
Microsoft small business knowledge base

Article ID: 947234 - Last Review: August 18, 2009 - Revision: 2.0


INTRODUCTION

This article describes registry entries that are useful in network address translation traversal (NAT-T) security associations in Windows Vista.

MORE INFORMATION

The AssumeUDPEncapsulationContextOnSendRule registry entry

The AssumeUDPEncapsulationContextOnSendRule registry entry can be applied to the Windows Vista operating system and to earlier operating systems. In Windows Vista, the entry is located in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
In earlier operating systems, the entry is located in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
If you update the operating system from Windows XP Service Pack 2 (SP2) to Windows Vista, the value of this registry entry and the default behavior do not change. Therefore, you do not have to reset the registry configuration to support servers that are hosted behind network address translation (NAT) devices.

Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows
To modify the AssumeUDPEncapsulationContextOnSendRule registry entry, follow these steps:
  1. Log on to the Windows Vista client computer as a user who is a member of the Administrators group.
  2. Click Start, type regedit in the Start Search box, and then press ENTER.

    Note: If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.
  3. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
  4. Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
  5. In the Value Data box, type one of the following values:
    • 0

      A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
    • 1

      A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
    • 2

      A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.
  6. Click OK, and then exit Registry Editor.
  7. Restart the computer.

The IPsecThroughNAT registry entry

To modify this registry entry, follow these steps:
  1. Log on to the Windows Vista client computer as a user who is a member of the Administrators group.
  2. Click Start, type regedit in the Start Search box, and then press ENTER.

    Note: If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.
  3. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
  4. Right-click IPsecThroughNAT, and then click Modify.
  5. In the Value Data box, type one of the following values:
    • 0

      A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
    • 1

      A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
    • 2

      A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008 VPN client computer are behind NAT devices.
  6. Click OK, and then exit Registry Editor.
  7. Restart the computer.
Also, you can run the following commands at a command prompt to modify this registry entry:
  • To set the value to 0, run the following command:
    netsh advfirewall set global ipsec ipsecthroughnat never
  • To set the value to 1, run the following command:
    netsh advfirewall set global ipsec ipsecthroughnat serverbehindnat
  • To set the value to 2, run the following command:
    netsh advfirewall set global ipsec ipsecthroughnat serverandclientbehindnat
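
The following read-only audit is an added example, not part of the original Microsoft article: it reports the current value of AssumeUDPEncapsulationContextOnSendRule and IPsecThroughNAT at the subkeys named above and maps each value to the meaning given in the value lists. The function name Get-NatTraversalSetting is hypothetical, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only audit of the NAT-T registry entries described in this article.
# Subkeys and entry names come from the article; Get-NatTraversalSetting is a hypothetical name.

$Meaning = @{
    0 = 'Cannot establish security associations with servers behind NAT devices (default)'
    1 = 'Can establish security associations with servers behind NAT devices'
    2 = 'Can establish security associations when both server and client are behind NAT devices'
}

$Targets = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
       Name = 'AssumeUDPEncapsulationContextOnSendRule' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPsec'
       Name = 'AssumeUDPEncapsulationContextOnSendRule' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
       Name = 'IPsecThroughNAT' }
)

function Get-NatTraversalSetting {
    foreach ($t in $Targets) {
        $raw   = $null
        $state = 'KeyMissing'
        if (Test-Path -LiteralPath $t.Path) {
            # SilentlyContinue: a missing entry is an expected state, not an error.
            $item = Get-ItemProperty -LiteralPath $t.Path -Name $t.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $raw = $item.($t.Name); $state = 'Present' }
            else                 { $state = 'EntryMissing' }
        }

        # -as returns $null instead of throwing when the stored data is not numeric.
        $n = $raw -as [int]
        $text = if ($state -ne 'Present') { 'Entry not set; the article gives 0 as the default' }
                elseif ($null -ne $n -and $Meaning.ContainsKey($n)) { $Meaning[$n] }
                else { 'Value is outside the 0-2 range documented in the article' }

        [pscustomobject]@{
            Subkey        = $t.Path
            Entry         = $t.Name
            State         = $state
            Value         = $raw
            Meaning       = $text
            # True when the host accepts NAT-T peers behind NAT (values 1 or 2).
            NatTRelaxed   = ($state -eq 'Present' -and $n -in 1, 2)
        }
    }
}

Get-NatTraversalSetting | Format-List
```

Filtering the output on NatTRelaxed gives the hosts where the default has been changed, which is the set to review against the intended VPN topology.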

REFERENCES

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
818043 (http://support.microsoft.com/kb/818043/) L2TP/IPsec NAT-T update for Windows XP and Windows 2000
885348 (http://support.microsoft.com/kb/885348/) IPSec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators
926179 (http://support.microsoft.com/kb/926179/) How to configure an L2TP/IPsec server behind a NAT-T device in Windows Vista and in Windows Server 2008

APPLIES TO
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Home Basic 64-bit Edition
  • Windows Vista Home Premium 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Business
  • Windows Vista Business 64-bit Edition
  • Windows Vista Enterprise
  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Ultimate
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Web Server 2008