Comments on Steven M. Jordan: Fix Win NAT-T for L2TP and IKEv2
Feed author: Steven M. Jordan (http://www.blogger.com/profile/08808713004280066782)
Feed updated: 2024-01-02T04:24:12.450-06:00
Nine comments, newest first.


Steven M. Jordan, 2018-08-16T20:38:47-05:00

Oh man, I'm going to get a headache thinking about NLB and VPN servers! However, my crystal ball tells me that NAT-T works when NLB uses affinity.

If the VPN server has a public IP, or uses static NAT (i.e., it translates all source and destination traffic), IKEv2 negotiates via UDP port 500. Subsequent IKEv2 traffic uses IPSec ESP 50.

However, in your situation, both client and server are behind NAT firewalls. What's more, NLB is not going to handle ESP 50. The negotiation will detect NAT, and subsequent IKEv2 traffic uses UDP port 4500.

We've already established that NLB works with UDP. I vote thumbs up.


Anonymous, 2018-07-20T17:44:10-05:00

Does that mean enabling NAT-T on the server side will allow me to put IKEv2 servers behind a load balancer (which normally only works with TCP and UDP, not ESP)?


Steven M. Jordan, 2018-05-07T16:16:41-05:00

Carlo, sorry, that's not enough information to really help. There are two important things to be aware of:

1. Make sure all your servers and clients use the same cryptography settings:

http://www.stevenjordan.net/2016/09/harden-rras-ikev2.html

2. Make sure you have the correct ports open:

For L2TP:
IP Protocol Type=UDP, UDP Port Number=500 <- Used by IKEv1 (IPSec control path)
IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv1 (IPSec control path)
IP Protocol Type=ESP (value 50) <- Used by IPSec data path

https://blogs.technet.microsoft.com/rrasblog/2006/06/14/which-ports-to-unblock-for-vpn-traffic-to-pass-through/


Anonymous (carlo), 2018-02-19T08:34:38-06:00

I have a Windows 2012 R2 server (NAT installed). Now I am able to connect L2TP with my iPhone or laptop from anywhere. But I have a VPN router (TPlink 604W) which should set up the VPN connection from the router itself. It's working when I do it with PPTP, but it won't work with L2TP. The helpdesk of TPlink says this is possible, but what am I doing wrong?

Kind regards,

carlo


Anonymous (https://www.blogger.com/profile/07957949869127830349), 2018-01-24T14:44:01-06:00

FYI, you put "Parameters" in your post for the regpath.


Steven M. Jordan, 2016-11-23T17:18:17-06:00

I can confirm, it's how I have it configured on my VPN server. However, I looked into it a bit more. According to Microsoft:

(a) Windows Vista, Windows 2008, 2012:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

(b) Windows XP:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec

https://support.microsoft.com/en-us/kb/926179


Anonymous, 2016-11-22T02:32:57-06:00

Are you sure that you typed the registry path correctly?


Steven M. Jordan, 2016-11-21T17:45:06-06:00

Thanks for pointing that out. To be clear, this solution supports both L2TP/IPsec and IKEv2 VPNs. I should have stated that the article assumes the VPN server supports L2TP, IKEv2, and SSTP VPNs.

To your point, IKEv2 (generally) does not require NAT-T. IKEv2 uses NAT detection to determine remote topology. NAT initiates UDP encapsulation for all ESP and subsequent IKE traffic, unlike IKEv1 (i.e., L2TP/IPSec).

On the other hand, IKEv2 does support NAT-T (RFC 7296). Samir Jain, Microsoft Program Manager for RRAS, states that, "although NOT RECOMMENDED", the Microsoft IKEv2 VPN server can sit behind a NAT router:

(a) Use port redirection (e.g., VIP/PAT) or bi-directional NAT (e.g., MIP). This includes IKE packets (UDP port 500) and IPSec ESP packets (UDP port 4500) from the NAT router.

(b) Enable NAT-T for both Windows client and Windows VPN server. (Technet, 2009).

So should we enable NAT-T or not enable NAT-T on Windows IKEv2 VPN servers? The RFC indicates that NAT-T is optional. Microsoft does not (officially) recommend NAT-T; assign public IPs instead. Unofficial documentation indicates NAT-T is necessary for IKEv2 servers behind NAT routers.

The question we should ask ourselves is why doesn't Microsoft recommend NAT-T for their IPSec VPNs? Most Microsoft documentation warns of "unintended side effects". Really? Can someone from Microsoft please elaborate? I suspect the RRAS VPN does not fully conform to the IKEv2 RFC standards. Another possibility is that RRAS does not merit Microsoft's full support. Who buys Windows Server for its routing capabilities? To be sure, SSTP and DirectAccess are a big deal. Other than that, there haven't been a lot of RRAS innovations.

Thanks for the feedback. Cheers!

https://tools.ietf.org/html/rfc7296
https://blogs.technet.microsoft.com/rrasblog/2009/03/17/remote-access-design-guidelines-part-5-where-to-place-rras-server/


Anonymous, 2016-11-20T12:02:21-06:00

AssumeUDPEncapsulationContextOnSendRule is for L2TP, not for IKEv2.