Network address translation (NAT) is a widely used technology that enables more than one computer to share a single public IP address. A network address translator maps the private addresses that are used on the following private network ranges to public IP addresses that are routable on the Internet:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
If you put a server behind a network address translator, you may experience connection problems, because clients that connect to the server over the Internet require a public IP address to reach it. To reach servers that are located behind network address translators from the Internet, static mappings must be configured on the network address translator. For example, to reach a Windows Server 2003-based computer that is behind a network address translator from the Internet, configure the network address translator with the following static mappings:
- Public IP address/UDP port 500 to the server's private IP address/UDP port 500.
- Public IP address/UDP port 4500 to the server's private IP address/UDP port 4500.
These mappings are required so that all Internet Key Exchange (IKE) and IPSec NAT-T traffic that is sent to the public address of the network address translator is automatically translated and forwarded to the Windows Server 2003-based computer.
However, if you have a Windows Server 2003-based VPN server, we recommend that you assign a public IP address to the VPN server instead of placing it behind a network address translator. By assigning a public IP address to the VPN server, you avoid situations where IP traffic is either lost or forwarded to the wrong computer because of typical network address translator behavior.
Windows XP SP2 does not support establishing IPSec NAT-T security associations to servers behind NAT devices
We have changed the default behavior of IPSec NAT-T in Windows XP Service Pack 2 (SP2). Windows XP SP2 does not support an IPSec NAT-T security association to a server that is located behind a device or component that performs network address translation. This change has been made to avoid a perceived security risk in the following situation:
- A network address translator is configured to map IKE and IPSec NAT-T traffic to a server on the NAT-configured network. (This server is Server 1.) The network address translator mappings are the ones that we recommend in this article.
- A client from outside the NAT-configured network uses IPSec NAT-T to establish bidirectional security associations with Server 1. (This client is Client 1.)
- A client on the NAT-configured network uses IPSec NAT-T to establish bidirectional security associations with Client 1. (This client is Client 2.)
- A condition occurs that causes Client 1 to reestablish the security associations with Client 2. Because of the static network address translator mappings that direct IKE and IPSec NAT-T traffic to Server 1, the IPSec security association negotiation traffic that Client 1 sends to Client 2 may be misrouted to Server 1.
Although this is an uncommon situation, the default behavior on Windows XP SP2-based computers prevents any IPSec NAT-T-based security associations to servers that are located behind a network address translator, so that this situation never occurs.
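The following toy model replays the static mappings recommended earlier in this article (UDP 500 and UDP 4500 to Server 1) and the Client 1 / Client 2 / Server 1 situation above, so you can see exactly where the misrouting comes from. It is an added example and is not code from this article or from Windows; the addresses (RFC 5737 documentation ranges), the port numbers the dynamic mappings receive, and the NAT behavior it assumes (dynamic mappings learned from outbound traffic that expire after an idle period, and any unmatched inbound packet being checked against the static table) are constructed assumptions of the model, not a description of a specific device.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

IKE_PORT = 500      # IKE (ISAKMP)
NAT_T_PORT = 4500   # IPSec NAT-T (UDP-encapsulated IKE and ESP)

# Constructed addresses (RFC 5737 documentation ranges); not from the article.
NAT_PUBLIC = "203.0.113.1"
SERVER_1 = "192.168.1.10"   # server behind the NAT, target of the static mappings
CLIENT_2 = "192.168.1.20"   # client behind the NAT
CLIENT_1 = "198.51.100.7"   # client on the Internet

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


@dataclass
class Nat:
    """Minimal NAT model (an assumption of this example, not a real device):
    static inbound mappings plus dynamic mappings learned from outbound
    traffic. Dynamic mappings expire after `lifetime` idle seconds, and an
    inbound packet that matches no live dynamic mapping is checked against
    the static table."""
    public_ip: str
    static: Dict[int, Endpoint]                  # public port -> private endpoint
    lifetime: int = 300
    dynamic: Dict[int, Tuple[Endpoint, int]] = field(default_factory=dict)  # public port -> (private endpoint, expiry)
    next_port: int = 60000                        # assumed ephemeral port allocator

    def outbound(self, pkt: Packet, now: int) -> Packet:
        """Translate a packet leaving the private network, creating or
        refreshing the dynamic mapping for its source endpoint."""
        self._expire(now)
        for port, (priv, _) in self.dynamic.items():
            if priv == pkt.src:
                self.dynamic[port] = (priv, now + self.lifetime)
                return Packet((self.public_ip, port), pkt.dst)
        port = self.next_port
        self.next_port += 1
        self.dynamic[port] = (pkt.src, now + self.lifetime)
        return Packet((self.public_ip, port), pkt.dst)

    def inbound(self, pkt: Packet, now: int) -> Optional[Packet]:
        """Translate a packet arriving at the public address; None means the
        NAT has no mapping for the destination port and drops it."""
        self._expire(now)
        _, port = pkt.dst
        if port in self.dynamic:
            priv, _ = self.dynamic[port]
            self.dynamic[port] = (priv, now + self.lifetime)
            return Packet(pkt.src, priv)
        if port in self.static:
            return Packet(pkt.src, self.static[port])
        return None

    def _expire(self, now: int) -> None:
        self.dynamic = {p: v for p, v in self.dynamic.items() if v[1] > now}


def recommended_static_mappings(server: str) -> Dict[int, Endpoint]:
    """The two static mappings the article recommends for a server behind a NAT."""
    return {IKE_PORT: (server, IKE_PORT), NAT_T_PORT: (server, NAT_T_PORT)}


def run_scenario() -> Dict[str, Optional[str]]:
    """Replay the article's situation and record which private host each
    packet from Client 1 is delivered to (None = dropped by the NAT)."""
    nat = Nat(NAT_PUBLIC, recommended_static_mappings(SERVER_1))
    result: Dict[str, Optional[str]] = {}

    # Client 1 reaches Server 1 through the static UDP 500 mapping.
    p = nat.inbound(Packet((CLIENT_1, IKE_PORT), (NAT_PUBLIC, IKE_PORT)), now=0)
    result["client1_to_server1"] = p.dst[0] if p else None

    # Client 2 initiates IKE to Client 1; the NAT records a dynamic mapping,
    # and Client 1's reply to that public port reaches Client 2.
    out = nat.outbound(Packet((CLIENT_2, IKE_PORT), (CLIENT_1, IKE_PORT)), now=10)
    p = nat.inbound(Packet((CLIENT_1, IKE_PORT), out.src), now=11)
    result["client1_reply_to_client2"] = p.dst[0] if p else None

    # The dynamic mapping has expired. A packet to the old public port is dropped...
    p = nat.inbound(Packet((CLIENT_1, IKE_PORT), out.src), now=1000)
    result["client1_to_stale_port"] = p.dst[0] if p else None

    # ...but a fresh IKE negotiation for Client 2, addressed to the only
    # address Client 1 knows for it (the NAT's public IP) on UDP 500, matches
    # the static mapping and is delivered to Server 1 instead of Client 2.
    p = nat.inbound(Packet((CLIENT_1, IKE_PORT), (NAT_PUBLIC, IKE_PORT)), now=1001)
    result["client1_reestablish_to_client2"] = p.dst[0] if p else None
    return result


if __name__ == "__main__":
    for step, host in run_scenario().items():
        print(f"{step:34} -> {host or 'dropped'}")
```

The last step is the case the Windows XP SP2 default guards against: once the NAT has forgotten the mapping that Client 2 created, any negotiation that Client 1 initiates toward the shared public address on the IKE or NAT-T port is indistinguishable, from the NAT's point of view, from traffic meant for Server 1.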
Although the default behavior of Windows XP SP2 can be changed to enable IPSec NAT-T security associations to servers that are located behind a network address translator, we do not recommend that you change it.