The following excerpt is from Chapter 7 of the free e-book "The tips and tricks guide to securing Windows Server 2003" written by Roberta Bragg and available at Realtimepublishers.com.
Remote access Q&A
Q: I set up a Windows 2000 virtual private network (VPN) for use by our salesmen to connect to the corporate LAN. It worked fine at first, but we had a security review, and the experts advised us to change the VPN protocol from Point-to-Point Tunneling Protocol (PPTP) to Layer 2 Tunneling Protocol (L2TP)/IPSec and change our authentication method to certificates. It seems to work in my test lab, but when I put it into production, I cannot get it to work. In addition, we must be accessible to Windows 98 clients. Will upgrading our Routing and Remote Access Service (RRAS) server to Windows .NET solve this problem?
A: From what you're saying, I suspect that your environment uses Network Address Translation (NAT). As you know, NAT modifies the IP source address of all packets. Although this behavior does not cause a problem for Point-to-Point Tunneling Protocol (PPTP), your original VPN protocol, it does cause a problem for Layer 2 Tunneling Protocol (L2TP)/IPSec. In essence, IPSec sees the packet manipulation performed by NAT as tampering and drops the packet. This behavior is not a design flaw in the Windows 2000 (Win2K) implementation of L2TP/IPSec, but rather a lack of NAT-related direction on the part of the standard, and the Win2K implementation is written to the standard. The short answer to your question about upgrading to Windows .NET is maybe. There is an emerging standard for NAT-Traversal that Microsoft has indicated will be supported by Windows .NET. However, we are talking about an emerging standard and an operating system (OS) that, as I write this, has not yet shipped.
You should spend some time investigating this issue on three fronts. First, some non-NAT-related issues of virtual private network design have an impact on L2TP/IPSec implementations. Second, it is important to understand the L2TP/IPSec implementation as it stands now and the problems that NAT can cause. If this is your problem, you will want to be able to document it. There is no sense getting into an argument over the security evaluation results; it is not always possible to implement the preferred solution, but you'll want to have valid reasons why you can't. Finally, you should understand the emerging standard for NAT-Traversal, as it might be an option you want to pursue.