Microsoft KB Archive/818043

= L2TP/IPsec NAT-T update for Windows XP and Windows 2000 =

Article ID: 818043

Article Last Modified on 10/26/2006

-

APPLIES TO


 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows 2000 Professional Edition

-


SUMMARY
Microsoft has released an update package to enhance the current functionality of Layer Two Tunneling Protocol (L2TP) and Internet Protocol security (IPsec) on computers that run Microsoft Windows 2000, Microsoft Windows XP without service packs installed, and Windows XP with Service Pack 1 (SP1). This functionality is included in Windows XP Service Pack 2 (SP2). Computers that run Windows XP with a service pack do not have to install this update package.

This update includes improvements to IPsec to better support virtual private network (VPN) clients that are behind network address translation (NAT) devices. If you apply this update to a computer that is running Windows XP, and if the IPsec service encounters a runtime error and cannot start for any reason, the IPsec driver operates in block mode because it cannot secure network traffic.

Note The IPsec service appears as "IPSEC services" in the list of system services.

For more information about the latest service pack for Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Article contents

 * New IPsec features and Management and Monitor snap-ins
 * Interoperability and known issues
 * Windows XP service pack information
 * Windows 2000 Update
 * References



New IPsec features and Management and Monitor snap-ins
After you install this update, Windows 2000 and Windows XP-based L2TP/IPsec clients can create IPsec connections from behind a NAT device. The new IPsec NAT-T functionality is based on the IETF Requests for Comments (RFC) 3193 and version 2 of the original IETF IPsec NAT-T Internet drafts. Windows XP clients that have SP2 also have this enhanced connectivity option. IPsec NAT-T is currently specified in RFCs 3947 and 3948.

The updated IPsec Monitor snap-in can view computers that are running Windows XP, but only if the Windows XP-based computer has SP2 installed. The updated IPsec Monitor snap-in can view computers that are running Microsoft Windows Server 2003. Similarly, Windows Server 2003 can monitor Windows XP-based computers that have SP2 installed. Computers that are running Windows 2000 cannot be monitored with this snap-in.

The new IPsec Management snap-in switches to read-only mode when it encounters policy objects that contain advanced features that were created in Windows Server 2003 (for example, DH2048, Certificate Mapping, or dynamic filters). This behavior causes the snap-in objects (for example, rules, filter lists, or main mode offerings) to become uneditable if they contain references to these new settings. The IPsec Management snap-in switches to read-only mode so that it cannot accidentally remove critical advanced features. The updated IPsec services on Windows XP-based computers can expose most of the new features that are provided in a Windows Server 2003 policy.

Note Certificate Mapping is not available.

Note If an earlier version of the IPseccmd tool is installed on a Windows XP-based computer (this tool is not available in Windows 2000), an updated IPseccmd is installed in the :\Program Files\Support Tools folder.

The updated IPseccmd has the following features:
 * It dynamically turns Internet Key Exchange (IKE) logging on and off.
 * It displays information about a currently assigned policy.
 * It lets you create a persistent IPsec policy.

Note The earlier version of IPseccmd does not work on updated computers, and the updated IPseccmd does not work on computers that are not updated.


IPsec NAT-T and firewall rules
Because the support for IPsec NAT-T functionality is based on IETF RFC 3193 and version 2 of the original IETF NAT-T Internet drafts, for these services to run through a firewall, you may have to open the following ports and protocols in the firewall rules:
 * Internet Key Exchange (IKE) - User Datagram Protocol (UDP) 500
 * IPsec NAT-T - UDP 4500
 * Encapsulating Security Payload (ESP) - Internet Protocol (IP) protocol 50
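As an added example that is not part of this KB article, the following Python classifier shows what actually arrives on the "IPsec NAT-T - UDP 4500" port once NAT-T is negotiated: RFC 3948 multiplexes UDP-encapsulated ESP, IKE messages prefixed by a four-byte zero Non-ESP Marker, and one-byte NAT keepalives on the same port, which matters when you verify the firewall rules above or inspect a capture. The sample datagrams are constructed inline, not taken from a real capture.

```python
# Added example (not part of KB 818043): demultiplex the payload of a UDP 4500
# datagram as laid out in RFC 3948 (UDP-encapsulated ESP, keepalives) and
# RFC 3947 (IKE moved to port 4500 once a NAT is detected).
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s2.2: precedes IKE on port 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s2.3: single-byte keepalive
ISAKMP_HDR = struct.Struct(">QQBBBBII")  # cookies, next payload, version, exchange, flags, msg id, length
ESP_HDR = struct.Struct(">II")           # SPI, sequence number (RFC 4303)


def classify_natt_payload(payload: bytes) -> dict:
    """Return a dict whose 'kind' is one of keepalive, ike, esp, malformed.

    An ESP SPI of 0 is reserved, so a leading four-byte zero marker
    unambiguously identifies an IKE message rather than an ESP packet.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[4:]
        if len(ike) < ISAKMP_HDR.size:
            return {"kind": "malformed", "reason": "truncated ISAKMP header"}
        fields = ISAKMP_HDR.unpack_from(ike)
        version, exchange, length = fields[3], fields[4], fields[7]
        return {
            "kind": "ike",
            "version": (version >> 4, version & 0x0F),  # major, minor nibbles
            "exchange_type": exchange,                  # 2 = Identity Protection (main mode)
            "length_ok": length == len(ike),            # header length field vs bytes on the wire
        }
    if len(payload) < ESP_HDR.size:
        return {"kind": "malformed", "reason": "shorter than an ESP header"}
    spi, seq = ESP_HDR.unpack_from(payload)
    return {"kind": "esp", "spi": spi, "seq": seq,
            "reserved_spi": spi <= 255}  # RFC 4303: SPI values 1-255 are reserved


# Constructed sample datagrams (not a real capture) for a quick self-check.
SAMPLE_KEEPALIVE = NAT_KEEPALIVE
SAMPLE_IKE = NON_ESP_MARKER + ISAKMP_HDR.pack(0x1122334455667788, 0, 1, 0x10, 2, 0, 0, 28)
SAMPLE_ESP = ESP_HDR.pack(0x7A3B1C02, 17) + b"\x00" * 16  # 16 bytes standing in for ciphertext
SAMPLE_BAD = NON_ESP_MARKER + b"\x01\x02\x03"

if __name__ == "__main__":
    for name, pkt in [("keepalive", SAMPLE_KEEPALIVE), ("ike", SAMPLE_IKE),
                      ("esp", SAMPLE_ESP), ("bad", SAMPLE_BAD)]:
        print(name, classify_natt_payload(pkt))
```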

Supported scenarios using IPsec NAT-T
The following scenarios will successfully allow for L2TP/IPsec-based IPsec NAT-T connections. In these scenarios,  is a client that is running Windows 2000 and that has update 818043 installed or is a Windows XP-based computer that has SP2 installed. is an L2TP/IPsec server that is running Windows Server 2003 and that is using Routing and Remote Access.

[Diagram: L2TP/IPsec client > NAT > Internet > L2TP/IPsec server]

The only supported and recommended scenario is when the  is not located behind a NAT device.

The L2TP/IPsec server may also be a third-party gateway product that supports NAT-T connections.

Note If you apply update 818043 to a Windows 2000-based server that is using Routing and Remote Access, the server cannot function as an L2TP/IPsec server in this scenario. It cannot allow for connections from L2TP/IPsec clients that are behind one or more NAT devices. This update is a client-side update only. Server-side IPsec NAT-T functionality is a new feature in Windows Server 2003 Routing and Remote Access only. IPsec NAT-T server-side support will not be added to Windows 2000 Routing and Remote Access.

Diffie-Hellman Group 2048 update
For L2TP/IPsec clients to negotiate and use the Diffie-Hellman Group 2048 update, the remote access server being contacted must also support this group.

Note To use Diffie-Hellman 2048, if your computer is running Windows Server 2003, you must create a registry subkey. To do this, follow these steps:
 * 1) Click Start, click Run, type regedit, and then click OK.
 * 2) Locate and then click the following registry subkey:

 * 3) On the Edit menu, point to New, and then click DWORD Value.
 * 4) Type NegotiateDH2048, and then press ENTER.
 * 5) Right-click NegotiateDH2048, and then click Modify.
 * 6) In the Value data box, type 1, and then click OK.
 * 7) On the Registry menu, click Exit.

Other

 * IPsec offload hardware: IPsec offload network adaptors do not offload security associations that were created by using NATs.
 * New features are not displayed correctly: New features that were enabled by using a Windows Server 2003 IPsec policy may not be correctly displayed in the IPsec monitor. Most notably, the DH2048 group is displayed as 268435457, and dynamic-filter names (for example, WINS or DHCP) are not displayed at all (the column is blank).
 * The IKE component of the Windows implementation of IPsec uses an extended Winsock API function whose function pointer is determined by calling WSAIoctl. If this function call cannot pass through any installed Layered Service Provider (LSP), IPsec cannot listen on the IKE port. IPsec interprets this as a failure of the component and reacts accordingly (that is, a "Fail to a Secure Mode" message is returned). The IKE component's inability to pass through an LSP may be caused by an installed third-party program.


Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To change the IPsec NAT-T behavior for a computer that is running Windows XP SP2, you must create the AssumeUDPEncapsulationContextOnSendRule registry value.

By default, Windows XP SP2 no longer supports IPsec NAT-T security associations to servers that are located behind a network address translator. Therefore, if your virtual private network (VPN) server is behind a network address translator, by default, a Windows XP SP2-based VPN client cannot make an L2TP/IPsec connection to the VPN server. This scenario includes a VPN server that is running Microsoft Windows Server 2003.

This default behavior can also prevent computers that are running Windows XP SP2 from making Remote Desktop connections with L2TP/IPsec when the destination computer is located behind a network address translator.

Because of the way that network address translators translate network traffic, you may experience unexpected results when you put a server behind a network address translator and then use IPsec NAT-T. Therefore, if you require IPsec for communication, we recommend that you use public IP addresses for all servers that you can connect to directly from the Internet.

To create and configure the AssumeUDPEncapsulationContextOnSendRule registry value, follow these steps:
 * 1) Click Start, click Run, type regedit, and then click OK.
 * 2) Locate and then click the following registry subkey:

 * 3) On the Edit menu, point to New, and then click DWORD Value.
 * 4) In the New Value #1 box, type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
 * 5) Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
 * 6) In the Value Data box, type one of the following values:
   * 0 (default): A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind network address translators.
   * 1: A value of 1 configures Windows so that it can establish security associations with servers that are located behind network address translators.
   * 2: A value of 2 configures Windows so that it can establish security associations when both the server and the Windows XP SP2-based client computer are behind network address translators.
 * 7) Click OK, and then quit Registry Editor.
 * 8) Restart the computer.


Windows XP service pack information
This feature is available in the latest service pack for Windows XP (SP2). For more information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack


Windows 2000 Update
To download this update for Windows 2000, visit the following Microsoft Web site to use the Microsoft Windows Update Catalog:

http://v4.windowsupdate.microsoft.com/catalog

Search for the ID number of this article by using the Advanced Search Options feature in the Windows Update Catalog. To do this, follow these steps:
 * 1) On the Microsoft Windows Update Web site, click Find updates for Microsoft Windows operating systems.
 * 2) Click to select your operating system and language, and then click Advanced Search.

Note You must select either Windows 2000 Professional Service Pack 3 or Windows 2000 Professional Service Pack 4. If you select a different operating system, the update is not returned in the search.
 * 3) In the Contains these words box, type 818043, and then click Search.

For more information about how to download updates from the Windows Update Catalog, click the following article number to view the article in the Microsoft Knowledge Base:

323166 How to download Windows updates and drivers from the Windows Update Catalog

Prerequisites
This update package is designed to be installed on computers that are running Windows 2000 with Service Pack 3 (SP3) or later versions.

Restart requirement
This update package requires that you restart your computer to enable the new IPsec features.

Update replacement information
This update does not replace any other updates.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

  Date         Time   Version        Size     File name
  18-Sep-2000  19:01  5.0.2195.1569   33,616  Fips.sys
  21-Apr-2003  15:19  5.0.2195.6738   80,848  Ipsec.sys
  21-Apr-2003  15:19  5.0.2195.6738   29,456  Ipsecmon.exe
  21-Apr-2003  15:21  5.0.2195.6738  390,928  Netdiag.exe
  01-May-2003  21:39  5.0.2195.6738  417,552  Oakley.dll
  01-May-2003  21:39  5.0.2195.6738   96,528  Polagent.dll
  01-May-2003  21:39  5.0.2195.6738  137,488  Polstore.dll
  01-May-2003  21:39  5.0.2195.6738   58,128  Rasman.dll
  01-May-2003  21:39  5.0.2195.6738  153,360  Rasmans.dll
  01-May-2003  21:39  5.0.2195.6738   54,032  Rastapi.dll
  21-Apr-2003  15:19  5.0.2195.6738   80,848  Ipsec.sys (56-bit)

<div class="references_section">