Special Configuration For Windows XP Client; Windows XP VPN Client Configuration - Motorola WS5100 Series Migration Guide

• The IPSec Authentication Header (AH) integrity-protects the entire IP packet, including the non-mutable fields of the IP header, against modification in transit. NAT must rewrite the IP header, so NAT is inherently incompatible with AH.
• The IPSec Encapsulating Security Payload (ESP) encrypts the transport layer of the IP packet. Hide NAT (port address translation) works by rewriting TCP and UDP ports, but ESP carries no port numbers of its own and the inner TCP/UDP ports are encrypted, so hide NAT cannot translate ESP packets.

The solution to this problem is UDP encapsulation: the IPSec packet is wrapped in an additional UDP/IP header that NAT devices can translate like any other UDP flow. This works for IPSec ESP (it does not rescue AH, whose protected outer IP header is still rewritten). UDP-encapsulated ESP packets are exchanged between IKE peers, and the peers must support the same method of UDP encapsulation. During IKE phase 1 the peers exchange a known value (a NAT-Traversal Vendor ID payload) to determine whether both support NAT traversal; if they agree, they use NAT-Discovery (NAT-D) payloads, which carry hashes of each peer's address and port as that peer sees them, to determine whether NAT is being applied somewhere between them. UDP encapsulation is used only when the peers agree and NAT is encountered.

In the method described here, IKE peers communicate over UDP port 500 and UDP-encapsulated ESP is sent on the same port, which ensures that IKE and UDP-encapsulated ESP packets are subjected to the same mid-stream address translation. The sender indicates that an encapsulated ESP packet follows by setting the first 8 bytes of the UDP payload to zero. These bytes overlap the IKE initiator cookie field, for which zero is an invalid value, so an implementation can use them to discriminate between IKE and UDP-encapsulated ESP arriving on port 500; only peers that have agreed to NAT traversal will ever send UDP-encapsulated ESP. Note that the IETF-standardized form of NAT traversal (RFC 3947 and RFC 3948) differs in detail: once NAT is detected, both IKE and encapsulated ESP move to UDP port 4500, and ESP is marked with a 4-byte zero Non-ESP Marker. The variants are announced with different Vendor IDs, so NAT traversal is only agreed when both peers implement a common one.

In hide NAT, a private IP address and source port are temporarily bound to a shared public IP address and an unused port on it. A timeout dissolves this binding after seconds or minutes of inactivity, enabling the hide NAT pool to be reused. IPSec VPNs protect traffic exchanged between mutually authenticated endpoints, and for NAT traversal to work those endpoints cannot be dynamically remapped mid-session: if the binding expires, the next packet is sent from a new public port and the peer no longer recognizes the flow. To preserve dynamic NAT bindings for the life of an IPSec session, a one-byte UDP keepalive (a single 0xFF byte in the standardized form) is sent during idle periods.
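To make the port-500 demultiplexing and the keepalive argument concrete, here is an added Python example; it is not code from the WS5100 guide or from Motorola's firmware. It models the variant described above, in which IKE and UDP-encapsulated ESP share UDP port 500 and ESP is prefixed with 8 zero bytes, and it simulates a hide NAT binding table with an idle timeout. The 0xFF keepalive value is the RFC 3948 one and is an assumption for this device; the addresses, SPI, cookie and the 30-second NAT timeout are constructed sample values.

```python
"""UDP-encapsulated ESP versus IKE on UDP port 500, and hide-NAT binding lifetime.

Added example, not Motorola's code. It models the draft-style encapsulation
described above: an 8-byte zero marker in front of ESP, sharing port 500 with IKE.
The keepalive byte value (0xFF) is taken from RFC 3948; port numbers, SPIs and
timeouts below are constructed sample values.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

NON_ESP_MARKER = b"\x00" * 8      # overlaps the ISAKMP initiator cookie, which may never be zero
NAT_KEEPALIVE = b"\xff"           # one-byte keepalive (RFC 3948 value, assumed here)
ISAKMP_HDR_LEN = 28               # 8 I-cookie + 8 R-cookie + 12 bytes of fixed header fields
ESP_HDR_LEN = 8                   # 4-byte SPI + 4-byte sequence number


def build_isakmp(initiator_cookie: bytes, exchange_type: int = 2, body: bytes = b"") -> bytes:
    """Constructed ISAKMP message (RFC 2408 header layout) with a non-zero initiator cookie."""
    if len(initiator_cookie) != 8 or initiator_cookie == NON_ESP_MARKER:
        raise ValueError("initiator cookie must be 8 non-zero bytes")
    responder_cookie = b"\x00" * 8                       # zero until the responder answers
    fixed = struct.pack("!BBBBII", 1, 0x10, exchange_type, 0, 0, ISAKMP_HDR_LEN + len(body))
    return initiator_cookie + responder_cookie + fixed + body


def build_udp_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Constructed UDP-encapsulated ESP: zero marker, then the ESP header and opaque ciphertext."""
    return NON_ESP_MARKER + struct.pack("!II", spi, seq) + ciphertext


def classify(payload: bytes) -> str:
    """Demultiplex a UDP/500 payload the way a receiving peer must: keepalive, esp, ike or invalid."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if len(payload) >= len(NON_ESP_MARKER) + ESP_HDR_LEN and payload[:8] == NON_ESP_MARKER:
        return "esp"
    if len(payload) >= ISAKMP_HDR_LEN and payload[:8] != NON_ESP_MARKER:
        return "ike"
    return "invalid"   # too short, or a zero cookie with no ESP header behind it


@dataclass
class HideNat:
    """Minimal many-to-one NAT: (private ip, port) -> shared public ip and an unused port, expiring on idle."""
    public_ip: str
    idle_timeout: float
    next_port: int = 40000
    bindings: Dict[Tuple[str, int], Tuple[int, float]] = field(default_factory=dict)

    def expire(self, now: float) -> None:
        for key, (_, last_seen) in list(self.bindings.items()):
            if now - last_seen >= self.idle_timeout:
                del self.bindings[key]

    def translate(self, priv_ip: str, priv_port: int, now: float) -> Tuple[str, int]:
        self.expire(now)
        key = (priv_ip, priv_port)
        if key in self.bindings:
            pub_port = self.bindings[key][0]
        else:                                    # no live binding: allocate a fresh public port
            pub_port = self.next_port
            self.next_port += 1
        self.bindings[key] = (pub_port, now)     # every packet refreshes the idle timer
        return self.public_ip, pub_port


def simulate_session(idle_timeout: float, keepalive_interval: Optional[float], silence: float) -> Tuple[int, int]:
    """Public port seen by the gateway at session start and again after `silence` seconds without
    user traffic. With keepalives the port is stable; without them the binding expires and the
    peer sees a new source port mid-session, which breaks the established IPSec flow."""
    nat = HideNat(public_ip="203.0.113.1", idle_timeout=idle_timeout)
    client = ("192.168.1.10", 500)
    first_port = nat.translate(*client, now=0.0)[1]
    if keepalive_interval:
        t = keepalive_interval
        while t < silence:
            nat.translate(*client, now=t)        # client emits NAT_KEEPALIVE during the idle period
            t += keepalive_interval
    later_port = nat.translate(*client, now=silence)[1]
    return first_port, later_port


if __name__ == "__main__":
    print(classify(build_isakmp(b"\x6a\x4f\x22\x91\x10\x3c\xde\x07")))           # ike
    print(classify(build_udp_esp(0x12345678, 1, b"\xaa" * 32)))                   # esp
    print(classify(NAT_KEEPALIVE))                                                 # keepalive
    print(simulate_session(idle_timeout=30, keepalive_interval=None, silence=60))  # (40000, 40001)
    print(simulate_session(idle_timeout=30, keepalive_interval=20, silence=60))    # (40000, 40000)
```

The classifier only needs the first 8 bytes because a zero initiator cookie can never be a legitimate IKE message; the simulation shows why a keepalive interval shorter than the NAT idle timeout is what keeps the public port, and therefore the IPSec session, alive.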

11.4 Special Configuration for Windows XP Client

Follow the CLI commands below to configure the WS5100 as a VPN gateway for a Windows XP client. This is in addition to what is described in Configuring for Remote VPN Client. Follow the steps below to configure the transform-set:
1. The transform-set must use esp-3des esp-sha-hmac and its mode must be set to transport. This is the transform-set the Windows XP client proposes, and it is pre-configured on the client (L2TP/IPSec always uses transport mode, because L2TP itself carries the tunneled traffic). If this is not set correctly on the switch, an algorithm/encapsulation mismatch error will appear during IPSec negotiation.
WS5100(config)#crypto ipsec transform-set xyz esp-3des esp-sha-hmac
WS5100(config-crypto-ipsec)#mode transport
2. Under the crypto map, set the remote-type to ipsec-l2tp and apply the transform-set. An example is given below.
WS5100(config)#crypto map mode 10 ipsec-isakmp dynamic
WS5100(config-crypto-map)#set remote-type ipsec-l2tp
WS5100(config-crypto-map)#set transform-set xyz
NOTE: aes-192 and aes-256 are not supported with the Windows XP client.
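Because a transform-set mismatch only surfaces as an opaque negotiation error, here is an added Python example, not part of the guide or of the WS5100 firmware, that parses the CLI forms shown above and reports anything that would not match the Windows XP client's fixed proposal. It handles only the commands shown in this section; the assumption that a transform-set defaults to tunnel mode, and the esp-aes-192 / esp-aes-256 keyword spellings, are mine rather than taken from the page.

```python
"""Check a WS5100-style IPSec configuration against what a Windows XP L2TP/IPSec client proposes.

Added example, not part of the Motorola guide. It understands only the CLI forms
shown in this section (transform-set, mode, crypto map, set remote-type,
set transform-set). Assumptions: a transform-set defaults to tunnel mode, and
AES keywords are spelled 'esp-aes-192' / 'esp-aes-256'.
"""
import re
from typing import Dict, List, Tuple

# What the Windows XP client sends, per the text above: 3DES, SHA-1 HMAC, transport mode, L2TP.
XP_TRANSFORMS = frozenset({"esp-3des", "esp-sha-hmac"})
XP_MODE = "transport"
XP_REMOTE_TYPE = "ipsec-l2tp"
UNSUPPORTED_BY_XP = frozenset({"esp-aes-192", "esp-aes-256"})   # keyword spelling assumed

PROMPT = re.compile(r"^\S*\(config[^)]*\)#\s*")   # strips 'WS5100(config-...)#' when pasted from a session


def parse_config(text: str) -> Tuple[Dict[str, dict], Dict[Tuple[str, int], dict]]:
    """Return ({set_name: {transforms, mode}}, {(map_name, seq): {remote_type, transform_set}})."""
    sets: Dict[str, dict] = {}
    maps: Dict[Tuple[str, int], dict] = {}
    current: dict = {}
    kind = None                                   # which sub-mode the following lines belong to
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            current = sets.setdefault(m.group(1), {"transforms": tuple(m.group(2).split()), "mode": "tunnel"})
            kind = "set"
        elif m := re.match(r"cr(?:ypto)? map (\S+) (\d+) ipsec-isakmp(?: dynamic)?$", line):
            current = maps.setdefault((m.group(1), int(m.group(2))), {"remote_type": None, "transform_set": None})
            kind = "map"
        elif kind == "set" and (m := re.match(r"mode (transport|tunnel)$", line)):
            current["mode"] = m.group(1)
        elif kind == "map" and (m := re.match(r"set remote-type (\S+)$", line)):
            current["remote_type"] = m.group(1)
        elif kind == "map" and (m := re.match(r"set transform-set (\S+)$", line)):
            current["transform_set"] = m.group(1)
    return sets, maps


def check_xp_compat(sets: Dict[str, dict], maps: Dict[Tuple[str, int], dict]) -> List[str]:
    """One finding per mismatch that would show up as an algorithm/encapsulation error with the XP client."""
    findings: List[str] = []
    for (name, seq), cmap in maps.items():
        where = f"crypto map {name} {seq}"
        if cmap["remote_type"] != XP_REMOTE_TYPE:
            findings.append(f"{where}: remote-type is {cmap['remote_type']}, expected {XP_REMOTE_TYPE}")
        tset = sets.get(cmap["transform_set"])
        if tset is None:
            findings.append(f"{where}: transform-set {cmap['transform_set']} is not defined")
            continue
        algs = set(tset["transforms"])
        if algs & UNSUPPORTED_BY_XP:
            findings.append(f"transform-set {cmap['transform_set']}: "
                            f"{' '.join(sorted(algs & UNSUPPORTED_BY_XP))} not supported by the XP client")
        if algs != XP_TRANSFORMS:
            findings.append(f"transform-set {cmap['transform_set']}: {' '.join(tset['transforms'])} "
                            f"does not match the client proposal esp-3des esp-sha-hmac")
        if tset["mode"] != XP_MODE:
            findings.append(f"transform-set {cmap['transform_set']}: mode {tset['mode']}, L2TP/IPSec requires transport")
    return findings


def lint(text: str) -> List[str]:
    return check_xp_compat(*parse_config(text))


# The configuration given in this section, as a pasted CLI session.
GOOD_CONFIG = """
WS5100(config)#crypto ipsec transform-set xyz esp-3des esp-sha-hmac
WS5100(config-crypto-ipsec)#mode transport
WS5100(config)#crypto map mode 10 ipsec-isakmp dynamic
WS5100(config-crypto-map)#set remote-type ipsec-l2tp
WS5100(config-crypto-map)#set transform-set xyz
"""

# Constructed counter-example: AES-256, mode left at the assumed tunnel default, remote-type never set.
BAD_CONFIG = """
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map mode 10 ipsec-isakmp dynamic
set transform-set strong
"""

if __name__ == "__main__":
    print(lint(GOOD_CONFIG))          # []
    for finding in lint(BAD_CONFIG):  # four findings
        print(finding)
```

Run it against a pasted session or a saved configuration; an empty result means the transform-set, mode and remote-type all line up with what the XP client will propose, so a remaining failure is elsewhere (pre-shared key, L2TP settings or NAT traversal) rather than in the IPSec proposal.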

11.4.1 Windows XP VPN Client Configuration

To configure the VPN client running on Windows XP, you need to set up:
• VPN connection and
