Windows 2008 IPsec and NAT-T
I need to set up encrypted connection between two 2008 servers using IPsec policies but I have some routers with NAT enabled between them. Is there any way and how can I configure IPsec ESP encapsulation to UDP?
October 15th, 2010 10:41pm

http://support.microsoft.com/kb/926179

http://en-us.sysadmins.lv
October 16th, 2010 12:00pm

Vadim, thanks for the reply. Basically I was thinking about a non-L2TP/IPsec connection, I mean a non-VPN IPsec transport or tunnel connection. With L2TP/IPsec it's pretty much clear and transparent, so there is no need for configuration. It's strange, but I cannot find any mention of NAT-T and an IPsec-secured connection configured using IPsec policies. Thanks again.
October 17th, 2010 7:48pm

Hi bokashovv,

If you want an IPsec connection across NAT, then you need to set up forwarding of IPsec NAT-T (which operates on UDP 4500) to the Windows Server 2008 host on the routers on both sides. But for routing and future requirements, using an L2TP/IPsec connection is the more recommended method to achieve the goal.

For background information please take a look at the article below:

IPSec NAT Traversal Overview
http://technet.microsoft.com/en-gb/library/bb878090.aspx

Thanks.

Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 18th, 2010 6:03am

I really appreciate your help, thanks. It turned out to be a slightly different issue: I need to force IPsec encapsulation in UDP with no NAT between the machines. Can I make it happen? To make it clear: it's the EC2 internal network, where only TCP, UDP and ICMP are allowed, and I need to establish an IPsec connection between two machines.
October 23rd, 2010 1:03am

Hi bokashovv,

If the EC2 network supports TCP, UDP and ICMP, you might like to refer to the article below to implement IPsec communication between two hosts:

Step-by-Step Guide to Internet Protocol Security (IPSec)
http://technet.microsoft.com/en-us/library/bb742429.aspx

Configuring an IPsec filter so that only UDP can pass through should achieve the goal:

Configure advanced IPSec filter settings
http://technet.microsoft.com/en-us/library/cc780534(WS.10).aspx

Thanks.

Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 25th, 2010 9:44am

Hi, I'm still missing the answer: ESP is NOT supported on the EC2 network, so I need to encapsulate it in TCP, UDP or (obviously not possible at all) ICMP; TCP is also questionable, as I'm not aware of any way to do it. So we have only the UDP option, and it may be done via RFC 3948 (UDP encapsulation of IPsec ESP packets). This is supported by Windows, and we know it doesn't require any additional configuration, as NAT will be automatically detected on one or both ends in case we use L2TP/IPsec (may require a registry edit). As we see (info above), it may also be done for end-to-end IPsec if we set up UDP 4500 port forwarding to the IPsec node on each NAT router (personally I didn't try it). But how can we force ESP into UDP encapsulation if we don't have any NAT between the IPsec nodes? Sorry for the stupidity, but I don't see how I can accomplish it using an IPsec filter.
October 25th, 2010 6:47pm
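The RFC 3948 framing the question above refers to is small enough to show end to end. The following is an added illustration, not code from this thread or from Windows: it builds the two kinds of UDP/4500 payloads (ESP with its header directly after UDP, and IKE prefixed by the four-byte non-ESP marker) plus the one-byte NAT keepalive, and demultiplexes them the way a receiver on port 4500 must. The sample SPI, sequence number and zeroed bodies are constructed values.

```python
import struct

NAT_T_PORT = 4500                        # UDP port used once NAT-T is negotiated
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # marks an IKE message (not ESP) on port 4500
NAT_KEEPALIVE = b"\xff"                  # one-octet keepalive datagram (RFC 3948, section 2)


def udp_encap_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """Build the UDP/4500 payload for one ESP packet (RFC 3948, section 2).

    The ESP header (SPI, sequence number) sits directly after the UDP header;
    there is no marker. esp_body stands for the already-encrypted part (IV,
    ciphertext, padding, ICV) and is treated as opaque bytes here.
    """
    if spi == 0:
        # SPI 0 is reserved so that an ESP packet can never look like the non-ESP marker.
        raise ValueError("SPI 0 is reserved")
    return struct.pack("!II", spi, seq) + esp_body


def udp_encap_ike(ike_message: bytes) -> bytes:
    """Build the UDP/4500 payload for an IKE message: four zero bytes, then IKE."""
    return NON_ESP_MARKER + ike_message


def classify(udp_payload: bytes):
    """Demultiplex a datagram received on UDP/4500.

    Returns (kind, detail) with kind in {"nat-keepalive", "ike", "esp", "invalid"}.
    """
    if udp_payload == NAT_KEEPALIVE:
        return "nat-keepalive", None
    if len(udp_payload) < 4:
        return "invalid", None
    if udp_payload[:4] == NON_ESP_MARKER:
        return "ike", udp_payload[4:]
    if len(udp_payload) < 8:
        return "invalid", None          # too short to carry an ESP header
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return "esp", {"spi": spi, "seq": seq, "body": udp_payload[8:]}


def demo():
    """Round-trip three constructed datagrams through the demultiplexer."""
    ike = udp_encap_ike(bytes(28))             # constructed: zeroed 28-byte IKE header
    esp = udp_encap_esp(0x1234ABCD, 7, bytes(16))  # constructed SPI/seq, opaque body
    return [classify(x)[0] for x in (NAT_KEEPALIVE, ike, esp)]


if __name__ == "__main__":
    print(demo())
```

The point of the marker is visible in `classify`: because a real SPI is never zero, the first four bytes alone tell IKE and ESP apart, so a single UDP socket on 4500 can carry both. Nothing in this framing depends on a NAT actually being present; whether an implementation will use it without one is a policy decision of that implementation, which is exactly the gap the question above is about.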

Bokashovv,

I'm still not sure exactly what you are looking for. Could you please clarify what exactly you are trying to accomplish by implementing IPsec? And, by EC2 network are you referring to Amazon's Elastic Compute Cloud?

As far as IPsec itself, IPsec negotiates a secure connection using UDP port 500. If there is a NAT device between the endpoints then this will be determined within the first four messages of the Main Mode negotiation, at which point the conversation will change to UDP port 4500. Also, protocols 50 and 51 will need to be allowed. This is important if there is a device, such as a firewall, between the endpoints. If the device is doing NAT then protocol 50 will need to be allowed for ESP; AH is not used with NAT. If the firewall is only routing traffic then protocol 51 will also need to be allowed for AH.

Could you please clarify what you mean by "ESP is NOT supported on EC2 network so I need to encapsulate it to TCP, UDP or (such obviously not possible at all) to ICMP;"? ESP is part of the IPsec protocol. The hash and encryption methods used for ESP are negotiated during the IPsec negotiation. So you could not encapsulate something using ESP outside of IPsec. Also, if the EC2 network will not allow for ESP then this would be a limitation of the EC2 network.

As far as protecting UDP traffic with ESP, UDP can be protected by IPsec by configuring the protocol to protect in the IPsec policy and selecting UDP.

Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Regards,
Clark Satter
Microsoft Online Community Support
November 2nd, 2010 10:26pm
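The NAT detection described in the reply above (decided during Main Mode, then a move from UDP 500 to UDP 4500) works by each peer hashing the addresses it believes it is using and the other side recomputing the hash over the addresses it actually observed. This is an added worked example, not code from the thread or from Windows: it implements the RFC 3947 NAT-D payload, HASH(CKY-I | CKY-R | IP | Port), which IKEv1 carries in Main Mode messages 3 and 4. SHA-1 is assumed as the negotiated hash, and the cookies and addresses are constructed values. In the first scenario the peer sits behind a NAT that rewrites its source address; in the second there is no NAT, and the port stays at 500.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).

    HASH is whatever the peers negotiated in the SA proposal; SHA-1 is assumed here.
    """
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)   # 4 bytes for IPv4, 16 for IPv6
    h.update(struct.pack("!H", port))
    return h.digest()


def build_nat_d(cky_i, cky_r, own_addrs, peer_addr):
    """Sender side: one hash for the address it sends TO, then one per local
    address it may send FROM. Returns (dst_hash, [src_hashes])."""
    dst = nat_d_hash(cky_i, cky_r, *peer_addr)
    srcs = [nat_d_hash(cky_i, cky_r, ip, port) for ip, port in own_addrs]
    return dst, srcs


def detect_nat(cky_i, cky_r, received_dst, received_srcs, observed_peer, my_addr):
    """Receiver side: recompute the hashes over what was actually seen on the wire.

    If no source hash matches the observed source address, the peer is behind a NAT.
    If the destination hash does not match our own address, we are behind a NAT.
    """
    peer_behind_nat = nat_d_hash(cky_i, cky_r, *observed_peer) not in received_srcs
    me_behind_nat = nat_d_hash(cky_i, cky_r, *my_addr) != received_dst
    return peer_behind_nat, me_behind_nat


def negotiate_port(peer_behind_nat: bool, me_behind_nat: bool) -> int:
    """Either side behind a NAT moves the exchange (and ESP) to UDP 4500."""
    return 4500 if (peer_behind_nat or me_behind_nat) else 500


# Constructed scenario values (not from the thread)
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
PEER_PRIVATE = ("10.0.0.5", 500)       # what the peer believes its address is
PEER_PUBLIC = ("203.0.113.7", 500)     # what the NAT rewrites the source to
MY_ADDR = ("198.51.100.9", 500)


def run_scenario(observed_peer):
    """The peer builds NAT-D from its own view; we evaluate it against observed_peer."""
    dst, srcs = build_nat_d(CKY_I, CKY_R, [PEER_PRIVATE], MY_ADDR)
    peer_nat, me_nat = detect_nat(CKY_I, CKY_R, dst, srcs, observed_peer, MY_ADDR)
    return peer_nat, me_nat, negotiate_port(peer_nat, me_nat)


if __name__ == "__main__":
    print("with NAT:   ", run_scenario(PEER_PUBLIC))
    print("without NAT:", run_scenario(PEER_PRIVATE))
```

This is why, absent a NAT, both hashes match and the endpoints stay on UDP 500 with ESP as IP protocol 50: the port change is a consequence of detection, not an independently selectable mode. Including the cookies in the hash also binds each NAT-D payload to this particular negotiation, so one peer cannot simply replay another session's payloads.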

Tunneling the packet once after it's been encrypted should work. You will have to work out the details though.

IPSEC tunnel packet with no ESP from GW1 to GW2:

Client 1 -> GW1 ----------> GW2 -> Client 2

That said, the problem isn't exactly IPSEC; the problem looks to be that you want to add another layer of addresses on top of the IPSEC-encrypted traffic.

My replies are my personal opinion and cannot be construed to be official Microsoft response. Microsoft will not be responsible for any consequences of my replies.
June 12th, 2011 2:19pm
