Information for the IT Community - Tweaks and Solutions for the Microsoft Windows Systems and Linux.

Jan 31, 2010

Allowing NAT-T for VPN on XP and Vista/Win7

After setting up everything regarding VPN on the ISA 2006 server I was not able to establish a VPN tunnel properly between an XP machine and the server.


The problem is related to NAT-T (IPsec NAT traversal) and how Windows handles IPsec traffic between the client and the server. It occurs when the ISA Server itself has no public IP address and sits behind a firewall that performs NAT between it and the Internet: by default the Windows L2TP/IPsec client will not establish IPsec security associations with a server it detects behind a NAT device, so the tunnel never comes up. Only IPsec-based connections (L2TP/IPsec) are affected; PPTP does not use NAT-T.


The solution is simple but low-level: it requires a registry change on every client (not on the ISA Server), followed by a restart.


For XP:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. In the New Value #1 box, type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
  5. Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
  6. In the Value Data box, type one of the following values:
    • 0 (default)
      A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind network address translators.
    • 1
      A value of 1 configures Windows so that it can establish security associations with servers that are located behind network address translators.
    • 2
      A value of 2 configures Windows so that it can establish security associations when both the server and the Windows XP SP2-based client computer are behind network address translators.
  7. Click OK, and then quit Registry Editor.
  8. Restart the computer.
(These steps were taken from MS KB818043. The value applies to Windows XP SP2 or later.)

For Vista/Win7:
  1. Log on to the Windows Vista client computer as a user who is a member of the Administrators group.
  2. Click Start, point to All Programs, click Accessories, click Run, type regedit, and then click OK. If the User Account Control dialog box is displayed on the screen and prompts you to elevate your administrator token, click Continue.
  3. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
  4. On the Edit menu, point to New, and then click DWORD (32-bit) Value.
  5. Type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
  6. Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
  7. In the Value Data box, type one of the following values:
    • 0
      A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
    • 1
      A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
    • 2
      A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.
  8. Click OK, and then exit Registry Editor.
  9. Restart the computer.
(These steps were taken from MS KB926179, which is written for Vista and Server 2008; Windows 7 uses the same PolicyAgent key and value.)

Note that the default of 0 is deliberate: both KB articles point out that NAT can cause IPsec traffic to reach an unexpected host when the server is behind a NAT device, and recommend giving the server a public IP address where possible. The registry change is the workaround for when that is not an option, as with the ISA Server here. Value 1 is enough when only the server is behind NAT; use 2 when the client (for example a laptop behind a home router) is behind NAT as well.
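The same change as a script, handy when many clients need it. This is an added example, not code from the original post or from either KB article. It assumes Windows PowerShell is available (built into Vista SP1 and Windows 7, a separate install on XP) and that it is run from an elevated prompt; the Value parameter, the elevation check and the OS-version test that picks the key (NT 5.x gets the IPsec key from KB818043, NT 6.x the PolicyAgent key from KB926179) are my own choices.

```powershell
# Added example: set AssumeUDPEncapsulationContextOnSendRule on an L2TP/IPsec VPN client
# so it will build IPsec SAs with a server that sits behind a NAT device.
# Run elevated. The value is only read at boot, so a restart is still required afterwards.
param(
    # 0 = default (refuse servers behind NAT), 1 = server behind NAT, 2 = server and client behind NAT
    [ValidateSet(0, 1, 2)]
    [int]$Value = 2
)

# Refuse to run without administrative rights; HKLM\SYSTEM is not writable otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'This script must be run from an elevated (Administrator) PowerShell prompt.'
}

# XP / Server 2003 (NT 5.x) keep the value under the IPsec service key (KB818043);
# Vista / Server 2008 / Windows 7 (NT 6.x) keep it under PolicyAgent (KB926179).
$osVersion = [Environment]::OSVersion.Version
if ($osVersion.Major -lt 6) {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPsec'
} else {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
}
$name = 'AssumeUDPEncapsulationContextOnSendRule'

# Show what is there now; an absent value behaves like 0.
$before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $before) { $before = '(not set, behaves as 0)' }
Write-Host ("{0}\{1} before: {2}" -f $key, $name, $before)

# Create or overwrite the DWORD (-Force replaces an existing value of any type).
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Value -Force | Out-Null

# Read it back so the change is verified rather than assumed.
$after = (Get-ItemProperty -Path $key -Name $name).$name
if ($after -ne $Value) {
    throw "Value readback failed: expected $Value, found $after"
}
Write-Host ("{0}\{1} after:  {2}  (restart the computer for it to take effect)" -f $key, $name, $after)
```

Run it as `.\Set-IPsecNatT.ps1 -Value 1` when only the server is behind NAT, or with the default of 2 when the client is behind a home router too. The "before" line also doubles as an audit: on a client that has not been touched it prints "(not set, behaves as 0)", so the same script run without the New-ItemProperty line can be used to inventory which machines already have the relaxed setting.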
