IPSec Enhancements for Windows XP and Win2K

Many of us implement Network Address Translation (NAT) on firewalls and routers as the first line of defense in protecting internal systems. When NAT is active and a user connects to a system on the Internet, the firewall or router repackages the request so that the client system remains anonymous. In technical terms, the NAT device remembers the address of the system making the request and the destination address. The NAT device then replaces the original client address with its own address (or one of a range of preconfigured addresses) and forwards the request to the destination machine. When the destination system responds, the NAT device determines which client should receive the response, rewrites the packet so that it contains the client's real address, and sends the response to the client. By masking the addresses of all systems on your internal network and preventing direct connections between a local system and an unknown system on the Internet, NAT technology reduces the exposure and vulnerability of your internal systems. The combination of Layer Two Tunneling Protocol (L2TP) and IP Security (IPSec) offers an even more secure method of communication. Unlike NAT, which simply rewrites packets with a different source or destination address, L2TP/IPSec connections are encrypted and governed by an IPSec policy that requires the endpoints to authenticate each other with a shared password or certificate. Until recently, Microsoft platforms didn't support the use of L2TP connections in combination with NAT. To improve the interoperability of Windows XP and Windows 2000 systems with Windows Server 2003 systems, Microsoft recently released an update for XP and Win2K platforms that lets clients create secure IPSec connections to a Windows 2003 server when the clients are behind a firewall or router running NAT.
In real-world terms, this functionality lets clients on your internal network create secure, encrypted connections to systems on the Internet, while remaining anonymous to any systems between the firewall and the destination machine.

The documentation doesn't state whether this new feature works with Win2K servers that accept L2TP connections, but it seems logical to assume that the enhancements work with both Windows 2003 and Win2K. Aside from that missing information, here are a few important facts about this upgrade.
• The method for implementing L2TP connections behind a firewall is governed by two Internet Engineering Task Force (IETF) specifications: Request for Comments (RFC) 3193 and a draft (not the final version) of the IETF NAT-T specification. These two standards define how NAT and L2TP interoperate.
• The L2TP/IPSec upgrade introduces a stronger, 2048-bit encryption algorithm, which lets XP and Win2K systems negotiate the most secure connections with Windows 2003 servers. Note: You need to make the following registry edit on Windows 2003 servers to enable use of this algorithm. Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters registry subkey, and add the entry NegotiateDH2048 (of type REG_DWORD) with a value of 1. I suspect you need to restart RRAS to activate this change.
• The release upgrades the IPSecmon utility that monitors active IPSec connections in real time. The new version lets you track NAT-based L2TP connections for Windows 2003 and XP systems but not Win2K clients.
• The upgraded IPSec monitor might not display features specific to the Windows 2003 IPSec policy correctly. According to the documentation, the snap-in will display the DH2048 group as 268435457 and won't display dynamic filter names such as WINS and DHCP.
• The upgrade improves the XP support utility IPSeccmd so that it dynamically turns on and off Internet Key Exchange (IKE) logging, displays data about the currently assigned policy, and lets you define a permanent IPSec policy. If this utility is already present on an XP system when you install the L2TP/NAT enhancement, setup automatically upgrades IPSeccmd to the new version. The original IPSeccmd utility won't work on upgraded systems.
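The registry edit described above for Windows 2003 servers, as an added PowerShell example that is not part of the original article: it checks the current value, sets NegotiateDH2048 to 1 only if needed, reads it back to confirm, and restarts RRAS (service name RemoteAccess), which the article suspects is required. It assumes an elevated session on the server.

```powershell
# Added example: enable the 2048-bit Diffie-Hellman group for L2TP/IPSec on a Windows 2003 RRAS server.
# Subkey and value name are taken from the article; run from an elevated PowerShell session on the server.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
$name    = 'NegotiateDH2048'

if (-not (Test-Path $keyPath)) {
    throw "RasMan Parameters subkey not found at $keyPath; is RRAS installed on this server?"
}

# Read the existing value, if any, so the script is safe to run repeatedly.
$current = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
if ($current -eq 1) {
    Write-Host "$name is already 1; no change made."
} else {
    # REG_DWORD corresponds to the DWord property type; -Force overwrites an existing value.
    New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    $was = if ($null -eq $current) { '<absent>' } else { $current }
    Write-Host "Set $name = 1 (previous value: $was)."
}

# Verify what is actually stored before touching the service.
$check = (Get-ItemProperty -Path $keyPath -Name $name).$name
if ($check -ne 1) { throw "Verification failed: $name reads back as $check" }

# The article suspects RRAS must be restarted for the setting to take effect.
# Restarting RemoteAccess drops every active VPN session, so schedule this in a maintenance window.
Restart-Service -Name RemoteAccess -Force
Get-Service -Name RemoteAccess | Select-Object Name, Status
```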

You can install this enhancement on XP Service Pack 1 (SP1) and Win2K systems interactively at Windows Update (http://windowsupdate.microsoft.com). Microsoft officially posted it as a Recommended Update on May 28, 2003; the related Microsoft article is "L2TP/IPSec NAT-T Update for Windows XP and Windows 2000" (http://support.microsoft.com/?kbid=818043). If you prefer to download the software and test it before deploying it, click the Windows Update Catalog link, select the OS, and use NAT as a search string. (Windows Update didn't locate this patch when I used 818043 as a search string.) Reboot the system to ensure all system files are replaced. To remove the update, open the Control Panel Add/Remove Programs applet, highlight Windows 2000 Hotfix (SP5) Q818043, and click Remove. If you plan to upgrade clients to use this new feature, you need to open the following ports on the NAT devices at both ends of the L2TP connection.
• The L2TP portion of the connection requires UDP Port 500 and UDP Port 1701.
• The NAT-T portion of the connection uses UDP Port 4500.
• The ESP encryption portion of the connection uses TCP Port 50.

If you have trouble making L2TP connections after you configure firewalls at both ends, you might have an intermediary firewall at your ISP or Telco provider that's preventing the connection. You might need to ask your ISP to enable traffic on these ports.
