

secure traffic between windows 2003 server using the internet

Posted on 2005-05-03
Medium Priority
Last Modified: 2010-08-05
Just studying for exam 70-292 right now.

When we need to secure the traffic using the internet between 2 Windows 2003 servers and we use IPsec, can we use the IPsec/L2TP tunneling protocol?
    (I thought this tunneling protocol could not pass routers, but in some books they tell it can; I thought we had to use IPsec/PPTP.)

Can someone explain it to me?
Question by: karel_jespers
LVL 12

Expert Comment

ID: 13916954
IPSEC can be routed through routers and firewalls, but it depends on how it is encapsulated.
A similar problem arises with VPNs using IPSEC where a VPN needs to go through a NAT (Network Address Translation) device.
If the header of the packet is encrypted, the device cannot read the info required to route it. If the IPSEC traffic uses a different method where only the data is encrypted and not the header, the packet can be read and passed through a router or NAT device and be delivered to a NAT'ed network. This is commonly known as aggressive mode, as it can go through NAT devices.
If you can set a server to use this method ("aggressive mode", which I have not checked, but presume you can) then yes, it can be routed.

Author Comment

ID: 13917090
Is it not that the header is encrypted in the IPsec/L2TP protocol and not encrypted using IPsec/PPTP, so that IPsec/PPTP can be used over the internet where the traffic must pass lots of routers?
LVL 12

Accepted Solution

ColinRoyds earned 2000 total points
ID: 13917393
And here is your answer according to MS, and once again the real world is a bit different to MS's ideas:
L2TP over IPSec and NAT -- NAT Traversal

One of the issues with IPSec, and hence VPNs using L2TP over IPSec, is the inability to use them in NATted environments. In a typical scenario, a VPN tunnel is used to provide access from outside the firewall to inside by opening the ports on the firewall used by the VPN. Both PPTP and L2TP over IPSec VPNs can be configured this way -- unless the firewall, router or other remote access device, which sits between the VPN client and the VPN server, uses NAT. The current IPSec standard does not address this issue. In fact, an implementation -- such as Win2K -- written to the standard sees the NAT manipulation of the addressing as tampering and drops the packets.

The problem with NAT comes about because the NAT device must translate the source address, and might assign a new source port, to maintain a table to be used in routing replies back to the originating host. Here's what's happening: The NAT device modifies an outgoing packet by changing the real source address, the address of the sending client, to that of the Internet-routable address provided to the NAT device. When packets from the Internet return to the NAT device, it is able to modify the destination address (which arrives using the Internet-routable address assigned as the source address of the outgoing packet). How does it know the new source address to use? It knows because it keeps a table of source addresses and ports mapped to the assigned source address and ports it replaced in outgoing packets. It is able to match the incoming packets and modify the destination address and port. However, because of the built-in security mechanisms of IPSec, such tampering with the address is not allowed, hence the packets are dropped. This is why a Win2K to Win2K VPN that must pass through a NAT device can only use PPTP.

Read the last line for your answer. as taken from
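The NAT rewrite the accepted solution describes, as an added simulation that is not part of the original thread: an AH-style integrity check that covers the IP addresses fails once the NAT device rewrites the source, a PPTP/GRE packet carries no such check and passes, and a NAT-T style UDP-encapsulated ESP packet (integrity check over the ESP payload only) also passes. The key, addresses, ports and the packet model are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-demo-sa-key"  # shared SA key, constructed for this example


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes
    icv: bytes = b""  # integrity check value; empty when the packet carries none


def ah_icv(pkt: Packet) -> bytes:
    # AH-style ICV: covers the IP addresses as well as the payload, so any
    # rewrite of src by a NAT device invalidates it at the receiver.
    covered = f"{pkt.src}>{pkt.dst}|".encode() + pkt.payload
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def natt_icv(payload: bytes) -> bytes:
    # NAT-T style (ESP inside UDP): the ICV covers only the ESP payload,
    # never the outer IP/UDP header, so NAT rewrites leave it valid.
    return hmac.new(KEY, payload, hashlib.sha256).digest()


def nat_translate(pkt: Packet, public_ip: str, new_port: int) -> Packet:
    # What the NAT device does on the way out: swap the private source
    # address (and possibly the source port) for its own routable ones.
    return replace(pkt, src=public_ip, sport=new_port)


def receiver_accepts(pkt: Packet, mode: str) -> bool:
    if mode == "ah":
        return hmac.compare_digest(pkt.icv, ah_icv(pkt))
    if mode == "natt":
        return hmac.compare_digest(pkt.icv, natt_icv(pkt.payload))
    if mode == "pptp":
        return True  # GRE has no integrity check over the IP header
    raise ValueError(f"unknown mode {mode!r}")


def simulate(mode: str, behind_nat: bool = True) -> bool:
    # Constructed L2TP frame from a private host to a public VPN server.
    pkt = Packet("192.168.1.10", "203.0.113.5", 1701, 1701, b"L2TP control frame")
    if mode == "ah":
        pkt = replace(pkt, icv=ah_icv(pkt))
    elif mode == "natt":
        pkt = replace(pkt, icv=natt_icv(pkt.payload))
    on_wire = nat_translate(pkt, "198.51.100.7", 40001) if behind_nat else pkt
    return receiver_accepts(on_wire, mode)
```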

Author Comment

ID: 13943500
Thanks a lot.
