IP Security Enhancements
There are several new updates related to IP Security (IPSec). The integration of Network Load Balancing (NLB) and IPSec-based Virtual Private Networks allows administrators to offer better security, along with faster IPSec failover and the reliability that comes with NLB.
In Windows 2000, clients can create a PPTP tunnel through a Network Address Translation (NAT) server. In other words, PPTP clients can establish a virtual private network connection from a client to a PPTP server on the Internet while going through a local NAT server. However, you can't use L2TP with IPSec through the NAT server, because IPSec packets can't be translated by the NAT server. You can create an IPSec tunnel from a NAT server to another computer on the Internet, but not through the NAT server. In Windows .NET Server, an L2TP or IPSec client now has the ability to pass through the NAT server. In addition, hardware vendors will be able to use new IPSec hardware acceleration functionality, which allows them to update their existing hardware to meet the new standards. In Windows .NET, IPSec supports NAT hardware acceleration for both Encapsulating Security Payload (ESP) and Authentication Header (AH) packets.
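Why a NAT server can't translate IPSec packets, and how UDP encapsulation (the NAT traversal mechanism, assumed here to be ESP wrapped in UDP port 4500) lets the traffic pass, can be shown with a small Python model. This is an added illustration, not code from the page or from Windows: the packet layouts are deliberately simplified toy formats rather than the RFC headers, and the key, addresses and port numbers are constructed.

```python
import hmac, hashlib, socket, struct

# Constructed toy model, not the RFC wire formats: each packet keeps only the
# fields that decide whether a NAT can rewrite it, plus a 12-byte HMAC ICV.
KEY = b"constructed-shared-secret"   # assumed integrity key of the SA
AH, ESP, UDP = 51, 50, 17            # IP protocol numbers
NAT_T_PORT = 4500                    # UDP port used by IPsec NAT traversal

def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ip_hdr(src: str, dst: str, proto: int) -> bytes:
    return socket.inet_aton(src) + socket.inet_aton(dst) + bytes([proto])

def ah_packet(src: str, dst: str, payload: bytes) -> bytes:
    """AH: the ICV covers the IP addresses as well as the payload."""
    hdr = ip_hdr(src, dst, AH)
    return hdr + icv(hdr + payload) + payload

def ah_valid(pkt: bytes) -> bool:
    hdr, tag, payload = pkt[:9], pkt[9:21], pkt[21:]
    return hmac.compare_digest(tag, icv(hdr + payload))

def esp_packet(src: str, dst: str, payload: bytes, udp_encap: bool = False) -> bytes:
    """ESP: the ICV covers only the ESP body (SPI + payload), never the IP
    header. With udp_encap=True the body is wrapped in a UDP/4500 header,
    which is how NAT traversal gives the NAT a port it is allowed to rewrite."""
    body = struct.pack("!I", 0x1000) + payload   # real ESP encrypts payload
    body += icv(body)
    if udp_encap:
        udp_ports = struct.pack("!HH", NAT_T_PORT, NAT_T_PORT)
        return ip_hdr(src, dst, UDP) + udp_ports + body
    return ip_hdr(src, dst, ESP) + body

def esp_valid(pkt: bytes) -> bool:
    body = pkt[13:] if pkt[8] == UDP else pkt[9:]   # skip outer UDP ports
    return hmac.compare_digest(body[-12:], icv(body[:-12]))

def visible_ports(pkt: bytes):
    """What a port-translating NAT can see: ports exist only in a UDP (or TCP)
    transport header; with AH/ESP the transport ports sit behind the ICV or
    inside the encrypted payload, so there is nothing to multiplex on."""
    return struct.unpack("!HH", pkt[9:13]) if pkt[8] == UDP else None

def source_nat(pkt: bytes, new_src: str, new_port: int = 0) -> bytes:
    """Rewrite the source address, and the source port when one is visible."""
    pkt = socket.inet_aton(new_src) + pkt[4:]
    if pkt[8] == UDP and new_port:
        pkt = pkt[:9] + struct.pack("!H", new_port) + pkt[11:]
    return pkt
```

Run against a client behind the NAT: the AH packet fails its integrity check once the address is rewritten, plain ESP survives the rewrite but exposes no port for the NAT to map, and the UDP-encapsulated ESP both keeps its ICV and gives the NAT a port to translate.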
Microsoft has also added support for the stronger 128-bit Internet Key Exchange (IKE) keys in IPSec. Now, when you establish IPSec tunnels, say between a remote branch office and corporate headquarters, you can benefit from this higher level of 128-bit security. This added security can be useful even between your internal LAN servers, say between your domain controller and the finance department server that holds company-confidential information. Using 128-bit IKE keys results in 3072-bit Diffie-Hellman key generation, which further increases security.