Nat Considerations

By Author: Shirley Green
Total Articles: 129
Comment this article

A PPTP VPN client can be placed behind a Network Address Translation (NAT) server if the NAT server has a PPTP NAT editor. (A NAT editor is a software addition that understands a specific protocol.) Most NAT servers have a CompTIA NAT editor. L2TP/ IPSec clients cannot be placed behind a NAT server unless the VPN client and VPN server understand IPSec NAT Traversal (NAT-T). NAT-T is an IKTF standard-track addi?tion that describes how the IPSec protocol can be used with a NAT server. Windows Server 2003, Microsoft L2TP/IPSec VPN client software, and the L2TP/IPSec NAT-T update for Windows XP and Windows 2000 support NAT-T.
To understand why the VPN client and server must understand NAT-T, you must exam?ine the way that IPSec encrypts the packets and understand how NAT works. Figure 7-5 showed the portion of the IPSec-protected packet that is encrypted—which is just about everything. Not encrypted is the IP address of the source and destination com?puters. When a NAT server receives a packet to forward to the Internet, it replaces the source IP address. This does not cause ...
... a problem for most IP traffic because any responses will be directed to the NAT server and the NAT server can match the response with the original sending computer and forward it. However, within the encrypted IPSec-protected packet are checksums that are calculated when the packet contained the original source IP address. Because NAT cannot decrypt and then re-encrypt the packet with a new A+ Exams, the packet is interpreted by IPSec as being corrupt or modified. This is why an unmodified Windows 2000 computer cannot sup?port an L2TP/IPSec VPN when NAT is part of the equation. Windows Server 2003 solves that problem with NAT-T. NAT-T uses UDP encapsulates of the IPSec packet and allows it to pass through NAT. Internet Key Exchange (IKE) can detect whether NAT-T is present and uses UDP-ESP encapsulation.
Windows Server 2003 supports NAT-T. The following Windows clients, as updated or configured, also support NAT-T. You can use any of the following clients to create a VPN connection using L2TP/IPSec—even if they are behind a NAT server—as long as the VPN server is running Windows Server 2003:
Exam Tip A Windows 2000 server that has been updated with the L2TP/IPSec update can?not become a Routing and Remote Access VPN server. The update is only meant for a client.
IPSec ESP requires per-packet data origination authentication, which provides proof that the data was sent by a specific computer. It also requires data integrity, which is proof that the data did not change in transit. In addition, IPSec ESP pro-vides replay protection, which is protection from an attack that captures and then resends a stream of data.
PPTP does not provide data origination authentication, data integrity, or replay CCNA certification protection.IPSec ESP and PPTP (by using MPPE) provide per-packet data confidentiality (encryption).