICROSOFT.COM
By default, computers that run Windows XP with Service Pack 2 and that initiate IPsec-secured communications (hereafter referred to as initiators) no longer support using IPsec NAT-T to remote computers that respond to requests for IPsec-secured communication (hereafter referred to as responders) that are located behind a network address translator. This is to avoid potential security issues as discussed in the following Microsoft Knowledge Base article:
885348 (http://support.microsoft.com/kb/885348/ ) IPSec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators
For example, if your virtual private network (VPN) server that is running Microsoft Windows Server 2003 is behind a network address translator, by default, a Windows XP SP2-based VPN client cannot make a Layer Two Tunneling Protocol with IPsec (L2TP/IPsec) connection to the VPN server.
This default behavior can also prevent computers that are running Windows XP with SP2 from making Remote Desktop connections that are protected by L2TP/IPsec or by IPsec transport mode when the destination computer is located behind a network address translator.
Because of the way that IPsec NAT-T works in Windows XP without service packs installed and in Windows XP Service Pack 1 (SP1), you may experience unexpected results when you put a server behind a network address translator and then use IPsec NAT-T. Therefore, if you require IPsec for communication, we recommend that you use public IP addresses for all servers that you can connect to directly from the Internet.
Note: Regardless of these changes, computers that are running Windows 2000, Windows XP, or Windows Server 2003 support IPsec NAT-T-based connections as an initiator when located behind a network address translator. For example, an L2TP/IPsec VPN client laptop that is located on a private hotel network can initiate a connection to a VPN server that is using a public Internet address.
NAT is a widely-used technology that enables more than one computer to share a single public IP address. Network address translators map private addresses (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) that are used on private networks to public IP addresses that are used on the Internet. For more information about putting servers behind network address translators, about how to configure network address translation mappings for servers, and about the consequences to IPsec NAT-T security associations for a specific situation, click the following article number to view the article in the Microsoft Knowledge Base: 885348 (http://support.microsoft.com/kb/885348/ ) IPSec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators
To allow an IPsec NAT-T initiator to connect to a responder that is located behind a NAT, you must create and set the AssumeUDPEncapsulationContextOnSendRule registry value on the initiator.
Note: Before you configure this registry value, we recommend that you contact your network administrator or read your corporate security policy.
To create and configure the AssumeUDPEncapsulationContextOnSendRule registry value, follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
3. On the Edit menu, point to New, and then click DWORD Value.
4. In the New Value #1 box, type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
   Important: This value name is case sensitive.
5. Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
6. In the Value data box, type one of the following values:
   0 (default) - A value of 0 (zero) configures Windows XP SP2 so that it cannot initiate IPsec-secured communications with responders that are located behind network address translators.
   1 - A value of 1 configures Windows XP SP2 so that it can initiate IPsec-secured communications with responders that are located behind network address translators.
   2 - A value of 2 configures Windows XP SP2 so that it can initiate IPsec-secured communications when both the initiators and the responders are behind network address translators.
   Note: This is the behavior of IPsec NAT-T in Windows XP without service packs installed and in Windows XP SP1.
7. Click OK, and then quit Registry Editor.
8. Restart the computer.
After you configure AssumeUDPEncapsulationContextOnSendRule with a value of 1 or a value of 2, Windows XP SP2 can connect to a responder that is located behind a network address translator. This behavior applies to connections to a VPN server that is running Windows Server 2003.
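The same check and change done from the command line, as an added example that is not part of the Microsoft article or the page author's post; it assumes an elevated PowerShell session and uses the key, value name and value meanings given in the steps above (the function names Get-IpsecNatTRule and Set-IpsecNatTRule are my own):

```powershell
# Added example (not from the Microsoft article or the page author): read and,
# optionally, set AssumeUDPEncapsulationContextOnSendRule, the value that decides
# whether this host will act as an IPsec NAT-T initiator to a responder behind a NAT.
# Requires an elevated session; per the article, a restart is needed before the
# new value takes effect.

$IpsecKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPsec'
$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'   # case sensitive, per the article

# Meaning of each DWORD value, as documented in the article above.
$Meaning = @{
    0 = 'Default: will not initiate IPsec NAT-T to responders behind a NAT'
    1 = 'Initiates IPsec NAT-T to responders behind a NAT'
    2 = 'Initiates IPsec NAT-T when both sides are behind a NAT (XP RTM/SP1 behaviour)'
}

function Get-IpsecNatTRule {
    # An absent value behaves as 0, so report that as the effective setting.
    $item = Get-ItemProperty -Path $IpsecKey -Name $ValueName -ErrorAction SilentlyContinue
    $present = ($null -ne $item)
    $current = if ($present) { [int]$item.$ValueName } else { 0 }
    $text    = if ($Meaning.ContainsKey($current)) { $Meaning[$current] } else { 'Undocumented value' }
    [pscustomobject]@{ Value = $current; Present = $present; Meaning = $text }
}

function Set-IpsecNatTRule {
    # Only the three documented values are accepted; -WhatIf previews the change.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][ValidateSet(0, 1, 2)][int]$Value)

    $before = Get-IpsecNatTRule
    if ($PSCmdlet.ShouldProcess("$IpsecKey\$ValueName", "Set DWORD to $Value (currently $($before.Value))")) {
        if (-not (Test-Path $IpsecKey)) { New-Item -Path $IpsecKey -Force | Out-Null }
        # Set-ItemProperty creates the value if it is missing; DWord matches "DWORD Value" in the steps.
        Set-ItemProperty -Path $IpsecKey -Name $ValueName -Value $Value -Type DWord
        Write-Warning 'The change takes effect after the computer is restarted.'
    }
    Get-IpsecNatTRule
}

# Usage:
#   Get-IpsecNatTRule                 # show the effective setting and what it means
#   Set-IpsecNatTRule -Value 1 -WhatIf  # preview
#   Set-IpsecNatTRule -Value 1          # apply, then restart
```

Record the "before" value that Get-IpsecNatTRule reports before changing it, so the setting can be reverted once the NAT placement of the responder is resolved.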
AND YES
This article also applies to Windows 2003 Server ;) I have spent so long trying to find a solution for my problem. I had two ISA servers that could connect to each other, randomly. One location with ISA Server had a Cisco 837 router as its gateway. Another had a Cisco 2600 router as its gateway. Hope this article will be helpful. I only found it because of a post I made on isaserver.org. Hope this will save you a lot of trouble. ;) take care
Keywords for this article:
AssumeUDPEncapsulationContextOnSendRule || L2TP/IPSec || Cisco || ISA SERVER