Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry
INTRODUCTION
This article describes a change in the default behavior of Internet Protocol security (IPsec) network address translation (NAT) traversal (NAT-T) that has been implemented in Microsoft Windows XP Service Pack 2 (SP2). You can modify this default behavior in Windows XP SP2 by using the following registry value:
AssumeUDPEncapsulationContextOnSendRule
No change has been made in the Microsoft Windows 2000 IPsec NAT-T implementation.
MORE INFORMATION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
By default, computers that run Windows XP with Service Pack 2 and that initiate IPsec-secured communications (hereafter referred to as initiators) no longer support using IPsec NAT-T to remote computers that respond to requests for IPsec-secured communication (hereafter referred to as responders) that are located behind a network address translator. This is to avoid potential security issues as discussed in the following Microsoft Knowledge Base article:
885348 IPSec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators
For example, if your virtual private network (VPN) server that is running Microsoft Windows Server 2003 is behind a network address translator, by default, a Windows XP SP2-based VPN client cannot make a Layer Two Tunneling Protocol with IPsec (L2TP/IPsec) connection to the VPN server.
This default behavior can also prevent computers that are running Windows XP with SP2 from making Remote Desktop connections that are protected by L2TP/IPsec or by IPsec transport mode when the destination computer is located behind a network address translator.
Because of the way that IPsec NAT-T works in Windows XP without service packs installed and in Windows XP Service Pack 1 (SP1), you may experience unexpected results when you put a server behind a network address translator and then use IPsec NAT-T. Therefore, if you require IPsec for communication, we recommend that you use public IP addresses for all servers that you can connect to directly from the Internet.
Note Regardless of these changes, computers that are running Windows 2000, Windows XP, or Windows Server 2003 support IPsec NAT-T-based connections as an initiator when located behind a network address translator.
For example, an L2TP/IPsec VPN client laptop that is located on a private hotel network can initiate a connection to a VPN server that is using a public Internet address.
NAT is a widely-used technology that enables more than one computer to share a single public IP address. Network address translators map private addresses (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) that are used on private networks to public IP addresses that are used on the Internet.
For more information about putting servers behind network address translators, about how to configure network address translation mappings for servers, and about the consequences to IPsec NAT-T security associations for a specific situation, click the following article number to view the article in the Microsoft Knowledge Base:
885348
IPSec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators
To allow an IPsec NAT-T initiator to connect to a responder that is located behind a NAT, you must create and set the AssumeUDPEncapsulationContextOnSendRule registry value on the initiator.
Note Before you configure this registry value, we recommend that you contact your network administrator or read your corporate security policy.
To create and configure the AssumeUDPEncapsulationContextOnSendRule registry value, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
- On the Edit menu, point to New, and then click DWORD Value.
- In the New Value #1 box, type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
Important This value name is case sensitive. - Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
- In the Value data box, type one of the following values:
- 0 (default)
A value of 0 (zero) configures Windows XP SP2 so that it cannot initiate IPsec-secured communications with responders that are located behind network address translators. - 1
A value of 1 configures Windows XP SP2 so that it can initiate IPsec-secured communications with responders that are located behind network address translators. - 2
A value of 2 configures Windows XP SP2 so that it can initiate IPsec-secured communications when both the initiators and the responders are behind network address translators.
Note This is the behavior of IPsec NAT-T in Windows XP without service packs installed and in Windows XP SP1.
- Click OK, and then quit Registry Editor.
- Restart the computer.
After you configure AssumeUDPEncapsulationContextOnSendRule with a value of 1 or a value of 2, Windows XP SP2 can connect to a responder that is located behind a network address translator. This behavior applies to connections to a VPN server that is running Windows Server 2003.