IPSec ESP without authentication

FV

I've been trying to create an ipsec encrypted VPN tunnel using the win2k
built-in ipsec functionality.

The problem is that my clients are all behind a NAT device. This means I
can't use an Authentication Header. Win2k allows me not to use AH. But ESP
also includes authentication. I can't figure out how to disable it.

Am I looking for something that isn't supported?

Can anyone confirm that the win2k built-in ipsec functionality doesn't work
when using NAT? If so I can stop trying ;-)
 
Steven Umbach [MVP]

I know l2tp usually does not work with NAT because of what you mention
with AH, but using ESP may work. You can not disable authentication - it is
an integral security feature of ipsec, but you can use a preshared key
[basically a password] instead of kerberos or a certificate. --- Steve
 
David Beder [MSFT]

You pretty much are required to have authentication for either ipsec
protocol. However, the term authentication should not be confused with
Authentication:) The AH authentication option verifies that the packet
hasn't been adjusted, even in the source/dest section of the packet. The ESP
authentication option verifies that the data in the packet hasn't been
adjusted, but does not care about the source/dest section of the packet. A
commonly used synonym for this authentication is "integrity", however it's
probably not until later versions of Windows that the ipsec snap-in terms
were changed.

Regardless of which protocol you use, ipsec by its nature is in direct
conflict with nat. ipsec's job is to ensure no tampering with packets and
that what you get came from who you think it came from, while nat's job is
to tamper with them, masking the computer of origin.

If I may ask, what are you doing which causes you to need ipsec in tunnel
mode? Could L2TP/IPSec be used instead? If you can use L2TP/IPSec you can
probably just use the ipsec upgrade which allows NAT traversal (KB818043).
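The distinction drawn above (an AH integrity check covers the IP header, an ESP integrity check covers only the encapsulated payload) is the whole reason address-rewriting NAT breaks one and not the other. The script below is an added illustration, not code from the thread or from any Windows component: it models each check as an HMAC over the fields that scheme covers, passes a constructed packet through a plain router and through a NAT device, and reports which check still verifies at the far end. The packet dictionary, the demo key and the hop functions are simplifications for the demonstration; TTL is zeroed before the AH-style hash because AH treats it as a mutable field.

```python
import hmac
import hashlib
import ipaddress
import struct

# Constructed demo key; a real IPsec SA key is negotiated by IKE, never a literal.
DEMO_KEY = b"constructed-demo-integrity-key"


def _serialize_header(src, dst, ttl):
    """Pack the header fields an integrity check might cover.
    Only source, destination and TTL are modelled; enough to show the point."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!B", ttl))


def ah_icv(pkt, key=DEMO_KEY):
    """AH-style integrity check: covers the IP header and the payload.
    Fields a router legitimately changes in transit (here TTL) are 'mutable'
    and are zeroed before hashing, as AH itself does."""
    covered = _serialize_header(pkt["src"], pkt["dst"], ttl=0) + pkt["payload"]
    return hmac.new(key, covered, hashlib.sha256).digest()


def esp_icv(pkt, key=DEMO_KEY):
    """ESP-style integrity check: covers only the ESP payload, never the
    outer IP header, so the address fields are not part of what is verified."""
    return hmac.new(key, pkt["payload"], hashlib.sha256).digest()


def router_hop(pkt):
    """A plain router forwards the packet and decrements TTL."""
    return {**pkt, "ttl": pkt["ttl"] - 1}


def nat_hop(pkt, public_ip):
    """A NAT device forwards the packet, decrements TTL and rewrites the
    source address to its own public address."""
    return {**pkt, "ttl": pkt["ttl"] - 1, "src": public_ip}


def verify(pkt, icv, scheme):
    """Recompute the check on the received packet and compare in constant time."""
    return hmac.compare_digest(scheme(pkt), icv)


def simulate(pkt, hop):
    """Sender computes both ICVs on the original packet; the receiver checks
    them after one hop. Returns (ah_ok, esp_ok)."""
    ah = ah_icv(pkt)
    esp = esp_icv(pkt)
    received = hop(pkt)
    return verify(received, ah, ah_icv), verify(received, esp, esp_icv)


# Constructed sample packet: a home client on private address space
# sending to a server; addresses are documentation ranges.
SAMPLE = {"src": "192.168.1.10", "dst": "203.0.113.5", "ttl": 64,
          "payload": b"constructed ESP payload bytes"}


def demo():
    """Run the same packet through a router and through a NAT device."""
    return {
        "router": simulate(SAMPLE, router_hop),
        "nat": simulate(SAMPLE, lambda p: nat_hop(p, "198.51.100.7")),
    }


if __name__ == "__main__":
    for hop, (ah_ok, esp_ok) in demo().items():
        print(f"{hop:7s} AH ok={ah_ok}  ESP ok={esp_ok}")
```

Through the router both checks pass, because TTL is excluded from the AH hash; through the NAT the AH-style check fails while the ESP-style check still passes, since the rewritten source address was never covered. The model only shows address rewriting; it does not cover the separate problem that ESP carries no port numbers for a NAT to track, which is what the UDP encapsulation in the NAT traversal update referenced above addresses.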
 
FV

> hasn't been adjusted, even in the source/dest section of the packet. The ESP
> authentication option verifies that the data in the packet hasn't been
> adjusted, but does not care about the source/dest section of the packet.
> An

Didn't know that, thanks.

> If I may ask, what are you doing which causes you to need ipsec in tunnel
> mode? Could L2TP/IPSec be used instead? If you can use L2TP/IPSec you can
> probably just use the ipsec upgrade which allows NAT traversal (KB818043).

Actually I don't know the difference between ipsec in tunnel mode and
L2TP/IPSec :(

I want my clients to be able to log on to my win2k domain from home, using a
DSL connection with a NAT router. And of course I want them to have full
network connectivity. I think VPN offers that by definition. (Could be
ignorance though)

I have a 3rd party solution in place at the moment. It uses IPSec without
AH, IKE with a preshared key and 3DES encryption for ESP. It works, except
for breaking kerberos when using cached credentials. The VPN client doesn't
allow "Log on using dial-up networking" and it has several other annoying
issues. (Like client not receiving dhcp address every once in a while)

So I thought I'd give the built-in ipsec client a try.

L2TP/IPSec is an option for me I think. But it didn't work so far. I'll go
have a look at this KB entry, thanks.
 
