Fix Win NAT-T for L2TP and IKEv2
Problem:
Windows Server 2012 RRAS IPsec VPN does not support NAT-T for a server behind a NAT device out of the box. By default, RRAS only establishes IPsec security associations with clients when the server sits on a public IP address, with no NAT in front of it. The symptoms: Windows 10 clients cannot connect with L2TP/IPsec from outside the office, and a Windows Server 2016 RRAS server behind a router running NAT cannot accept L2TP from any client.
Solution:
Enable NAT-T on the Windows servers and on the Windows clients with a registry change. With NAT-T the
VPN server can serve clients (e.g., Windows 10, Android, Apple iOS) that sit behind a NAT device, and the server itself can sit behind one. Then lower the MTU to fit the extra encapsulation.
Background:
Why NAT-T?
IPsec uses Encapsulating Security Payload (ESP) to encrypt the payload of each packet (and, in tunnel mode, the original IP header); the outer IP header stays in the clear so routers can forward it. By default, ESP is not compatible with Port Address Translation (PAT). PAT shares one public address among many inside hosts by rewriting TCP and UDP port numbers, and ESP has no ports to rewrite.
TCP and ESP are different IP protocols. TCP is IP protocol number 6; ESP is IP protocol number 50. N.B., IP protocol number 6 is not the same thing as TCP port 6. Ports are communication endpoints inside TCP or UDP. For
example, TCP uses port 80 for web traffic.
NAT-T (RFC 3947 and RFC 3948) allows ESP to
work from behind NAT. It encapsulates each
ESP (protocol 50) packet inside a User Datagram Protocol (UDP) datagram on port 4500, which gives the NAT device a UDP port to translate. IKE starts on UDP 500 and moves to UDP 4500 as soon as both peers detect a NAT on the path. N.B., NAT-T is not the same as a vendor's proprietary "IPsec over UDP" encapsulation, such as Cisco's on UDP 10000.
Enable NAT-T
NAT-T is negotiated automatically on most operating systems (e.g., Android, iOS); Windows is the exception. Windows does use NAT-T when only the client is behind NAT, but by default it refuses to build IPsec security associations to a server that is itself behind a NAT device. Fortunately, we can enable this on Windows 10 and Windows Server 2012 with one registry value.
Set the value on the 2012 RRAS server first. Windows IPsec clients are supposed to work from any location, so only touch a client if it still cannot connect afterwards; the same value applies there. Also make sure the NAT device in front of the server forwards UDP 500 and UDP 4500 to the RRAS
server.
Create a new
registry value to enable NAT-T.
- Edit the registry directly, or push it with a GPO (Group Policy Preferences, Registry item):
HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent
- Create a new DWORD (32-bit) value: AssumeUDPEncapsulationContextOnSendRule
- Set the DWORD value to 2 (0 is the default and blocks NAT-T to a server behind NAT; 1 allows a server behind NAT; 2 allows both the server and the client to be behind NAT)
- Reboot. The policy agent only reads this value at startup, so restarting the service is not enough.
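The registry steps above, as an added PowerShell example (not code from the original post). It writes the value, reads it back to verify, and checks that the server is actually listening on the NAT-T ports. Run it in an elevated prompt on the RRAS server (and on a Windows client that still cannot connect). The Mode parameter default of 2 and the port check are assumptions about your setup; the registry path and value name are Microsoft's.

```powershell
# Added example: enable NAT-T for a VPN server behind NAT by setting
# AssumeUDPEncapsulationContextOnSendRule. Requires an elevated PowerShell
# and a reboot afterwards.
#
# Value meanings:
#   0 = default, no IPsec SAs to a server behind NAT
#   1 = allow SAs to a server behind NAT
#   2 = allow SAs when both the server and the client are behind NAT
param(
    [ValidateSet(0, 1, 2)]
    [int]$Mode = 2            # assumed: both ends may be behind NAT
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'

# The PolicyAgent key exists on a normal install; create it only if missing.
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Record the current setting so the change is visible in the console.
$before = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $before) { $before = '<not set>' }

# Write the DWORD; Set-ItemProperty creates the value if it does not exist yet.
Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Mode -Type DWord

# Read it back and fail loudly if the write did not stick.
$after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($after -ne $Mode) { throw "Failed to set $ValueName (read back $after)" }
Write-Host "$ValueName : $before -> $after"

# On the RRAS server, confirm IKE (UDP 500) and NAT-T (UDP 4500) are bound.
# If either is missing, the NAT device has nothing to forward to.
$listening = Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LocalPort -Unique
foreach ($port in 500, 4500) {
    if ($listening -contains $port) {
        Write-Host "UDP $port is listening"
    } else {
        Write-Warning "UDP $port is NOT listening; check the RRAS service"
    }
}

# The policy agent reads the value at boot; a service restart is not enough.
Write-Warning "Reboot required for the change to take effect: Restart-Computer -Force"
```

To deploy the same value by GPO instead, create a Registry item under Computer Configuration > Preferences > Windows Settings > Registry with the path, name and DWORD value used in the script; the reboot requirement is the same.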
These changes fix the pesky L2TP-behind-NAT problem.
Troubleshooting Issues
Make sure clients run a current build of Windows 10. Early builds had quirks where clients simply would not connect via NAT-T. NAT-T did not work on the following releases:
- build 10240 (i.e., the initial July 2015 release)
- version 1511 (i.e., the November Update)
- version 1607 (i.e., the Anniversary Update)
- version 1703 (i.e., the Creators Update)
Workarounds:
Some folks had to toggle the NAT-T registry value in order to connect (http://bit.ly/2r2CKnF). I assume this fix was for the November or Anniversary Update.
MTU
Don't forget to lower the MTU so the TCP Maximum Segment Size (MSS) fits inside the tunnel: the extra UDP, ESP, L2TP and PPP headers eat into a 1500-byte Ethernet frame, and full-size packets get fragmented or silently dropped. Details: http://www.stevenjordan.net/2016/11/windows-ikev2-mtu.html.
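As an added example (not code from the original post or the linked one), this lowers the MTU of the VPN interface on Windows and verifies the path. Windows has no direct MSS knob: TCP derives the MSS from the interface MTU (MTU minus 40 bytes of IPv4 and TCP headers), so lowering the MTU lowers the MSS. The interface alias, the 1400-byte MTU and the probe address are assumptions; take the real value from the linked post.

```powershell
# Added example: lower the MTU on the VPN interface so TCP segments fit inside
# the NAT-T/ESP/L2TP encapsulation. Run elevated.
param(
    [string]$InterfaceAlias = 'RAS (Dial In) Interface',   # assumed alias; pick yours from the table below
    [int]$Mtu   = 1400,                                     # assumed value; tune for your path
    [string]$Probe = '8.8.8.8'                              # assumed reachable host for the DF ping
)

# List every IPv4 interface with its current MTU so the right alias is easy to find.
Get-NetIPInterface -AddressFamily IPv4 |
    Select-Object InterfaceAlias, NlMtu |
    Format-Table -AutoSize

$iface = Get-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue
if (-not $iface) { throw "Interface '$InterfaceAlias' not found; pick an alias from the list above" }

# Set the MTU persistently (netsh's store=persistent survives reboots).
netsh interface ipv4 set subinterface "$InterfaceAlias" mtu=$Mtu store=persistent
if ($LASTEXITCODE -ne 0) { throw "netsh failed to set the MTU on '$InterfaceAlias'" }

# Read it back and report the MSS this implies for TCP over IPv4.
$new = (Get-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).NlMtu
Write-Host "MTU on '$InterfaceAlias' is now $new bytes (TCP MSS $($new - 40))"

# Path check: a Don't-Fragment ping of MTU minus 28 bytes (IP + ICMP headers)
# must succeed; if it reports "needs to be fragmented", the MTU is still too large.
ping -f -l ($Mtu - 28) -n 2 $Probe
```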
That's It!