Cisco IOS Software Release 12.3(11)T
L2TP—IPSec Support for NAT and PAT Windows Clients
Information About L2TP—IPSec Support for NAT and PAT Windows Clients
Cisco IOS Release 12.3(11)T4 and Release 12.4(1)
Note
If you do not have IPSec enabled, or you do not have a NAT or PAT server, multiple Windows clients can
connect to an LNS without this command enabled.
Without L2TP—IPSec Support for NAT and PAT Windows Clients Feature Enabled
For example, Figure 1 shows two Windows 2000 clients that are trying to connect to the end host through
the router running NAT or PAT and the same Cisco IOS LNS router. IPSec is enabled.
Figure 1 Multiple Windows 2000 Clients, NAT Router, and Cisco IOS LNS Router with IP Addresses
Windows 2000 Client #1 establishes an IPSec-protected L2TP tunnel to the Cisco IOS LNS router.
The Windows 2000 client and the Cisco IOS LNS router recognize that there is a router running NAT
between them, and IPSec NAT Traversal (NAT-T) is enabled. The Windows 2000 client attempts to
establish an IPSec security association (SA) and requests transport mode (which it does by default) with
proxies from 10.0.0.2, its local address, to 209.265.200.231, the Cisco IOS LNS router's address.
In transport mode, NAT running on the router translates all outgoing connections (including 10.0.0.2)
to its outside IP address (209.265.200.232), the address on which the traffic arrives at the LNS. However,
NAT cannot modify the L2TP port number (1701), because it is inside the IPSec-encrypted payload. From
the LNS's point of view the tunnel therefore has a local address of 209.265.200.231, a remote address of
209.265.200.232, and a remote port of 1701. All traffic that matches the tunnel 209.265.200.231, port 1701
is sent to Windows 2000 Client #1.
Then Windows 2000 Client #2 establishes an IPSec-protected L2TP tunnel to the Cisco IOS LNS router,
again in transport mode. NAT again translates all outgoing connections to its outside IP address
(209.265.200.232), and again it cannot modify the L2TP port number (1701). The second tunnel is indexed by
exactly the same tuple (209.265.200.231, 209.265.200.232, port 1701), so all traffic that matches tunnel
209.265.200.231, port 1701 is now sent to Windows 2000 Client #2. This second Windows client
connection has effectively ended Windows Client #1's connection to the Cisco IOS LNS router, since
Client #1 no longer receives any traffic.
With L2TP—IPSec Support for NAT and PAT Windows Clients Feature Enabled
With the L2TP—IPSec Support for NAT and PAT Windows Clients feature enabled, IPSec can translate
the L2TP port after decryption. This allows IPSec to map traffic from different hosts behind the same
NAT or PAT router to different source ports, so L2TP can distinguish between the tunnels of multiple
Windows 2000 clients even though every client sends from port 1701.
Now, when an SA is created, a translated port is assigned to it. This port is client-specific: the
same port is used for any new SA created by that client (for example after a rekey). When an encrypted
request is received and decrypted, the source port is translated from the standard value, 1701, to the
client-specific value, and the request with the translated port is then forwarded to L2TP.
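The following Python model, added here as an illustration and not code from Cisco IOS or this document, shows why the L2TP tunnel lookup collides for two Windows clients behind one NAT/PAT router and how a client-specific port translation after decryption resolves it. It assumes (as a simplification) that the LNS indexes tunnels by (local address, remote address, remote port), that a client behind the NAT can be told apart by the UDP source port the NAT/PAT assigned to its NAT-T flow, and that translated ports are allocated sequentially starting at 1702; the NAT-T ports and L2TP control payloads are constructed sample values. The IP addresses are the ones from Figure 1.

```python
from dataclasses import dataclass

L2TP_PORT = 1701  # L2TP UDP port inside the ESP-protected payload; NAT cannot rewrite it


@dataclass(frozen=True)
class Client:
    """A Windows 2000 client on the inside of the NAT/PAT router."""
    name: str
    inside_ip: str
    nat_t_port: int  # assumption: UDP source port the NAT/PAT gave this client's NAT-T (UDP 4500) flow


@dataclass(frozen=True)
class DecryptedL2TP:
    """What the L2TP layer on the LNS sees once IPSec has stripped ESP."""
    local_ip: str
    remote_ip: str
    remote_port: int
    payload: str


class LNS:
    """Minimal model of the LNS: IPSec decryption, optional port translation, L2TP tunnel lookup."""

    def __init__(self, address: str, nat_port_translation: bool):
        self.address = address
        self.nat_port_translation = nat_port_translation  # the feature this page describes
        self.tunnels = {}        # (local_ip, remote_ip, remote_port) -> name of the client owning it
        self.client_ports = {}   # client identity -> translated port, kept across that client's SAs
        self._next_port = 1702   # assumption: translated ports are handed out sequentially

    def decrypt(self, nat_outside_ip: str, nat_t_port: int, payload: str) -> DecryptedL2TP:
        """Transport-mode ESP decryption. NAT already rewrote the outer source address to its
        outside address, but the L2TP source port inside the payload is still 1701."""
        src_port = L2TP_PORT
        if self.nat_port_translation:
            # Feature enabled: assign a client-specific port once, then reuse it for every
            # later SA from the same client (e.g. after a rekey).
            ident = (nat_outside_ip, nat_t_port)
            if ident not in self.client_ports:
                self.client_ports[ident] = self._next_port
                self._next_port += 1
            src_port = self.client_ports[ident]
        return DecryptedL2TP(self.address, nat_outside_ip, src_port, payload)

    @staticmethod
    def tunnel_key(pkt: DecryptedL2TP):
        return (pkt.local_ip, pkt.remote_ip, pkt.remote_port)

    def establish_tunnel(self, client_name: str, pkt: DecryptedL2TP):
        """L2TP tunnel setup: the tunnel is indexed by (local, remote, remote port).
        Returns the key and the name of any client that was displaced from it."""
        key = self.tunnel_key(pkt)
        displaced = self.tunnels.get(key)
        self.tunnels[key] = client_name
        return key, displaced

    def owner_of(self, pkt: DecryptedL2TP):
        """Which client receives traffic that matches this packet's tunnel key?"""
        return self.tunnels.get(self.tunnel_key(pkt))


LNS_ADDRESS = "209.265.200.231"  # Cisco IOS LNS router, as in Figure 1
NAT_OUTSIDE = "209.265.200.232"  # outside address of the router running NAT (or PAT)
CLIENT1 = Client("Client #1", "10.0.0.2", nat_t_port=40001)  # NAT-T ports are constructed
CLIENT2 = Client("Client #2", "10.0.0.3", nat_t_port=40002)


def run_scenario(feature_enabled: bool):
    """Both clients bring up a tunnel through the NAT. Returns, per client, the tunnel key
    the LNS derived for it and which client now owns that key."""
    lns = LNS(LNS_ADDRESS, nat_port_translation=feature_enabled)
    result = {}
    pkts = {}
    for c in (CLIENT1, CLIENT2):
        pkt = lns.decrypt(NAT_OUTSIDE, c.nat_t_port, f"SCCRQ from {c.inside_ip}")  # constructed
        lns.establish_tunnel(c.name, pkt)
        pkts[c.name] = pkt
    for name, pkt in pkts.items():
        result[name] = {"key": LNS.tunnel_key(pkt), "owner": lns.owner_of(pkt)}
    return result


def rekey_keeps_port() -> bool:
    """With the feature enabled, a new SA from the same client gets the same translated port."""
    lns = LNS(LNS_ADDRESS, nat_port_translation=True)
    first = lns.decrypt(NAT_OUTSIDE, CLIENT1.nat_t_port, "SCCRQ")          # initial SA
    second = lns.decrypt(NAT_OUTSIDE, CLIENT1.nat_t_port, "Hello (rekeyed)")  # new SA, same client
    return first.remote_port == second.remote_port


if __name__ == "__main__":
    for enabled in (False, True):
        print("feature enabled:", enabled)
        for name, info in run_scenario(enabled).items():
            print(f"  {name}: key={info['key']} -> traffic delivered to {info['owner']}")
    print("rekey keeps client port:", rekey_keeps_port())
```

Without the feature both clients collapse onto the key (209.265.200.231, 209.265.200.232, 1701), so Client #2's tunnel setup displaces Client #1, which is the failure the page describes. With the feature the decrypted source port becomes 1702 for Client #1 and 1703 for Client #2, the keys differ, and a rekey by Client #1 keeps port 1702.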
Figure 1 (diagram): Windows 2000 Client #1 (10.0.0.2) and Windows 2000 Client #2 (10.0.0.3) on the
inside of a router running NAT (or PAT), whose inside address is 10.0.0.1 and outside address is
209.265.200.232; on the outside, the Cisco IOS LNS router (209.265.200.231) and the end host.