PPTP and L2TP Port Forwarding | VPN and NAT-T

On various occasions during remote access setup, customers have needed Port Address Translation configured through NAT-T devices (gateway routers, firewalls, etc.) onto remote access servers (for example Windows RRAS with NPS).

Here are the details you need to make the connection work, covering port forwarding for both PPTP and L2TP:

PPTP

PPTP tunnel maintenance – TCP 1723
GRE – Protocol ID 47

(It is advised to avoid PPTP; it is not secure.)

L2TP over IPSec

L2TP traffic – UDP 1701
Internet Key Exchange (IKE) – UDP 500
IPSec Network Address Translation (NAT-T) – UDP 4500
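The ports above also need to be allowed on the remote access server itself, not only forwarded by the NAT-T device. The following is an added example, not from the original post, that creates the matching Windows Firewall inbound rules on an RRAS/NPS host. It assumes Windows Server with the NetSecurity module (Windows Server 2012 or later) and an elevated PowerShell session; the rule names are made up for this example. In line with the advice above, the PPTP rules are only created when explicitly requested, and the GRE rule shows that GRE is an IP protocol (47), not a TCP/UDP port.

```powershell
# Added example: Windows Firewall inbound rules on the RRAS/NPS server for the
# L2TP/IPsec ports listed in the post. Assumes Windows Server 2012+ and an
# elevated session. Rule names below are hypothetical.
param(
    # PPTP is insecure; its rules are only created if explicitly requested.
    [switch]$IncludeLegacyPptp
)

$rules = @(
    @{ Name = 'VPN-L2TP-UDP-1701';  Protocol = 'UDP'; LocalPort = 1701; Display = 'L2TP traffic (UDP 1701)' },
    @{ Name = 'VPN-IKE-UDP-500';    Protocol = 'UDP'; LocalPort = 500;  Display = 'IKE (UDP 500)' },
    @{ Name = 'VPN-NAT-T-UDP-4500'; Protocol = 'UDP'; LocalPort = 4500; Display = 'IPsec NAT-T (UDP 4500)' }
)

if ($IncludeLegacyPptp) {
    $rules += @{ Name = 'VPN-PPTP-TCP-1723'; Protocol = 'TCP'; LocalPort = 1723; Display = 'PPTP tunnel maintenance (TCP 1723)' }
    # GRE is IP protocol number 47, not a port, so no LocalPort applies.
    $rules += @{ Name = 'VPN-PPTP-GRE-47'; Protocol = '47'; Display = 'PPTP GRE (IP protocol 47)' }
}

foreach ($r in $rules) {
    # Idempotent: skip rules that already exist so re-running is safe.
    if (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule $($r.Name) already exists, skipping"
        continue
    }
    $params = @{
        Name        = $r.Name
        DisplayName = $r.Display
        Direction   = 'Inbound'
        Action      = 'Allow'
        Protocol    = $r.Protocol
        Profile     = 'Any'
    }
    if ($r.ContainsKey('LocalPort')) { $params.LocalPort = $r.LocalPort }
    New-NetFirewallRule @params | Out-Null
    Write-Host "Created rule $($r.Name)"
}
```

Run it without parameters for an L2TP/IPsec-only server; add `-IncludeLegacyPptp` only where a legacy PPTP client still has to be supported.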

The port forwarding setup is quite straightforward, as long as you know how to configure your NAT-T device. However, one thing to consider is that Windows operating systems by default do not support NAT-T security associations to remote access servers that are located behind a NAT device.

A small registry fix has to be applied as follows:

AssumeUDPEncapsulationContextOnSendRule registry key

  • Log on to the Windows computer as an Administrator.
  • Click Start, type regedit to find the Registry Editor. If the User Account Control dialog box is displayed on the screen and prompts you to elevate your administrator token, click Continue.
  • Locate and then click the following registry subkey:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
  • On the Edit menu, point to New, and then click DWORD (32-bit) Value.
  • Type AssumeUDPEncapsulationContextOnSendRule, and then press Enter.
  • Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
  • In the Value Data box, type one of the following values:
    • 0 – A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
    • 1 – A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
    • 2 – A value of 2 configures Windows so that it can establish security associations when both the Server and the Windows client computer are behind NAT devices.
  • Click OK, and then exit Registry Editor.
  • Restart the computer.
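The same change can be applied and verified from PowerShell, which is easier to roll out to several client machines than the manual Registry Editor steps. This is an added example, not from the original post: it assumes an elevated PowerShell session on the Windows VPN client, accepts only the three documented values, creates the DWORD if it does not exist, and reads it back to confirm. A restart is still required afterwards, as the steps above state.

```powershell
# Added example: set AssumeUDPEncapsulationContextOnSendRule and read it back.
# Assumes an elevated PowerShell session on the Windows VPN client.
param(
    # 0 = default (no SAs to servers behind NAT), 1 = server behind NAT,
    # 2 = both server and client behind NAT (values as documented in the post)
    [Parameter(Mandatory = $true)]
    [ValidateSet(0, 1, 2)]
    [int]$Value
)

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$name    = 'AssumeUDPEncapsulationContextOnSendRule'

if (-not (Test-Path $keyPath)) {
    throw "Registry key $keyPath not found; is the IPsec Policy Agent service present?"
}

# Show the current state before changing anything (an absent value means 0).
$current = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Host "$name is not set (defaults to 0)"
} else {
    Write-Host "$name currently = $current"
}

# -Type DWord matches the 'DWORD (32-bit) Value' the manual steps create;
# Set-ItemProperty creates the value if it does not exist yet.
Set-ItemProperty -Path $keyPath -Name $name -Value $Value -Type DWord

# Read back and verify rather than assuming the write succeeded.
$after = (Get-ItemProperty -Path $keyPath -Name $name).$name
if ($after -ne $Value) { throw "Failed to set $name (read back $after)" }
Write-Host "$name set to $after; restart the computer to apply."
```

Run as `.\Set-NatTRule.ps1 -Value 1` (script name is hypothetical) when only the server is behind NAT, or `-Value 2` when the client is behind NAT as well; use `-Value 0` to revert to the default.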