
Problem:  

Windows 2012 RRAS IPsec VPN does not support NAT-T out of the box.  By default, RRAS only works with public IP addresses, with no NAT in the path.  Windows 10 clients cannot connect with L2TP from outside the office.  Windows 2016 does not support L2TP for any client behind a router running NAT.

Solution:  

Enable NAT-T on both the Windows servers and the clients.  NAT-T lets the VPN server serve clients (e.g., Windows 10, Android, Apple iOS) from behind the NAT device.  Then adjust the MTU.

Background

Why NAT-T? 

IPsec uses Encapsulating Security Payload (ESP) to encrypt packet headers and payloads.  By default, ESP is not compatible with Port Address Translation (PAT), because PAT relies on port numbers and ESP has none.

TCP and ESP are different Internet protocols.  TCP is IP protocol number 6.  N.B., TCP protocol number 6 is not the same thing as TCP port 6.  TCP ports are communication endpoints within the protocol; for example, TCP port 80 carries web traffic.

ESP is IP protocol (i.e., not port) number 50, and it is a protocol without ports.  Network Address Translation (NAT) uses port translation (PAT) to map traffic flows to internal hosts.  Therefore, ESP does not work through NAT.

NAT-T allows ESP to work from behind NAT.  It encapsulates ESP (protocol 50) inside User Datagram Protocol (UDP) on port 4500.  N.B., NAT-T is not the same as IPsec over UDP.
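To make the PAT argument above concrete, here is a toy model of a NAT translation table (added example, not from the original post). Two inside clients behind one NAT start sessions to the same VPN server; the model counts how many of them the NAT can still deliver return traffic to when the flows are bare ESP versus ESP wrapped in UDP 4500. All addresses are constructed.

```powershell
# Added example, not from the original post: a toy PAT table showing why
# bare ESP (IP protocol 50) cannot be multiplexed by a NAT device, while
# ESP encapsulated in UDP 4500 (NAT-T) can. Addresses are constructed.
$vpnServer = '198.51.100.20'   # constructed: the RRAS server's public address

function Invoke-PatOutbound {
    # Records one outbound flow in $Table and returns the key the NAT will
    # use to match the server's return traffic (what it can see in the
    # reply: protocol, remote address and, if present, destination port).
    param([hashtable]$Table, [string]$Proto, [string]$SrcIp, [int]$SrcPort, [string]$DstIp)
    if ($Proto -eq 'UDP') {
        # UDP has a source port for PAT to rewrite, so each inside flow gets
        # its own external port and replies map back unambiguously.
        $extPort = 40000 + $Table.Count
        $Table["UDP|$DstIp|$extPort"] = "${SrcIp}:$SrcPort"
        return "UDP|$DstIp|$extPort"
    }
    # ESP has no port field. The only header fields PAT can key a reply on
    # are (protocol, remote server), which are identical for every inside
    # host talking to the same VPN server, so only the first host is bound.
    $key = "ESP|$DstIp"
    if (-not $Table.ContainsKey($key)) { $Table[$key] = $SrcIp }
    return $key
}

function Measure-ReachableHosts {
    # Two inside clients open sessions to the same server; count how many
    # distinct inside hosts the NAT can still deliver replies to.
    param([string]$Proto)
    $table = @{}
    $insideHosts = '10.0.0.11', '10.0.0.12'   # constructed: two clients behind one NAT
    $returnKeys = foreach ($h in $insideHosts) {
        Invoke-PatOutbound -Table $table -Proto $Proto -SrcIp $h -SrcPort 4500 -DstIp $vpnServer
    }
    @($returnKeys | ForEach-Object { $table[$_] } | Sort-Object -Unique).Count
}

"Bare ESP (protocol 50):  $(Measure-ReachableHosts -Proto 'ESP') of 2 clients reachable"
"NAT-T (ESP in UDP 4500): $(Measure-ReachableHosts -Proto 'UDP') of 2 clients reachable"
```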

Enable NAT-T

NAT-T is enabled by default on most operating systems (e.g., Android); Windows is the exception.  Fortunately, we can enable NAT-T on Windows 10 and Windows 2012 with a few simple changes.

Windows IPsec clients are supposed to work from any location.  Therefore, only enable NAT-T on the 2012 RRAS server.  

Create a new registry value to enable NAT-T.

  1.   Edit the Registry (or create a GPO) at:

                         HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Parameters\

  2.   Create a new DWORD value:   AssumeUDPEncapsulationContextOnSendRule

  3.   Set the DWORD value to:  2

These changes will fix those pesky L2TP-over-NAT problems.
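The registry steps above, as a re-runnable PowerShell function that applies the value and reads it back (added example, not from the original post; run from an elevated session on the RRAS server). Note that the post's step 1 ends in \Parameters, whereas this example uses the parent PolicyAgent key, which is the path Microsoft documents for Windows 2012 as quoted in the comments below; the value meanings 0, 1 and 2 are taken from the Microsoft KB cited there, and a restart is required for the change to take effect.

```powershell
# Added example, not from the original post: set the NAT-T registry value
# from the steps above and verify it. Key path per Microsoft's KB 926179
# (quoted in the comments) for Windows Vista / 2008 / 2012.
function Set-NatTraversalContext {
    [CmdletBinding()]
    param(
        # Values per KB 926179: 0 = no SAs with servers behind NAT,
        # 1 = server behind NAT, 2 = server and client both behind NAT
        # (2 is the value this post uses).
        [ValidateSet(0, 1, 2)]
        [int]$Value = 2
    )
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    $name = 'AssumeUDPEncapsulationContextOnSendRule'

    if (-not (Test-Path -Path $path)) {
        throw "IPsec Policy Agent key not found at $path"
    }

    # Read the existing value (if any) so the change is reported and the
    # function is safe to re-run, e.g. from a compliance script.
    $before = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    $previous = if ($null -eq $before) { '<absent>' } else { $before }

    if ($null -ne $before -and $before -eq $Value) {
        Write-Verbose "$name is already $Value; nothing to do"
    } else {
        # -Force overwrites an existing value; DWord matches step 2 above.
        New-ItemProperty -Path $path -Name $name -Value $Value -PropertyType DWord -Force | Out-Null
    }

    # Read back rather than trusting the write.
    $after = (Get-ItemProperty -Path $path -Name $name).$name
    if ($after -ne $Value) { throw "$name reads $after after write, expected $Value" }

    [pscustomobject]@{
        Path         = $path
        Name         = $name
        Previous     = $previous
        Current      = $after
        # KB 926179: the computer must be restarted for a new value to apply.
        RebootNeeded = ($before -ne $after)
    }
}

Set-NatTraversalContext -Value 2 -Verbose
```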

Troubleshooting Issues

Make sure clients run the latest version of Windows 10.  Early versions had quirks where clients simply would not connect via NAT-T.

NAT-T does not work with the following versions:

  • version 10240
  • version 1511 (i.e., November Update)

Unconfirmed (may or may not work):

  • version 1607 (i.e., Anniversary Update)

Confirmed:

  • version 1703 (i.e., Creators Update)

NAT-T works great with the registry fix and the Creators Update.

Workarounds:

Some folks had to toggle the NAT-T registry value in order to connect (http://bit.ly/2r2CKnF).  I assume this fix was for the November or Anniversary Update.  

MTU

Don't forget to adjust the Maximum Segment Size (MSS):
http://www.stevenjordan.net/2016/11/windows-ikev2-mtu.html

That's It!

About Steven Jordan

Steven Jordan is an infrastructure and process management specialist. Steven holds a Master of Science degree in ICT from the University of Wisconsin Stout. Steven is also a Cisco Certified Network Professional (CCNP) and Master Gardener.

4 comments:

  1. AssumeUDPEncapsulationContextOnSendRule is for L2TP, not for IKEv2

    1. Thanks for pointing that out. To be clear, this solution supports both L2TP/IPsec and IKEv2 VPNs. I should have stated that the article assumes the VPN server supports L2TP, IKEv2, and SSTP VPNs.

      To your point, IKEv2 (generally) does not require NAT-T. IKEv2 uses NAT detection to determine remote topology. NAT initiates UDP encapsulation for all ESP and subsequent IKE traffic, unlike IKEv1 (i.e., L2TP/IPsec).

      On the other hand, IKEv2 does support NAT-T (RFC 7296). Samir Jain, Microsoft Program Manager for RRAS, states that, "although NOT RECOMMENDED", the Microsoft IKEv2 VPN server can sit behind a NAT router:

      (a) Use port redirection (e.g., VIP/PAT) or bi-directional NAT (e.g., MIP). This includes IKE packets (UDP port 500) and IPSec ESP packets (UDP port 4500) from the NAT router.

      (b) Enable NAT-T for both Windows client and Windows VPN server. (Technet, 2009).

      So should we enable NAT-T or not enable NAT-T on Windows IKEv2 VPN servers? The RFC indicates that NAT-T is optional. Microsoft does not (officially) recommend NAT-T; assign public IPs instead. Unofficial documentation indicates NAT-T is necessary for IKEv2 servers behind NAT routers.

      The question we should ask ourselves is why doesn't Microsoft recommend NAT-T for their IPsec VPNs? Most Microsoft documentation warns of "unintended side effects". Really? Can someone from Microsoft please elaborate? I suspect the RRAS VPN does not fully conform to IKEv2 RFC standards. Another possibility is that RRAS does not merit Microsoft's full support. Who buys Windows Server for its routing capabilities? To be sure, SSTP and DirectAccess are a big deal. Other than that, there haven't been a lot of RRAS innovations.

      Thanks for the feedback. Cheers!

      https://tools.ietf.org/html/rfc7296
      https://blogs.technet.microsoft.com/rrasblog/2009/03/17/remote-access-design-guidelines-part-5-where-to-place-rras-server/

  2. Are you sure that you typed the registry path correctly?

    1. I can confirm; it's how I have it configured on my VPN server. However, I looked into it a bit more. According to Microsoft:

      (a) Windows Vista, Windows 2008, 2012:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

      (b) Windows XP:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec

      https://support.microsoft.com/en-us/kb/926179
