I have now received the official response from Simon Conant, MCSE Security Programme Manager for Microsoft. The problems stems from when downloaded the L2TP/IPSec NAT-T Update for Windows XP (Q818043) from Windows Update (which has now been removed).

According to Simon the update was a feature add - to run WindowsXP clients using the IPSEC security protocol with NAT translation.
    Microsoft has released an update package to enhance the current functionality of the Layer Two Tunneling Protocol (L2TP) and Internet Protocol security (IPSec) on computers that are running Windows XP or Windows 2000. This update includes improvements to IPSec to better support virtual private network (VPN) clients behind network address translation (NAT) devices by implementing NAT as specified in the Internet Engineering Task Force (IETF) RFC 3193 and draft-02 of the IETF NAT-T specification. The update also includes additional support for stronger IPSec protection by using the 2048-bit Diffie-Hellman algorithm (Group 14).
IPSEC listens on UDP port 500 and UDP port 4500, if a none-Microsoft application or firewall is using the port -or- is being blocked by personal firewall even if the ports are opened by configuring the Personal firewalls advanced options - this problem may occur.

Although this problem may seem like a error, it is in-fact just IPSEC using its default security setting, which is to make the connection safe. But in this case it can unfortunately cause loss of internet functionality.

You can un-install this update via Add/Remove (control panel) as well as being able to call Microsoft Support.

View: L2TP/IPSec NAT-T Update for Windows XP and Windows 2000
View: Original Neowin story - Microsoft yanks a bad Windows patch

NAT-T and Firewall Rulesets
Because the new NAT-T code is designed around the IETF RFC 3193 and draft-02 of the IETF NAT-T specification, for these services to run through a firewall, you must open the following ports in the firewall rules:
  • L2TP – User Datagram Protocol (UDP) 500, UDP 1701
  • NAT-T – UDP 4500
  • ESP - Internet Protocol (IP) protocol 50

    Note: This may affect server configurations for third-party gateways.


    • There are 32 additional comments
    Advertisement
    Quote this comment Reply to this comment #1 Posted by Avenger on 28 May 2003 - 18:39
    QUOTE
    You can unstall this update via Add/Remove (control pannel) as well as being able to call Microsoft Support.


    I'm guessing you mean Uninstall.
    (1 reply) Quote this comment Reply to this comment #2 Posted by Voodoo on 28 May 2003 - 18:41
    lol yeh i've sorted the spelling sorry.
    Quote this comment #2.1 Posted by Avenger on 28 May 2003 - 18:43
    That was fast. I was just bored, that's all.
    (1 reply) Quote this comment Reply to this comment #3 Posted by XP-RTM on 28 May 2003 - 18:41
    Why would anyone like to install this crap when is going to cause loss of internet functionality or make your computer slow as hell?
    Quote this comment #3.1 Posted by Voodoo on 28 May 2003 - 18:45
    QUOTE (#3.0 by )
    Why would anyone like to install this crap when is going to cause loss of internet functionality or make your computer slow as hell?

    the update was a feature add - to run WindowsXP clients using the IPSEC security protocol with NAT translation.
    Quote this comment Reply to this comment #4 Posted by creamhackered on 28 May 2003 - 19:08
    This is a good reason why patches need to be tested externally. I think Microsoft are considering this at the moment.
    (13 replies) Quote this comment Reply to this comment #5 Posted by angelic999 on 28 May 2003 - 19:16
    He he ... Then let people from Neowin or OSBetas help MS out
    Sure would be nice to see what you guys would say about their updates.
    Quote this comment #5.1 Posted by Jason on 28 May 2003 - 19:33
    I wouldn't trust about three quaters of the people here and their uneducated responces.

    Last edited by 9969 on 28 May 2003 - 19:40
    Quote this comment #5.2 Posted by creamhackered on 28 May 2003 - 19:52
    I wouldn't trust you with a pen and paper
    Quote this comment #5.3 Posted by Jason on 28 May 2003 - 19:56
    I wouldn't trust you with a piece of toilet paper to wipe your own ass.

    Last edited by 9969 on 28 May 2003 - 20:15
    Quote this comment #5.4 Posted by XP-RTM on 28 May 2003 - 20:01
    Jason you are offending neowin you know that?
    Quote this comment #5.5 Posted by creamhackered on 28 May 2003 - 20:04
    Jason, Jason, Jason; at least learn the English language, basic punctuation and correct grammar before giving the big "I am 10 years older than everyone here" speech along with the "Everyone here is stupid because I am 10 years older than them". If you learn to spell correctly and form structured sentences it might make your flaming comments a bit better.
    Quote this comment #5.6 Posted by Jason on 28 May 2003 - 20:05
    No more pathetic than you, you are so far up your own ass its embarrassing.

