• Status: Solved

Secure traffic between Windows 2003 servers using the Internet

Just studying for exam 70-292 right now.

When we need to secure the traffic using the internet between 2 Windows 2003 servers
and we use IPsec,
can we use the IPsec/L2TP tunneling protocol?
    (I thought this tunneling protocol could not pass routers, but in some books they say it can. I thought we had to use IPsec/PPTP.)

Can someone explain it to me?
1 Solution
IPSEC can be routed through routers and firewalls, but it depends on how it is encapsulated.
A similar problem arises with VPNs using IPSEC where a VPN needs to go through a NAT (Network Address Translation) device.
If the header of the packet is encrypted, the device cannot read the info required to route it. If the IPSEC traffic uses a different method where only the data is encrypted and not the header, the packet can be read and passed through a router or NAT device and be delivered to a NAT'ed network. This is commonly known as aggressive mode, as it can go through NAT devices.
If you can set a server to use this method, "aggressive mode" (which I have not checked, but presume you can), then yes, it can be routed.
karel_jespers (Author) Commented:
Is it not that the header is encrypted in the IPsec/L2TP protocol and not encrypted using the IPsec/PPTP, so that the IPsec/PPTP can be used over the internet where the traffic must pass lots of routers?
And here is your answer according to MS, and once again the real world is a bit different to MS's ideas:
L2TP over IPSec and NAT -- NAT Traversal

One of the issues with IPSec and hence VPNs using L2TP over IPSec is the inability to use them in natted environments. In a typical scenario, a VPN tunnel is used to provide access from outside the firewall to inside by opening the ports on the firewall used by the VPN. Both PPTP and L2TP over IPSec VPNs can be configured this way -- unless the firewall, router or other remote access device, which sits between the VPN client and the VPN server, uses NAT. The current IPSec standard does not address this issue, in fact, an implementation -- such as Win2K -- written to the standard, sees the NAT manipulation of the addressing as tampering and drops the packets.

The problem with NAT comes about because the NAT device must translate the source address, and might assign a new source port to maintain a table to be used in routing replies back to the originating host. Here's what's happening: The NAT device modifies an outgoing packet by changing the real source address, the address of the sending client, to that of the Internet routable address provided to the NAT device. When packets from the Internet return to the NAT device, it is able to modify the destination address (which arrives using the Internet routable address assigned as the source address of the outgoing packet). How does it know the new source address to use? It knows because it keeps a table of source addresses and ports mapped to the assigned source address and ports it replaced in outgoing packets. It is able to match the incoming packets and modify the destination address and port. However, because of the built-in security mechanisms of IPSec such tampering with the address is not allowed, hence the packets are dropped. This is why a Win2K to Win2K VPN that must pass through a NAT device can only use PPTP.

Read the last line for your answer. as taken from
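
The NAT behaviour described in the quoted article, as an added example that is not part of the original thread: a simplified Python model in which an AH-style integrity check covers the addresses and ports, so a packet rewritten by the NAT table fails verification at the receiver. The class names, addresses (documentation ranges) and key are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-shared-key"  # constructed sample key, not a real IPsec SA

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    icv: bytes = b""  # integrity check value; empty when unprotected

def compute_icv(p: Packet) -> bytes:
    # Simplified AH-style check: the MAC covers addresses and ports, not just data.
    covered = f"{p.src}:{p.sport}>{p.dst}:{p.dport}|".encode() + p.payload
    return hmac.new(KEY, covered, hashlib.sha256).digest()

def protect(p: Packet) -> Packet:
    return replace(p, icv=compute_icv(p))

def verify(p: Packet) -> bool:
    return hmac.compare_digest(p.icv, compute_icv(p))

class Nat:
    """Source NAT keeping the mapping table the article describes."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # public port -> (private ip, private port)

    def outbound(self, p: Packet) -> Packet:
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=port)  # ICV left untouched

    def inbound(self, p: Packet) -> Packet:
        ip, port = self.table[p.dport]
        return replace(p, dst=ip, dport=port)

def demo():
    nat = Nat("203.0.113.10")
    sent = protect(Packet("192.168.1.20", 1701, "198.51.100.5", 1701, b"hello"))
    seen = nat.outbound(sent)  # what the remote server receives
    reply = Packet(seen.dst, seen.dport, seen.src, seen.sport, b"ok")
    back = nat.inbound(reply)  # the table routes the reply to the client
    return verify(sent), verify(seen), (back.dst, back.dport)
```

`demo()` shows both halves of the explanation: the mapping table delivers the reply to the private client, while the translated outbound packet no longer matches its integrity value and would be dropped.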
karel_jespers (Author) Commented:
tks a lot
Question has a verified solution.
