I got a strange request in a Slack channel the other day. A colleague in South Africa, who uses Windows, was unable to connect to our VPN (Virtual Private Network).
We use the built-in VPN on Windows Server 2012 R2, which makes it extremely convenient to manage per-user security without opening up the firewall for the entire world to connect to the server with RDP (Remote Desktop Protocol).
The reason this is a strange request is that I have a MacBook Pro, and creating a VPN connection couldn’t have been easier for me. Another colleague also has an Apple laptop, so of course they’re not affected either.
After searching online, I discovered this inconspicuous post on Spiceworks.
The answer is to create a key in the Windows 10 client registry, that enables IPSec NAT Traversal (I know, right?).
The Spiceworks post links to Microsoft KB article 926179, which says to add the following key to your Windows 10 registry:
- Branch:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
- Key:
AssumeUDPEncapsulationContextOnSendRule
- Type:
DWORD (32-bit)
- Value:
2
According to the KB article, a value of 2 “configures Windows so that it can establish security associations when both the server and the […] client computer are behind NAT devices.”
This same registry tweak works on Windows Vista. Given that it also works on a Windows 10 client, it seems safe to assume that it works on Windows 7 and 8.x. There is even a similar registry entry for Windows XP. Go figure.
Yet another problem solved by someone else. Thanks, Gareth4146.
Photo by Robert Hickerson on Unsplash