Does NAT break IPSec?

I am trying to find a way to securely handle Microsoft Active Directory replication as well as other Microsoft networking traffic between 2 Windows Server 2003 systems.  Ordinarily I would set up a site to site VPN using SonicWall or NetGear devices.  However, I can't in this situation because one of my servers is a virtual server that is hosted at Triple8 networks.  Thus, I have no way of deploying my own hardware based VPN.

I thought the best way to do this would be to set up IPSec Rules and Security Associations to handle all traffic between the 2 systems.  When the policies and rules are disabled, I can successfully ping back and forth between the 2 systems which tells me that I have successfully set up the firewall rules on the side that I can control.

When I enable the policies and launch ping from the command prompt, I just see the message NEGOTIATING SECURITY over and over.  When I examine the logs on both sides, I see several 541, 542, and 543 messages indicating successful starting and ending of security associations.  I have actually tried numerous systems including Windows XP with different firewalls and networks and observed similar results.

The only system with its own direct public ip address is my virtual server at Triple 8.  The other systems that I have tried are all behind firewalls and are NAT'd.

Any thoughts as to why I cannot get this to actually work? Is there a better way to accomplish my goal?

Thank you,

Angela
amozartAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

dj_relentlessCommented:
It can work from behind nat but not all nat's are equal. I've seen to work and not work depending on the hardware.
So in your situation you could put a test server on the dmz of your network and test it. Then at least you will know which side is causing the problem.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
StefanKittelCommented:
Hello,

in general NAT modifies the destination and/or source of the packet so IPSec throws the packet away because it is modified.
Many NAT-router have a IPSEC-passthrough. But not all and not for all situations.

Because you can't remove or modify the NAT-Router your possibilites are limited.

May be you can use a different vpn software to connect. maybe openvpn.

Stefan
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Internet Protocol Security

From novice to tech pro — start learning today.