02-20-2008, 11:16 AM
ChucknDiscs
NAT-T, L2TP / IPSEC VPN Issue

Our company employs an L2TP / IPSEC VPN for remote connectivity. The VPN server is behind a NAT device. We had to do the registry edit to our laptops in order for them to VPN in to our company.

Windows XP Registry Edit:

http://support.microsoft.com/kb/818043

"Because of the way that network address translators translate network traffic, you may experience unexpected results when you put a server behind a network address translator and then use IPsec NAT-T. Therefore, if you require IPsec for communication, we recommend that you use public IP addresses for all servers that you can connect to directly from the Internet.

To create and configure the AssumeUDPEncapsulationContextOnSendRule registry value, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
3. On the Edit menu, point to New, and then click DWORD Value.
4. In the New Value #1 box, type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
5. Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
6. In the Value Data box, type one of the following values:
   0 (default): A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind network address translators.
   1: A value of 1 configures Windows so that it can establish security associations with servers that are located behind network address translators.
   2: A value of 2 configures Windows so that it can establish security associations when both the server and the Windows XP SP2-based client computer are behind network address translators.
7. Click OK, and then quit Registry Editor.
8. Restart the computer"

Now I would like to enable the same VPN for our Pocket PC users with Windows Mobile 6.0 or greater. I understand WM60 can use NAT-T, they have the ability to L2TP / IPSEC VPN, they can have certificates installed. We have set up 2 devices with certificates, with the correct IP, but they don't work. I believe it's because we have not done the ABOVE registry edit to the Pocket PCs. I have searched the web for 2 days looking for the solution to this and have been so far unsuccessful. I went to the same location on the Pocket PC registry and find NO IPSec under the services. I only find LDAP.

QUESTION: Has anyone found where to put the AssumeUDPEncapsulationContextOnSendRule DWORD value in the Windows Mobile 6.0 registry yet? Do I need to put it in there or is something else perhaps amiss?

Can I just make an IPSec key under services?

Thanks!!

~Chuckn - em - Discs!

Last edited by ChucknDiscs; 02-20-2008 at 11:19 AM.
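
Steps 1 to 8 of the quoted KB procedure as a script, for checking and applying the value on Windows XP laptops; this is an added example, not part of the original post or of the KB article. The parameter names and the report-only default are assumptions of the example, and it deliberately does not create the IPsec key where that key is missing.

```powershell
# Added example: audit / set AssumeUDPEncapsulationContextOnSendRule (Windows XP path from the quoted KB).
# Run from an elevated prompt. -Desired and -Apply are names chosen for this example.
param(
    [Parameter(Mandatory = $true)][ValidateRange(0, 2)][int]$Desired,
    [switch]$Apply   # without -Apply the script only reports what it would change
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPsec'
$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'

# Meanings as given in step 6 of the quoted procedure.
$Meaning = @{
    0 = 'cannot establish SAs with servers behind NAT (default)'
    1 = 'can establish SAs with servers behind NAT'
    2 = 'can establish SAs when both server and client are behind NAT'
}

function Get-NatTSetting {
    # $null = key itself is absent; 0 = key present but value not set (the default).
    if (-not (Test-Path $KeyPath)) { return $null }
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }
    return [int]$prop.$ValueName
}

$current = Get-NatTSetting
if ($null -eq $current) {
    # The KB adds a value under an existing key; a missing key is reported, not created.
    Write-Warning "$KeyPath not found on this machine; nothing changed."
    exit 1
}

$label = $Meaning[$current]
if (-not $label) { $label = 'value outside the documented 0-2 range' }
Write-Output "Current $ValueName = $current ($label)"

if ($current -eq $Desired) { Write-Output 'Already at the desired value.'; exit 0 }
if (-not $Apply) {
    Write-Output "Would set $Desired ($($Meaning[$Desired])). Re-run with -Apply to write it."
    exit 0
}

# -Force overwrites an existing value of the same name.
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Desired -Force | Out-Null
Write-Output "Set $ValueName = $Desired. Restart the computer for the change to take effect (step 8)."
```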