    Quote this comment #5.7 Posted by XP-RTM on 28 May 2003 - 20:06
    I know Jason is SO intelligent
    (btw why did you removed your comment on longhorn? wasnt good enough?, lol
    Quote this comment #5.8 Posted by Jason on 28 May 2003 - 20:11
    (delete)
    Quote this comment #5.9 Posted by Jason on 28 May 2003 - 20:12
    Thanks, my intelligence got me a 2-1 good enough for me

    Had to remove previous post, it didn't fit in that gap anymore.
    Quote this comment #5.10 Posted by nacs on 28 May 2003 - 21:57
    You really need to learn to spell before you go around calling other people uneducated Jason.
    Quote this comment #5.11 Posted by Jason on 28 May 2003 - 22:04
    My whole point was how can some people here beta test patches when there are posts like Longhorn sucks, thats it
    Quote this comment #5.12 Posted by Neobond on 28 May 2003 - 22:39
    QUOTE (#5.11 by )
    My whole point was how can some people here beta test patches when there are posts like Longhorn sucks, thats it

    Quote this comment #5.13 Posted by XP-RTM on 28 May 2003 - 23:23
    LOL neobond you rock! that one was funny!
    Quote this comment Reply to this comment #6 Posted by EmuZombie on 28 May 2003 - 19:33
    QUOTE
    You can un-install this update via Add/Remove (control panel)


    Yeah, that didn't work for me, it failed. I had to do a system restore.
    (4 replies) Quote this comment Reply to this comment #7 Posted by James55 on 28 May 2003 - 20:28
    I dont trust any of m$ update patches anyway. Ive had other problems with them before and eventually turned off automatic updates
    Quote this comment #7.1 Posted by Ji@nBing on 28 May 2003 - 22:02
    hehe, turning them off is always one of the first things i do after a format. actually since my last format i didn't install anything from windows update, and my pc runs a lot better. they seem to really slow it down
    Quote this comment #7.2 Posted by Fubar on 28 May 2003 - 22:16
    sorry i really dont think you get the point. you dont trust the patches yet you trust the os that they make........ explain to me the sense in that..... so your happy to carry on using your system without out all the fix's ? what part am i suppose to say ah yeah i see your point.... ms patches are buggy but the OS isnt ? ..........
    heres a thought explain to me at least, why you think your pc is better off and faster than some one else's with all the fix's on ? also as everyone pc is differant from the next person so will the update site maybe you should rethink that half the problems you get are more todo with dodgy hardware rather than all of the patches being MS fault.......... im not saying all there patches are great but sheesh only a few so far on xp have been faulty...... no one is perfect are they . oh apart from you and your pc that is

    Last edited by 3331 on 28 May 2003 - 22:25
    Quote this comment #7.3 Posted by daveoc64 on 28 May 2003 - 22:27
    How would you know it slows things down if you dont install them
    Quote this comment #7.4 Posted by Jack Black on 29 May 2003 - 00:51
    You don't trust M$ update patches? What are you, a moron? Quit trying to make yourself look cool because you bash Microsoft.
    (1 reply) Quote this comment Reply to this comment #8 Posted by ben_b on 28 May 2003 - 23:27
    You do know if you don't install them you are more likely to be hacked, ect. right? Well anyways does anyone know if Microsoft is going to fix this and then re-release it?
    Quote this comment #8.1 Posted by Jon on 29 May 2003 - 01:00
    It wasn't a security update (ie: one that specifically resolved bugs), but one that added extra features relating to encryption. And I'd bet money that 99% of neowinians dont use this encryption (l2tp/ipsec).

    QUOTE
    Although this problem may seem like a error, it is in-fact just IPSEC using its default security setting, which is to make the connection safe. But in this case it can unfortunately cause loss of internet functionality.


    That comment is misleading. IPSECs default setting is to encrypt all traffic, meaning that unless the server you're talking to is expecting IPSEC comms, it wont understand you. The 'in this case bit' is redundant, in ANY case where IPSEC wasn't previously used 2 way, this would cause comms failure.
    Quote this comment Reply to this comment #9 Posted by Visentinel on 28 May 2003 - 23:58
    Updates are important, Keeps you safe from known exploits

    Better to loos a few mhz of speed, and be secure, than loos it all and reformat after been hacked
    Quote this comment Reply to this comment #10 Posted by Davey on 29 May 2003 - 02:30
    Thats bullcrap that affects just AV scanning.

    I installed this patch on a fresh instaled XP and had slowdwon then even with nothing else installed except security patches. Uninstalled the patch and syste,m went fast.

    MS, if you reading this, get your asses into gear and start patching the OS i paid good money for properly instead of this dead assed crappy patches you are giving out and blaming AV scanners instead of blaming yourselves in which you should be doing
    (1 reply) Quote this comment Reply to this comment #11 Posted by ben_b on 29 May 2003 - 02:50
    There is an error in the link to Windows Update; it is http://://v4.windowsupdate.microsoft.com/ when it should be http://v4.windowsupdate.microsoft.com/ or just http://windowsupdate.microsoft.com/.
    Quote this comment #11.1 Posted by Voodoo on 29 May 2003 - 02:59
    fixed
    [1]

    Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!

    Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.


    Scroll to the Top
    ....
    My Preferences
    ....
    Communicating with server
    Loading
    Please Wait...
    ....
    Loading
     X 
    ....