
I'm working on upgrading an old Windows RAS server that hosts PPTP VPN. I want to move to a L2TP/IPsec VPN.

Due to the firewall appliance we use, the VPN server has to be behind a NAT. This means in order for L2TP/IPsec to work, I need to enable/configure NAT-T on the client and server.

However, NAT-T functionality is disabled in Windows versions following XP SP2. This is apparently due to security concerns from Microsoft. It seems to indicate traffic sent using NAT-T can end up being sent to an incorrect destination.

IPSec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators

There is some further discussion of the security impact here, with no real conclusion on benefit vs. risk.

NAT Traversal (NAT-T) Security Issues

My questions:

  1. Is using L2TP/IPsec VPN over NAT-T actually insecure, or is this only a theoretical risk?
  2. Is there any reason to NOT use L2TP/IPsec+NAT-T as a replacement for a PPTP VPN?
jlehtinen

1 Answer


Is using L2TP/IPsec VPN over NAT-T actually insecure, or is this only a theoretical risk?

Microsoft says Yes and No:

Yes, in case this scenario applies to you:

  1. A network address translator is configured to map IKE and IPSec NAT-T traffic to a server on a NAT-configured network. (This server is Server 1.) The network address translator mappings are the ones that we recommend in this article.
  2. A client from outside the NAT-configured network uses IPSec NAT-T to establish bidirectional security associations with Server 1. (This client is Client 1.)
  3. A client on the NAT-configured network uses IPSec NAT-T to establish bidirectional security associations with Client 1. (This client is Client 2.)
  4. A condition occurs that causes Client 1 to reestablish the security associations with Client 2 because of the static network address translator mappings that map IKE and IPSec NAT-T traffic to Server 1. This condition may cause the IPSec security association negotiation traffic that is sent by Client 1 and that is destined for Client 2 to be misrouted to Server 1.

Although this is an uncommon situation, the default behavior on Windows XP SP2-based computers prevents any IPSec NAT-T-based security associations to servers that are located behind a network address translator to make sure that this situation never occurs.

Note that this recommendation still exists in recent Microsoft Windows operating system versions (Windows 7, 8, 10).

No, in case you are sure this scenario does not apply in your case.

Is there any reason to NOT use L2TP/IPsec+NAT-T as a replacement for a PPTP VPN?

If you choose IPSec tunneling it means you need to protect the confidentiality and integrity of the data but also assure the authenticity of the sender. Combining this with NAT is somewhat contradicting your goal, as the NAT may forward the responses/requests to the wrong IP address.

Another technical problem is that:

NAT isn’t able to use the port numbers in TCP and UDP headers to multiplex packets to multiple internal computers when those headers have been encrypted by ESP
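As an added example (not part of the question or the answer above), the PowerShell below audits and, only after you have ruled out the Client 1 / Client 2 misrouting scenario quoted in the answer, sets the Windows setting that governs IPsec NAT-T security associations to servers behind a NAT on Windows Vista and later (the versions the answer names). The registry value `AssumeUDPEncapsulationContextOnSendRule` under `HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent` and its meanings are Microsoft's documented setting and are not mentioned on the page; the function names are my own.

```powershell
# Added example: audit / set the Windows IPsec NAT-T behaviour for servers behind a NAT.
# Registry location and values as documented by Microsoft for Windows Vista and later
# (not from the Q&A above; on Windows XP SP2 the same value lives under Services\IPSec):
#   HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent
#   DWORD AssumeUDPEncapsulationContextOnSendRule
#     0 (or absent) = default: no IPsec SAs to servers behind a NAT
#     1             = allow SAs to servers behind a NAT; this host is not behind a NAT
#     2             = allow SAs when both this host and the server are behind a NAT
$NatTKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$NatTName = 'AssumeUDPEncapsulationContextOnSendRule'
$NatTMeaning = @{
    0 = 'Default: SAs to servers behind a NAT are refused (the XP SP2 behaviour quoted above)'
    1 = 'SAs to servers behind a NAT allowed; local host assumed not to be behind a NAT'
    2 = 'SAs allowed when both this host and the server are behind a NAT'
}

function Get-IpsecNatTPolicy {
    # Returns the effective mode; a missing value behaves exactly like 0.
    $name = $NatTName
    $item = Get-ItemProperty -Path $NatTKey -Name $name -ErrorAction SilentlyContinue
    $mode = if ($null -eq $item) { 0 } else { [int]$item.$name }
    $meaning = if ($NatTMeaning.ContainsKey($mode)) { $NatTMeaning[$mode] } else { 'Unrecognised value; treat as a misconfiguration' }
    [pscustomobject]@{
        Mode     = $mode
        Meaning  = $meaning
        Explicit = ($null -ne $item)   # $false when the default is in force because the value is absent
    }
}

function Set-IpsecNatTPolicy {
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Mode)
    # Requires an elevated shell; per Microsoft's guidance a reboot is needed before the new mode applies.
    # Mode 1 fits the question's layout (VPN server behind NAT, roaming client not); use 2 only when
    # the client is also NATed, since that is the layout in which the misrouting scenario can arise.
    if (-not (Test-Path $NatTKey)) { New-Item -Path $NatTKey -Force | Out-Null }
    New-ItemProperty -Path $NatTKey -Name $NatTName -PropertyType DWord -Value $Mode -Force | Out-Null
    Get-IpsecNatTPolicy
}

# Audit first; raise the mode only once the decision has been made deliberately.
Get-IpsecNatTPolicy
```

Run the audit on both the RAS server and a representative client, since the value is per-host and the answer's "No" case depends on the client side as much as the server side.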