VPN using L2TP not working over NAT

I am setting up a Windows 2003 server as a VPN server. When I try to connect from a Windows XP system over a dial-up modem, everything works fine. However, when I try to connect from behind a broadband router I get the following error: Error 788: The L2TP connection attempt failed because the security layer could not negotiate compatible parameters with the remote computer.
I am using a preshared secret instead of a certificate. PPTP works fine even behind the NAT device. Any ideas what the problem could be?
Are you using IPSEC?  Check your VPN end-points to see where they are located with the broadband setup.  Your VPN tunnel end-points for the dial-up case are computer to computer, so that is not a problem.  

Your scenario of broadband:  NAT is incompatible with IPSEC

Make your broadband router your end point for IPSEC - that way you don't deal with NAT.  Also check your security association (SA) on the broadband and make sure that you have a matching SA on the other end.

Please provide more information on your VPN setup.

Your problem is due to the fact that the server receives the connection from the broadband router, but when negotiating IPSec it finds a different address (the NATed Address).

What you should do is find out a way to tell your client to negotiate IPSec with the external address of the router.

saunders4tom (Author) commented:
My client is the standard VPN client shipped with Windows XP Service Pack 1. The way it won't work is when I am behind a broadband router. My XP system will have a private IP address, using the broadband router as a NAT device.
I know Microsoft released a patch in May 2003 to improve the way XP handled NAT with IPSec/L2TP. However, the next day they pulled the patch from their site as it caused a lot of users to lose internet access. It seems like it had some bugs. I am not sure if the XP VPN client has the ability to handle NAT. Does anyone know if there is a new patch from Microsoft to make it work? I couldn't find one.
How do I tell the MS VPN client to negotiate IPSec with the external address of the router?
I know that my broadband router can handle IPSec, as I can use Checkpoint's VPN client with a Checkpoint VPN server with no problems.
I need the Microsoft VPN client to work behind NAT as I plan to roll it out to our remote users. When I use PPTP it works fine from behind a NAT device.
If you are planning to roll it out to remote users (a remote office, I presume), why not make the router the end-point instead of managing many client end-points?  One end-point is one maintenance point for security association changes.  All traffic going from branch to HQ can be selectively encrypted and tunneled.

I don't know if MS pulled it because of a bug.  I think you are talking about this; it contains a link to the update that you are looking for as well as instructions for implementation:


Many companies tried to go around the way IPSEC and NAT work and ran into the source address being encrypted and then NATed.  When IPSEC authenticates the source address in the IP header, it fails.  MS is not doing anything new, other than creating VPN end-points between the server and the client (bypassing the routers and everything in between).  Their end-points check for their patch and rework the NATed address to circumvent the incompatibilities.
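The mechanics behind the claim above (an integrity check that covers the source address cannot survive NAT, while UDP-encapsulated ESP can), as an added illustration for this thread rather than code from any of the posters or from Microsoft. Addresses, the integrity key and the packets are constructed for the demo; the AH case shows the "authenticates the IP header" failure, the plain ESP transport-mode case shows what actually bites L2TP/IPsec (the inner UDP checksum was computed over the private address), and the NAT-T case shows the RFC 3948 behaviour the 818043 update adds: ESP inside UDP 4500, with the receiver recomputing the inner checksum against the original address announced as NAT-OA during IKE. Encryption is left out because NAT breaks integrity, not confidentiality.

```python
"""Why XP's L2TP/IPsec fails behind a home router, and why NAT-T (ESP in UDP 4500)
survives it. Added illustration; addresses, key and packets are constructed."""
import hashlib
import hmac
import ipaddress
import struct

SA_KEY = b"constructed-integrity-key"   # stands in for the SA's HMAC key
PRIVATE_SRC = "192.168.1.10"             # XP client's address behind the router
PUBLIC_SRC = "203.0.113.5"               # router's outside address (what the server sees)
SERVER = "198.51.100.20"                 # Windows 2003 VPN server
L2TP_PORT = 1701
NAT_T_PORT = 4500


def ip_bytes(addr):
    return ipaddress.IPv4Address(addr).packed


def udp_checksum(src, dst, sport, dport, payload):
    """RFC 768 UDP checksum. The pseudo-header ties it to the source address,
    which is exactly the field a NAT device later rewrites."""
    udp_len = 8 + len(payload)
    data = (ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 17, udp_len)
            + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF) or 0xFFFF


def ah_icv(src, dst, payload):
    """AH authenticates the immutable IP header fields, source address included."""
    return hmac.new(SA_KEY, ip_bytes(src) + ip_bytes(dst) + payload, hashlib.sha1).digest()[:12]


def esp_icv(esp_body):
    """ESP's ICV covers the ESP packet only, never the outer IP header."""
    return hmac.new(SA_KEY, esp_body, hashlib.sha1).digest()[:12]


def build_esp_transport(src, l2tp_payload):
    """Transport-mode ESP carrying L2TP over UDP 1701. The inner UDP checksum is
    computed over the client's real (private) source address."""
    inner_csum = udp_checksum(src, SERVER, L2TP_PORT, L2TP_PORT, l2tp_payload)
    inner_udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp_payload), inner_csum)
    esp_body = struct.pack("!II", 0x1000, 1) + inner_udp + l2tp_payload   # SPI, seq, payload
    return esp_body, esp_icv(esp_body)


def client_ah_packet():
    payload = b"L2TP control message"
    return {"src": PRIVATE_SRC, "dst": SERVER, "proto": 51,
            "payload": payload, "icv": ah_icv(PRIVATE_SRC, SERVER, payload)}


def client_esp_packet():
    body, icv = build_esp_transport(PRIVATE_SRC, b"L2TP data")
    return {"src": PRIVATE_SRC, "dst": SERVER, "proto": 50, "esp": body, "icv": icv}


def client_natt_packet():
    """Same ESP packet, UDP-encapsulated on port 4500 (RFC 3948). nat_oa is the
    original address; in reality it is announced once in IKE, not per packet."""
    body, icv = build_esp_transport(PRIVATE_SRC, b"L2TP data")
    return {"src": PRIVATE_SRC, "dst": SERVER, "proto": 17, "sport": NAT_T_PORT,
            "dport": NAT_T_PORT, "esp": body, "icv": icv, "nat_oa": PRIVATE_SRC}


def broadband_router_nat(pkt):
    """The home router: rewrite the outer source address, and the source port if
    there is one. It cannot touch anything inside the ESP payload."""
    out = dict(pkt)
    out["src"] = PUBLIC_SRC
    if "sport" in out:
        out["sport"] = 40001
    return out


def server_verify_ah(pkt):
    return hmac.compare_digest(ah_icv(pkt["src"], pkt["dst"], pkt["payload"]), pkt["icv"])


def server_verify_esp(pkt, nat_t=False):
    """ESP ICV first, then the inner UDP checksum as the stack sees it after
    decapsulation. With NAT-T the inner checksum is recomputed against NAT-OA
    instead of the outer (rewritten) source address."""
    if not hmac.compare_digest(esp_icv(pkt["esp"]), pkt["icv"]):
        return False
    inner = pkt["esp"][8:]
    sport, dport, _length, csum = struct.unpack("!HHHH", inner[:8])
    believed_src = pkt["nat_oa"] if nat_t else pkt["src"]
    return udp_checksum(believed_src, pkt["dst"], sport, dport, inner[8:]) == csum


def run_scenarios():
    """Verification outcome of each packet at the server (True = accepted)."""
    return {
        "ah_direct": server_verify_ah(client_ah_packet()),
        "ah_behind_nat": server_verify_ah(broadband_router_nat(client_ah_packet())),
        "esp_direct": server_verify_esp(client_esp_packet()),
        "esp_behind_nat": server_verify_esp(broadband_router_nat(client_esp_packet())),
        "natt_behind_nat": server_verify_esp(broadband_router_nat(client_natt_packet()), nat_t=True),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:16s} {'OK' if ok else 'FAIL (packet discarded)'}")
```

Both direct cases pass and both plain-IPsec cases behind the router fail; only the UDP-encapsulated packet verifies after NAT, which is the gap the NAT-T client update closes. The demo ignores a second, independent problem the router has with raw ESP (protocol 50 carries no port for a NAPT device to multiplex on), which UDP 4500 also solves.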


So far, whenever I have encountered those problems, the only solutions I have found are using the router as the VPN end-point or using different software to establish the VPN connection.

I seem to remember that you can download the Intel VPN client for free from their website, but I can't remember if it worked properly.
That's what I stated in my first post.  We are in agreement here.

MS and others have been trying to circumvent the incompatibility problem without much success because of the myriad of applications and their solutions: NAT/PAT, FTP, multimedia using multiple channels, etc.  Router end-point VPN is the way to go (one maintenance point).  

Hey, I proposed that, but saunders4tom still wants to try end-points at the clients.  It should work if the VPN on the router is disabled.  But think about the number of end-points and client PCs that you have to deal with if there is any problem on the PCs.  Heck, a client updates something, the VPN breaks, and more headaches.  With a router end-point you don't need to muck with anyone's PC.

saunders4tom (Author) commented:
The reason I need the end-point to be the client laptops is that by remote office I mean home office. We have salespeople all over the country who work from home and need network access. They also need access from hotels etc. Currently we use a Checkpoint VPN solution and wanted to move to a Microsoft solution.
Now we know your objective.... OK, the MS link I provided above should help you achieve your objective.

saunders4tom (Author) commented:
Hi Gnart. The link below is one of many that talk about the problems with Microsoft's IPSec patch discussed in the 818043 KB article in the link you posted. It also talks about the patch being pulled the following day.
When you go to the link you posted. http://support.microsoft.com/default.aspx?scid=kb;en-us;818043&Product=winxp
Microsoft says the patch is available and gives no indication that there was ever a problem with it. However, if you follow their instructions and attempt to download or locate the patch, it is nowhere to be found. If you can locate this patch and post the actual download link I would appreciate it.
Hi, the download is still at Microsoft; I followed the directions in the article and found it.
Follow these directions (obviously you can jump to the direct link):

1) I started with the link that I posted:

2) The above link leads you to the following:

3) Click on "Find Microsoft Updates" under Microsoft Update Catalog

4) Click on the advanced search option to open up the advanced search options

5) Select operating system Windows XP SP1 (the last on the list)
5a) In "Contains these words" put in 818043
5b) Click "Search"; it will come back with one "Recommended Updates (1)"

6) Click on "Recommended Updates (1)" and you will get:
Download size: 771 KB
This update to Internet Protocol Security Clients IPSec and L2TP/IPSec allows IPSec to work across Network Address Translation (NAT) boundaries. A client may connect to a Windows Server 2003 Server with IPSec or L2TP/IPSec when the client is behind one or more NATs. Users should download this update if they use IPSec and/or L2TP Virtual Private Network (VPN) connections. After you install this item, you may have to restart your computer.

7) Download the program; it's what you need.

