VPN/UDP Port forwarding in Vista
We were running a Linux virtual machine in NAT mode using VMware under Windows XP. Port forwarding was enabled for UDP ports 500 and 4500 in the VM. The remote OpenSwan server was not behind NAT but had NAT-T support enabled in ipsec.conf. The IPsec VPN worked fine when the host computer was behind a cable/DSL modem directly or behind a broadband router.

However, the setup did not work under Vista. The VPN was started. But as we observed using Wireshark, after receiving packets from the VPN server, Vista would not forward the packets back to the virtual NAT router (VMnet8). As a workaround, we enabled Internet Connection Sharing (ICS) under Vista and used VMnet8 as the client. Now the VPN worked.

We tested this using VirtualBox and the same problem occurred: the VPN worked when the host OS was XP but did not work when the host OS was Vista. So it was not caused by VMware but by Vista. For certain reasons, we must run the VM in NAT mode instead of bridged mode.

It seems something was changed in Vista to improve security. I am wondering if there is a magic registry key or a command line tool which can disable the new improvement in Vista so that we do not need to depend on ICS. Is it possible to set up/view ICS using a command line utility like netsh or any other tool?

I did check the following site but it did not help: http://www.jacco2.dds.nl/networking/vista-openswan.html#NAT-T

Thanks very much!
January 30th, 2009 1:17am

Hi,

Why would you be running a VPN server virtually on a client machine? What Vista version did you install?

Victor Constantinescu - MVP Security, MCTS
February 1st, 2009 1:25am

We used Vista Business SP1.

The VPN (OpenSwan) server was not on the client machine. The VPN server was on a remote machine with a public IP. The client machine is a CentOS virtual machine hosted by VMware under Windows. The client machine was behind a virtual NAT router (VMnet8).

When the host OS was Windows XP, the VPN connection worked without any problem. We needed to forward UDP ports 500 and 4500 to the VM because IPsec packets were encapsulated inside UDP packets. There was no need to set up ICS.

When the host OS was Vista, we must set up ICS. If we did not, the VPN connection was still established according to the server logs. However, when we pinged the server from the client, the server would receive packets through the VPN connection and respond. But Vista would not forward the packets from the server back to the VM. This is the difference between Vista and XP.

We were wondering why.

Can ICS be set up through command line under Vista?

Thanks.
February 2nd, 2009 7:49am
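The thread asks whether ICS can be viewed or configured from the command line on Vista. The script below is an added example, not code from either poster, and not a Microsoft-supplied tool: it drives the same `HNetCfg.HNetShare` COM object that the Network Connections GUI uses. The two adapter names (`Local Area Connection` as the Internet-facing side, `VMware Network Adapter VMnet8` as the shared side) are assumptions and must be changed to match the host; it also assumes PowerShell 2.0 is installed on the Vista host and is run from an elevated prompt, since changing ICS requires administrator rights.

```powershell
# Added example (not from the original thread): view and set Internet Connection
# Sharing on Vista through the HNetCfg.HNetShare COM object.
# Run from an elevated PowerShell 2.0 prompt. Adapter names are assumptions.

$PublicName  = 'Local Area Connection'            # assumed: adapter facing the Internet
$PrivateName = 'VMware Network Adapter VMnet8'    # assumed: host-side VMnet8 adapter

$share = New-Object -ComObject HNetCfg.HNetShare

# List every connection with its ICS role: none, public (shared out) or private (shared to).
function Get-IcsState {
    foreach ($conn in $share.EnumEveryConnection) {
        $props = $share.NetConnectionProps.Invoke($conn)
        $cfg   = $share.INetSharingConfigurationForINetConnection.Invoke($conn)
        $role  = 'none'
        if ($cfg.SharingEnabled) {
            if ($cfg.SharingConnectionType -eq 0) { $role = 'public' } else { $role = 'private' }
        }
        New-Object PSObject -Property @{
            Name    = $props.Name
            Device  = $props.DeviceName
            Sharing = $role
        }
    }
}

# Share $public to $private. ICS allows exactly one public/private pair, so every
# existing sharing setting is cleared first, then the public side is enabled before
# the private side (the COM object rejects a private with no public in place).
function Set-Ics([string]$public, [string]$private) {
    $publicCfg  = $null
    $privateCfg = $null
    foreach ($conn in $share.EnumEveryConnection) {
        $name = $share.NetConnectionProps.Invoke($conn).Name
        $cfg  = $share.INetSharingConfigurationForINetConnection.Invoke($conn)
        if ($cfg.SharingEnabled) { $cfg.DisableSharing() }
        if ($name -eq $public)  { $publicCfg  = $cfg }
        if ($name -eq $private) { $privateCfg = $cfg }
    }
    if ($publicCfg -eq $null -or $privateCfg -eq $null) {
        throw "Adapter not found: check `$PublicName and `$PrivateName"
    }
    $publicCfg.EnableSharing(0)    # 0 = ICSSHARINGTYPE_PUBLIC
    $privateCfg.EnableSharing(1)   # 1 = ICSSHARINGTYPE_PRIVATE
}

# Usage: show the current state, apply the VMnet8 workaround described above, show again.
Get-IcsState | Format-Table Name, Device, Sharing -AutoSize
Set-Ics $PublicName $PrivateName
Get-IcsState | Format-Table Name, Device, Sharing -AutoSize
```

`netsh` on Vista has no ICS context (the XP-era `netsh routing ip nat` commands belong to the RRAS components that are not present on the client SKUs), so the COM object is the practical scripted route. Enabling ICS on VMnet8 hands the VMnet8 adapter the fixed 192.168.137.1 address and turns on ICS's own NAT and DHCP on that side; if the VM is expected to keep the address VMware's NAT assigned it, check its IP after applying this and re-check the VMware port forwards for UDP 500 and 4500.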
