Secure traffic between Windows 2003 servers using the internet

Posted on 2005-05-03
Last Modified: 2010-08-05
Just studying for exam 70-292 right now.

When we need to secure the traffic using the internet between 2 Windows 2003 servers and we use IPsec, can we use the IPsec/L2TP tunneling protocol?
(I thought this tunneling protocol could not pass routers, but in some books they tell it can; I thought we had to use IPsec/PPTP.)

Can someone explain it to me?
Question by: karel_jespers

Expert Comment (LVL 12)

IPSEC can be routed through routers and firewalls, but it depends on how it is encapsulated.
A similar problem arises with VPNs using IPSEC where a VPN needs to go through a NAT (Network Address Translation) device.
If the header of the packet is encrypted, the device cannot read the info required to route it. If the IPSEC traffic uses a different method where only the data is encrypted and not the header, the packet can be read and passed through a router or NAT device and be delivered to a NAT'ed network. This is commonly known as aggressive mode, as it can go through NAT devices.
If you can set a server to use this method, "aggressive mode" (which I have not checked, but presume you can), then yes, it can be routed.
Author Comment (LVL 6)

Is it not that the header is encrypted in the IPsec/L2TP protocol and not encrypted using IPsec/PPTP, so that IPsec/PPTP can be used over the internet where the traffic must pass lots of routers?
Accepted Solution (LVL 12)

And here is your answer according to MS; once again, the real world is a bit different from MS's ideas.

L2TP over IPSec and NAT -- NAT Traversal

One of the issues with IPSec, and hence VPNs using L2TP over IPSec, is the inability to use them in natted environments. In a typical scenario, a VPN tunnel is used to provide access from outside the firewall to inside by opening the ports on the firewall used by the VPN. Both PPTP and L2TP over IPSec VPNs can be configured this way -- unless the firewall, router or other remote access device, which sits between the VPN client and the VPN server, uses NAT. The current IPSec standard does not address this issue; in fact, an implementation -- such as Win2K -- written to the standard sees the NAT manipulation of the addressing as tampering and drops the packets.

The problem with NAT comes about because the NAT device must translate the source address, and might assign a new source port, to maintain a table to be used in routing replies back to the originating host. Here's what's happening: The NAT device modifies an outgoing packet by changing the real source address, the address of the sending client, to that of the Internet routable address provided to the NAT device. When packets from the Internet return to the NAT device, it is able to modify the destination address (which arrives using the Internet routable address assigned as the source address of the outgoing packet). How does it know the new source address to use? It knows because it keeps a table of source addresses and ports mapped to the assigned source address and ports it replaced in outgoing packets. It is able to match the incoming packets and modify the destination address and port. However, because of the built-in security mechanisms of IPSec, such tampering with the address is not allowed, hence the packets are dropped. This is why a Win2K to Win2K VPN that must pass through a NAT device can only use PPTP.

Read the last line for your answer, as taken from ,295582,sid45_gci1050215,00.html
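To make the "NAT rewrite looks like tampering" argument concrete, here is an added Python model that is not part of the thread or of the Microsoft article. It is a simplification: an AH-style integrity check value (ICV) authenticates the outer IP header plus the payload, while an ESP-style ICV authenticates only the ESP payload; the addresses, key and payload are constructed sample values, and the ICV construction (truncated HMAC-SHA1) is a stand-in for the real AH/ESP framing.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace

# Constructed shared SA key; real IPsec keys come from IKE, not a literal.
KEY = b"constructed-shared-key"


@dataclass(frozen=True)
class Packet:
    src: str          # outer IP source address
    dst: str          # outer IP destination address
    payload: bytes    # the tunnelled L2TP/PPP frame
    icv: bytes = b""  # integrity check value computed by the sender


def icv_ah_style(src: str, dst: str, payload: bytes) -> bytes:
    """AH-style ICV: covers the immutable IP header fields AND the payload."""
    covered = f"{src}|{dst}|".encode() + payload
    return hmac.new(KEY, covered, hashlib.sha1).digest()[:12]


def icv_esp_style(payload: bytes) -> bytes:
    """ESP-style ICV: covers the ESP payload only, never the outer IP header."""
    return hmac.new(KEY, payload, hashlib.sha1).digest()[:12]


def send(src: str, dst: str, payload: bytes, header_covered: bool) -> Packet:
    icv = icv_ah_style(src, dst, payload) if header_covered else icv_esp_style(payload)
    return Packet(src, dst, payload, icv)


def nat_outbound(pkt: Packet, public_ip: str) -> Packet:
    """The NAT device replaces the private source address with its routable one."""
    return replace(pkt, src=public_ip)


def receiver_accepts(pkt: Packet, header_covered: bool) -> bool:
    """The VPN server recomputes the ICV over what it received and compares."""
    expected = (icv_ah_style(pkt.src, pkt.dst, pkt.payload) if header_covered
                else icv_esp_style(pkt.payload))
    return hmac.compare_digest(expected, pkt.icv)


def simulate(header_covered: bool, through_nat: bool = True) -> bool:
    """True if the packet survives the path; constructed RFC 5737 sample addresses."""
    pkt = send("192.168.1.10", "198.51.100.7", b"L2TP/PPP frame", header_covered)
    if through_nat:
        pkt = nat_outbound(pkt, "203.0.113.5")
    return receiver_accepts(pkt, header_covered)
```

The header-covering check passes without NAT and fails as soon as the source address is rewritten, which is exactly the "tampering" the article describes; the payload-only check survives, which is the property later exploited by UDP encapsulation of ESP (NAT-T, RFC 3948) to carry L2TP/IPsec through NAT.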
Author Comment (LVL 6)

    tks a lot
