VPN Clients are unable to connect to the server with L2TP/IPSEC

Problem: VPN Clients using L2TP/IPSEC may experience issues connecting to the VPN server.

Cause: This may be the result of the VPN server being located behind a NAT device or other firewall.

The default behaviour of L2TP/IPSEC within Windows XP changed in SP2 to be more secure. As a result, Windows XP SP2 clients can no longer connect to a VPN server that is placed behind a NAT device.

Workaround: To work around the issue, a registry value can be changed on the VPN client to restore the pre-SP2 behaviour. This change requires administrator rights to implement and also lowers the security of L2TP/IPSEC to a level similar to that of PPTP.

For details on the required registry key changes, see the following Microsoft KB article: http://support.microsoft.com/kb/885407
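As an added example (not part of the original article), the following PowerShell audits a client for the registry override that the KB article above describes and removes it to restore the default. The key path and value name are taken from that KB article rather than from this page and are assumptions here; the functions are hypothetical helper names.

```powershell
# Added example, not from the original article.
# Assumption: on Windows XP SP2 the NAT-T behaviour is controlled by the DWORD
# AssumeUDPEncapsulationContextOnSendRule under the IPSec service key, as
# documented in the referenced KB 885407 (not stated on this page).
$IpsecKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'

# Meaning of each value, as documented in KB 885407.
$Meaning = @{
    0 = 'Default (secure): a VPN server behind a NAT device is not accepted'
    1 = 'Weakened: a VPN server behind a NAT device is accepted'
    2 = 'Weakened: both client and server behind NAT devices are accepted'
}

function Get-NatTPolicy {
    # Reports the current setting; a missing value means the SP2 default (0).
    $item  = Get-ItemProperty -Path $IpsecKey -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 0 } else { [int]$item.$ValueName }
    $text  = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { 'Unknown value' }
    New-Object PSObject -Property @{
        Value    = $value
        Present  = ($null -ne $item)
        Weakened = ($value -ne 0)
        Meaning  = $text
    }
}

function Reset-NatTPolicy {
    # Removes the override so the client reverts to the SP2 default.
    # Requires administrator rights; a restart is needed for it to take effect.
    if (Get-ItemProperty -Path $IpsecKey -Name $ValueName -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $IpsecKey -Name $ValueName
    }
}

$state = Get-NatTPolicy
Write-Output ('{0} = {1}: {2}' -f $ValueName, $state.Value, $state.Meaning)
if ($state.Weakened) {
    Write-Warning 'This client accepts a VPN server behind NAT; run Reset-NatTPolicy to restore the default.'
}
```

Run Get-NatTPolicy across managed clients to find machines where the workaround was applied and never reverted after the server-side fix described below.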

Solution: To resolve the issue without changing the client configuration, or lowering the security of L2TP/IPSEC, remove the NAT connection between the Internet and the VPN server. To do this either:

  • Connect the external interface of the VPN Server directly to the Internet with an Internet IP address - only recommended when ISA Server is used.
  • Change the perimeter firewall to ROUTE instead of NAT traffic to the VPN server. The VPN server will still require an Internet routable IP address.

More information: L2TP/IPSEC is designed to identify both ends of the VPN tunnel, which is typically done via certificates or at least with a pre-shared key (less secure). The VPN tunnel is then established between the machines based on their IP address information. However, if the VPN server is behind a NAT device, the server's actual IP address cannot be used as part of the tunnel security, as it is a private address.

As a result of this, NAT-T was introduced to cater for L2TP/IPSEC connectivity over a NAT device. It is not recommended to "hide" the VPN server behind a NAT device, as the VPN client cannot be sure that it is connecting to the real VPN server. NAT-T is still very useful when the VPN client is located behind a NAT device, as the client is still able to positively identify the VPN server.

For further details regarding how NAT-T functions in Windows, refer to the following Microsoft KB article: http://support.microsoft.com/kb/885348
