Microsoft has released an update package to enhance the current functionality of Layer Two Tunneling Protocol (L2TP) and Internet Protocol security (IPsec) on computers that run Microsoft Windows 2000, Microsoft Windows XP without service packs installed, and Windows XP with Service Pack 1 (SP1). This functionality is included in Windows XP Service Pack 2 (SP2). Computers that run Windows XP with SP2 do not have to install this update package.
This update includes improvements to IPsec to better support virtual private network (VPN) clients that are behind network address translation (NAT) devices. If you apply this update to a computer that is running Windows XP, and if the IPsec service encounters a runtime error and cannot start for any reason, the IPsec driver operates in block mode because it cannot secure network traffic.
Note The IPsec service appears as "IPSEC services" in the list of system services.
For more information about the latest service pack for Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:
How to obtain the latest Windows XP service pack
New IPsec features and Management and Monitor snap-ins
- After you install this update, Windows 2000 and Windows XP-based L2TP/IPsec clients can create IPsec connections from behind a NAT device. The new IPsec NAT-T functionality is based on the IETF Requests for Comments (RFC) 3193 and version 2 of the original IETF IPsec NAT-T Internet drafts. Windows XP clients that have SP2 also have this enhanced connectivity option. IPsec NAT-T is currently specified in RFCs 3947 and 3948.
- The updated IPsec Monitor snap-in can view computers that are running Windows XP, but only if the Windows XP-based computer has SP2 installed.
- The updated IPsec Monitor snap-in can view computers that are running Microsoft Windows Server 2003. Similarly, Windows Server 2003 can monitor Windows XP-based computers that have SP2 installed.
- Computers that are running Windows 2000 cannot be monitored with this snap-in.
- The new IPsec Management snap-in switches to read-only mode when it encounters policy objects that contain advanced features that were created in Windows Server 2003 (for example, DH2048, Certificate Mapping, or dynamic filters). This behavior causes the snap-in objects (for example, rules, filter lists, or main mode offerings) to become uneditable if they contain references to these new settings. The snap-in switches to read-only mode so that it cannot accidentally remove critical advanced features.
- The updated IPsec services on Windows XP-based computers can expose most of the new features that are provided in a Windows Server 2003 IPsec policy.
Note Certificate Mapping is not available.
- If an earlier version of the IPseccmd tool is installed on a Windows XP-based computer (this tool is not available in Windows 2000), an updated IPseccmd is installed in the drive:\Program Files\Support Tools folder.
The updated IPseccmd has the following
Note The earlier version of IPseccmd does not work on updated computers, and the updated IPseccmd does not work on computers that are not updated.
  - It dynamically turns Internet Key Exchange (IKE) logging on and off.
  - It displays information about a currently assigned
  - It lets you create a persistent IPsec
Interoperability and known issues
IPsec NAT-T and firewall rules
Because the support for IPsec NAT-T functionality is based on IETF RFC 3193 and version 2 of the original IETF NAT-T Internet drafts, for these services to run through a firewall, you may have to open the following ports and protocols in the
- Internet Key Exchange (IKE) - User Datagram Protocol (UDP) 500
- IPsec NAT-T - UDP 4500
- Encapsulating Security Payload (ESP) - Internet Protocol (IP) protocol 50
Supported scenarios using IPsec NAT-T
The following scenarios will successfully allow for L2TP/IPsec-based IPsec NAT-T connections. In these scenarios, Client is a client that is running Windows 2000 and that has update 818043 installed or is a Windows XP-based computer that has SP2 installed. Server is an L2TP/IPsec server that is running Windows Server 2003 and that is using Routing and Remote Access.
Client----> NAT ----Internet---->Server
The only supported and recommended scenario is when the Server is not located behind a NAT device. The L2TP/IPsec server may also be a third-party gateway product that supports NAT-T connections.
Note If you apply update 818043 to a Windows 2000-based server that is using Routing and Remote Access, the server cannot function as an L2TP/IPsec server in this scenario. It cannot allow for connections from L2TP/IPsec clients that are behind one or more NAT devices. This update is a client-side update only. Server-side IPsec NAT-T functionality is a new feature in Windows Server 2003 Routing and Remote Access only. IPsec NAT-T server-side support will not be added to Windows 2000 Routing and Remote Access.
Diffie-Hellman Group 2048 update
For L2TP/IPsec clients to negotiate and use the Diffie-Hellman Group 2048 update, the remote access server being contacted must also support this group.
Note To use Diffie-Hellman 2048, if your computer is running Windows Server 2003, you must create a registry subkey. To do this, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry subkey:
- On the Edit menu, point to New, and then click DWORD Value.
- Type NegotiateDH2048, and then press ENTER.
- Right-click NegotiateDH2048, and then click Modify.
- In the Value data box, type 1, and then click OK.
- On the Registry menu, click
- IPsec offload hardware
IPsec offload network adaptors do not offload security associations that were created by using NATs.
- New features are not displayed correctly
New features that were enabled by using a Windows Server 2003 IPsec policy may not be correctly displayed in the IPsec monitor. Most notably, the DH2048 group is displayed as 268435457, and dynamic-filter names (for example, WINS or DHCP) are not displayed at all (the column is
- The IKE component of the Windows implementation of IPsec uses an extended Winsock API function whose function pointer is determined by calling WSAIoctl(). If this function call cannot pass through any installed Layered Service Provider (LSP), IPsec cannot listen on the IKE port. IPsec interprets this as a failure of the component and reacts accordingly (that is, a "Fail to a Secure Mode" message is returned). The IKE component's inability to pass through an LSP may be caused by an installed third-party
Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To change the IPsec NAT-T behavior for a computer that is running Windows XP SP2, you must create the
By default, Windows XP SP2 no longer supports IPsec NAT-T security associations to servers that are located behind a network address translator. Therefore, if your virtual private network (VPN) server is behind a network address translator, by default, a Windows XP SP2-based VPN client cannot make an L2TP/IPsec connection to the VPN server. This scenario includes a VPN server that is running Microsoft Windows Server 2003.
This default behavior can also prevent computers that are running Windows XP SP2 from making Remote Desktop connections with L2TP/IPsec when the destination computer is located behind a network address translator.
Because of the way that network address translators translate network traffic, you may experience unexpected results when you put a server behind a network address translator and then use IPsec NAT-T. Therefore, if you require IPsec for communication, we recommend that you use public IP addresses for all servers that you can connect to directly from the Internet.
To create and configure the registry value, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry subkey:
- On the Edit menu, point to New, and then click DWORD Value.
- In the New Value #1 box, type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
- Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
- In the Value Data box, type one of the following values:
  - 0 (default): A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind network address translators.
  - 1: A value of 1 configures Windows so that it can establish security associations with servers that are located behind network address translators.
  - 2: A value of 2 configures Windows so that it can establish security associations when both the server and the Windows XP SP2-based client computer are behind network address translators.
- Click OK, and then quit Registry Editor.
- Restart the computer.
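As an added example (not part of the article and not Microsoft code), the following Python models the client-side rules the article states for IPsec NAT-T: which topologies a Windows XP SP2 client will negotiate a security association for under each AssumeUDPEncapsulationContextOnSendRule value, and which of the firewall openings listed above (UDP 500, UDP 4500, IP protocol 50) a given rule set still lacks. The Topology class, the function names, the reading of value 1 as the server-only NAT case, and the sample rule set are this example's own constructions.

```python
from dataclasses import dataclass

# Ports and protocols the article says a firewall must pass for L2TP/IPsec NAT-T.
REQUIRED_OPENINGS = (
    ("IKE", "udp", 500),
    ("IPsec NAT-T", "udp", 4500),
    ("ESP", "ip", 50),  # IP protocol number, not a port
)


@dataclass(frozen=True)
class Topology:
    client_behind_nat: bool
    server_behind_nat: bool


def sa_permitted(topology: Topology, assume_udp_encap_rule: int = 0) -> bool:
    """Return True if a Windows XP SP2 client will negotiate a NAT-T security
    association for this topology under the given AssumeUDPEncapsulationContextOnSendRule.
    0 (default): no SA to a server behind a NAT.
    1: SA to a server behind a NAT.
    2: SA when both client and server are behind NATs.
    """
    if assume_udp_encap_rule not in (0, 1, 2):
        raise ValueError("AssumeUDPEncapsulationContextOnSendRule must be 0, 1 or 2")
    if not topology.server_behind_nat:
        return True  # the article's only recommended scenario: server on a public address
    if assume_udp_encap_rule == 0:
        return False
    if assume_udp_encap_rule == 1:
        # Assumption of this example: since the article reserves 2 for both sides
        # behind NATs, 1 is treated as covering only the server-behind-NAT case.
        return not topology.client_behind_nat
    return True


def missing_openings(firewall_rules):
    """firewall_rules: (proto, number) pairs the firewall already passes, such as
    ("udp", 500) or ("ip", 50). Returns names of required openings still closed."""
    opened = {(proto.lower(), int(num)) for proto, num in firewall_rules}
    return [name for name, proto, num in REQUIRED_OPENINGS if (proto, num) not in opened]


if __name__ == "__main__":
    # Constructed sample: a perimeter that passes IKE and ESP but not UDP 4500.
    sample_rules = [("udp", 500), ("ip", 50), ("tcp", 1723)]
    print("still closed:", missing_openings(sample_rules))
    print(sa_permitted(Topology(True, False)))      # recommended scenario -> True
    print(sa_permitted(Topology(True, True), 1))    # both behind NATs needs 2 -> False
    print(sa_permitted(Topology(True, True), 2))
```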
Windows XP service pack information
This feature is available in the latest service pack for Windows XP (SP2). For more information, click the following article number to view the article in the Microsoft Knowledge Base:
How to obtain the latest Windows XP service pack
Windows 2000 Update
To download this update for Windows 2000, go to the following Microsoft website to use the Microsoft Update Catalog:
Search for the ID number of this article by using the Advanced Search Options feature in the Microsoft Update Catalog. To do this, follow these steps:
- On the Microsoft Windows Update website, click Find updates for Microsoft Windows operating systems.
- Click to select your operating system and language, and then click Advanced Search.
Note You must select either Windows 2000 Professional Service Pack 3 or Windows 2000 Professional Service Pack 4. If you select a different operating system, the update is not returned in the search.
- In the Contains these words box, type 818043, and then click Search.
For more information about how to download updates from the Windows Update Catalog, click the following article number to view the article in the Microsoft Knowledge Base:
How to download updates that include drivers and hotfixes from the Windows Update Catalog
This update package is designed to be installed on computers that are running Windows 2000 with Service Pack 3 (SP3) or later versions.
This update package requires that you restart your computer to enable the new IPsec features.
Update replacement information
This update does not replace any other updates.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size File name
18-Sep-2000 19:01 5.0.2195.1569 33,616 Fips.sys
21-Apr-2003 15:19 5.0.2195.6738 80,848 Ipsec.sys
21-Apr-2003 15:19 5.0.2195.6738 29,456 Ipsecmon.exe
21-Apr-2003 15:21 5.0.2195.6738 390,928 Netdiag.exe
01-May-2003 21:39 5.0.2195.6738 417,552 Oakley.dll
01-May-2003 21:39 5.0.2195.6738 96,528 Polagent.dll
01-May-2003 21:39 5.0.2195.6738 137,488 Polstore.dll
01-May-2003 21:39 5.0.2195.6738 58,128 Rasman.dll
01-May-2003 21:39 5.0.2195.6738 153,360 Rasmans.dll
01-May-2003 21:39 5.0.2195.6738 54,032 Rastapi.dll
21-Apr-2003 15:19 5.0.2195.6738 80,848 Ipsec.sys (56-bit)
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
How to troubleshoot TCP/IP connectivity with Windows XP
IPsec troubleshooting in Microsoft Windows 2000 Server
naming schema for Microsoft Windows software update packages