Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from the Microsoft KB. All KB articles are owned by Microsoft Corporation.

Registry entries that are useful in network address translation traversal (NAT-T) security associations in Windows Vista



Introduction

This article describes registry entries that are useful in network address translation traversal (NAT-T) security associations in Windows Vista.



More information

The AssumeUDPEncapsulationContextOnSendRule registry entry

The AssumeUDPEncapsulationContextOnSendRule registry entry can be applied to the Windows Vista operating system and to earlier operating systems. In Windows Vista, the entry is located in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
In earlier operating systems, the entry is located in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
If you update the operating system from Windows XP Service Pack 2 (SP2) to Windows Vista, the value of this registry entry and the default behavior do not change. Therefore, you do not have to reset the registry configuration to support servers that are hosted behind network address translation (NAT) devices.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To modify the AssumeUDPEncapsulationContextOnSendRule registry entry, follow these steps:
  1. Log on to the Windows Vista client computer as a user who is a member of the Administrators group.
  2. Click Start, type regedit in the Start Search box, and then press ENTER.

    Note If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.
  3. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
  4. Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
  5. In the Value Data box, type one of the following values:
    • 0

      A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
    • 1

      A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
    • 2

      A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.
  6. Click OK, and then exit Registry Editor.
  7. Restart the computer.

The IPsecThroughNAT registry entry

To modify this registry entry, follow these steps:
  1. Log on to the Windows Vista client computer as a user who is a member of the Administrators group.
  2. Click Start, type regedit in the Start Search box, and then press ENTER.

    Note If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.
  3. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
  4. Right-click IPsecThroughNAT, and then click Modify.
  5. In the Value Data box, type one of the following values:
    • 0

      A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
    • 1

      A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
    • 2

      A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.
  6. Click OK, and then exit Registry Editor.
  7. Restart the computer.
Also, you can run the following commands at a command prompt to modify this registry entry:
  • To set the value to 0, run the following command:
    netsh advfirewall set global ipsec ipsecthroughnat never
  • To set the value to 1, run the following command:
    netsh advfirewall set global ipsec ipsecthroughnat serverbehindnat
  • To set the value to 2, run the following command:
    netsh advfirewall set global ipsec ipsecthroughnat serverandclientbehindnat
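
The two procedures above, scripted in PowerShell as an added example (not part of the original Microsoft article): it reports the current values, backs up the subkey before writing, and reads the result back. The subkeys and entry names are the ones given above; the function names and the backup file location are assumptions of this example.

```powershell
# Added example; function names and backup location are hypothetical. Run from an elevated prompt.
$Services = 'SYSTEM\CurrentControlSet\Services'
$Meaning  = @{
    0 = 'no security associations with servers behind NAT (default)'
    1 = 'security associations with servers behind NAT'
    2 = 'security associations when both server and client are behind NAT'
}
$Entries = @(
    @{ Key = "$Services\PolicyAgent"; Name = 'AssumeUDPEncapsulationContextOnSendRule' },  # Windows Vista
    @{ Key = "$Services\IPsec";       Name = 'AssumeUDPEncapsulationContextOnSendRule' },  # earlier systems
    @{ Key = "$Services\SharedAccess\Parameters\FirewallPolicy"; Name = 'IPsecThroughNAT' }
)

# Report each entry: its value, or that it is absent, or that it is outside 0-2.
function Get-NatTSetting {
    foreach ($e in $Entries) {
        $value = $null; $text = 'entry not present'
        $prop  = Get-ItemProperty -Path "HKLM:\$($e.Key)" -Name $e.Name -ErrorAction SilentlyContinue
        if ($prop) {
            $value = [int]$prop.($e.Name)
            if ($Meaning.ContainsKey($value)) { $text = $Meaning[$value] } else { $text = 'unexpected value (not 0, 1 or 2)' }
        }
        New-Object PSObject -Property @{ Key = $e.Key; Name = $e.Name; Value = $value; Meaning = $text }
    }
}

# Back up the subkey, write AssumeUDPEncapsulationContextOnSendRule, then read it back.
function Set-AssumeUdpEncapsulation {
    param(
        [Parameter(Mandatory = $true)][ValidateRange(0, 2)][int]$Value,
        [ValidateSet('PolicyAgent', 'IPsec')][string]$Service = 'PolicyAgent',
        [string]$BackupDir = $env:TEMP
    )
    $key = "$Services\$Service"
    & reg.exe export "HKLM\$key" (Join-Path $BackupDir "${Service}-before.reg") /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of HKLM\$key failed; nothing was changed." }
    Set-ItemProperty -Path "HKLM:\$key" -Name 'AssumeUDPEncapsulationContextOnSendRule' -Value $Value -Type DWord
    Get-NatTSetting | Where-Object { $_.Key -eq $key }   # restart afterwards, as in step 7
}

# Set IPsecThroughNAT with netsh; the array index is the registry value (0, 1, 2).
function Set-IPsecThroughNat {
    param([Parameter(Mandatory = $true)][ValidateRange(0, 2)][int]$Value)
    $keyword = @('never', 'serverbehindnat', 'serverandclientbehindnat')[$Value]
    & netsh.exe advfirewall set global ipsec ipsecthroughnat $keyword | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh could not set ipsecthroughnat to $keyword." }
    Get-NatTSetting | Where-Object { $_.Name -eq 'IPsecThroughNAT' }
}
```

Get-NatTSetting on its own is read-only and can be used to audit a machine before any change is made.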



References

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
818043 L2TP/IPsec NAT-T update for Windows XP and Windows 2000
885348 IPSec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators
926179 How to configure an L2TP/IPsec server behind a NAT-T device in Windows Vista and in Windows Server 2008



Keywords: kbexpertiseadvanced, kbinfo, KB947234


Article Info
Article ID : 947234
Revision : 2
Created on : 8/18/2009
Published on : 8/18/2009
Exists online : False