Configure Microsoft® Windows XP** Virtual Private Network (VPN) client interoperability with NAT-T support 7
Loading the NAT-T update to Windows XP
To ensure that your version of Windows XP operating system supports NAT-T you will need to
fulfil one of these pre-requisites:
• The recommended method is to ensure Windows XP Service Pack 2 has been installed. To get a
copy of the service pack go to:
http://www.microsoft.com/athome/security/protec t/windowsxp/choose.msp x
• If you do not have the service pack installed, you will need to install the update patch for
Knowledge Base article KB 818043.
Either way, the details of this NAT-T enhancement can be read at:
http://support.microsoft.com/?kbid=818043.
This update includes improvements to IPSec to better support virtual private network (VPN)
clients that are behind network address translation (NAT) devices.
The list of fixes included in Windows XP SP2 is at the following URL:
http://support.microsoft.com/default.aspx?scid=kb;en-us;811113
The release notes for Windows XP SP2 are at the following URL:
http://support.microsoft.com/default.aspx?s cid=kb;en-us;835935
Note: If either of these requirements are not met, then on connection attempt the router or switch log will
not proceed beyond “ISAKMP MAIN Phase 1 (resp) started with peer x.x.x.x” and “Exch xx: Failed”. If you
have ISAKMP debugging enabled, this condition will show as “Remote ID different to expected”.
After installing the update and rebooting your computer, you can configure the Windows XP VPN
client. See the following sections.
Support for NAT device at the responder VPN gateway end of link
As mentioned in the earlier section, Windows XP SP2 does not support NAT devices at the VPN
responder end of the link. To overcome this issue, you need to refer to instructions on the
Microsoft support site in Knowledge Base article 885407:
http://support.microsoft.com/default.aspx?kbid=885407
This article describes a change required in the Windows registry. It also outlines some security
issues with this solution.
Please note that you will make a registry key entry, and this key can be set for different values
depending on your NATing circumstances:
• value 0 (default): does not permit IPSec when responders are behind NAT.
• value 1: XP SP2 can initiate IPSec to responders behind NAT (you will target the public side of the
NAT device and that device will need pinholes).
• value 2: XP SP2 can initiate IPSec when both initiator and responder and behind NAT.
For more detail, please refer to the KB article.
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Commentaires sur ces manuels