WinXP IPSec


alex

Hi

I have an XP box (NAT-T update installed) behind a NAT (FreeBSD
4.8) and am trying to establish an IPSec session with a Win2003
Server (WinXP-->NAT-->Win2003). It seems that the SA is
established (according to the event log and IPSec monitor) but
no application-level protocol (RDP, SMB) works. Any
suggestions?

Thanks in advance.
Alex
 
It's not NAT-T that gives this ability on its own; the NAT itself must
support and be set up for NAT-T. Setting up the NAT server may require some
configuration. As your NAT is FreeBSD, I cannot comment on how it
implements or supports NAT-T.
--
Curtis Koenig
Support Engineer
Product Support Services, Security Team
MCSE, MCSES, CISSP

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit. Thanks!

--------------------
 
Yes, that's OK, but in my case the config is

winxp-->nat-->...-->win2003

so the only NAT (a dynamic one, or PAT) is doing port (and
UDP address) translation, and there is no other NAT before
Win2003.
The UDP-encapsulated ESP packet from WinXP comes to the NAT (PAT),
the address is changed to the external one and the UDP port is changed
to another (external) port, and the packet goes out (to
Win2003); then the reply comes back to that socket and the NAT
performs the reverse translation, sending the packet back to WinXP.
What config are you talking about? AFAIK one of the goals of
inventing NAT-T was to exclude any NAT config. Thanks.
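The translation Alex describes, modelled as an added example that is not part of the original thread: a small port/address translator (PAT) rewrites only the outer IP address and UDP port of a NAT-T datagram on the way out, keeps a mapping, and reverses it for the reply. The UDP/4500 payload formats checked by `classify_natt_payload` are the ones RFC 3948 defines (an ESP header starting with a non-zero SPI, a four-byte zero "non-ESP marker" in front of IKE, and a single 0xFF byte as a NAT keepalive). All IP addresses, ports, SPIs and ciphertext bytes are constructed sample values; `PortAddressTranslator` and `round_trip` are names assumed for this illustration, not any OS or FreeBSD API.

```python
"""Model of NAT-T (RFC 3948) traffic crossing a PAT. Added example; all values constructed."""
import struct
from dataclasses import dataclass

NAT_T_PORT = 4500          # UDP port used for IKE and UDP-encapsulated ESP after NAT detection


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes         # the UDP payload; the PAT never touches this


def classify_natt_payload(payload: bytes):
    """Classify a UDP/4500 payload per RFC 3948.

    Returns ("keepalive", None), ("ike", None) or ("esp", spi).
    """
    if payload == b"\xff":                       # one-byte NAT keepalive
        return ("keepalive", None)
    if len(payload) < 4:
        raise ValueError("truncated NAT-T payload")
    spi = struct.unpack("!I", payload[:4])[0]
    if spi == 0:                                 # 4-byte non-ESP marker precedes an IKE message
        return ("ike", None)
    if len(payload) < 8:                         # ESP needs SPI + sequence number at least
        raise ValueError("truncated ESP header")
    return ("esp", spi)


def udp_encapsulate_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Build the UDP payload of an ESP packet: SPI, sequence number, then the encrypted body."""
    return struct.pack("!II", spi, seq) + ciphertext


class PortAddressTranslator:
    """Minimal PAT (hypothetical helper): one external IP, per-flow external ports."""

    def __init__(self, external_ip: str, first_port: int = 61000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.outbound = {}   # (in_ip, in_port, dst_ip, dst_port) -> external port
        self.inbound = {}    # (external port, peer_ip, peer_port) -> (in_ip, in_port)

    def translate_out(self, pkt: Packet) -> Packet:
        """Rewrite source IP/port of an inside-to-outside packet and record the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.outbound.get(key)
        if ext_port is None:
            ext_port = self.next_port
            self.next_port += 1
            self.outbound[key] = ext_port
            self.inbound[(ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def translate_in(self, pkt: Packet):
        """Reverse-translate a reply; unsolicited packets (no mapping) are dropped (None)."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.inbound:
            return None
        in_ip, in_port = self.inbound[key]
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.payload)


def round_trip() -> dict:
    """Send one ESP packet out through the PAT and bring the server's reply back."""
    nat = PortAddressTranslator("203.0.113.1")               # constructed external address
    esp_out = udp_encapsulate_esp(0x1234ABCD, 1, b"constructed-ciphertext")
    inside = Packet("192.168.1.10", NAT_T_PORT, "198.51.100.5", NAT_T_PORT, esp_out)
    on_wire = nat.translate_out(inside)
    # The server answers under its own outbound SPI, addressed to the translated socket.
    reply_wire = Packet("198.51.100.5", NAT_T_PORT, on_wire.src_ip, on_wire.src_port,
                        udp_encapsulate_esp(0x9ABC0001, 1, b"constructed-reply"))
    reply_inside = nat.translate_in(reply_wire)
    return {
        "wire_src": (on_wire.src_ip, on_wire.src_port),
        "payload_unchanged": on_wire.payload == inside.payload,
        "outbound": classify_natt_payload(on_wire.payload),
        "reply": classify_natt_payload(reply_inside.payload),
        "reply_delivered_to": (reply_inside.dst_ip, reply_inside.dst_port),
    }


if __name__ == "__main__":
    for k, v in round_trip().items():
        print(f"{k}: {v}")
```

The point the model makes visible is that the PAT rewrites only the outer UDP socket and that the SPI, sequence number and ciphertext inside the UDP payload reach the other side unchanged; a packet arriving from outside with no recorded mapping is dropped, which is the behaviour a defender expects from a stateful PAT and the reason the client keeps the mapping alive with keepalives.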
 
There are two components to NAT-T: a server component and a client component.
You already indicated that you installed the client component on your
Windows XP box. However, the server (the NAT) itself also has to have a
NAT-T component. If your NAT were Windows 2003 you would have to install
the server NAT-T component and configure it. It is not enough to install
the client component and expect it to work. In this case your NAT server is
a 3rd party, and it has to support NAT-T and may have a configuration
setting I am unaware of.

The reason for this is that if the Server NAT-T component is not installed
or configured properly it will continue to alter packets in a way that is
inconsistent with IPSec. The Client NAT-T component allows a client to now
deal with the way the Server NAT-T component changes the packets so it will
accept them.
--
Curtis Koenig
Support Engineer
Product Support Services, Security Team
MCSE, MCSES, CISSP

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit. Thanks!

--------------------
 