IPsec tunnel mode is used primarily for interoperability with routers, gateways, or end systems that do not support Layer Two Tunneling Protocol (L2TP)/Internet Protocol security (IPsec) or Point-to-Point Tunneling Protocol (PPTP) VPN tunneling. IPsec tunnel mode is supported only in gateway-to-gateway tunneling scenarios and for certain server-to-server or server-to-gateway configurations. IPsec tunnel mode is not supported for remote access VPN scenarios. L2TP/IPsec or PPTP should be used for remote access VPN connections.
An IPsec tunnel must be defined at both ends of the connection. At each end, the entries for the local tunnel computer and remote tunnel computer must be swapped (because the local computer at one end of the tunnel is the remote computer at the other end, and vice versa).
Use Windows Firewall with Advanced Security to perform Layer 3 tunneling for scenarios in which L2TP cannot be used. If you are using L2TP for remote communications, no IPsec tunnel configuration is required because the client and server VPN components of this version of Windows create the rules to secure L2TP traffic automatically.
Use this wizard page to configure the type of IPsec tunnel that you want to create. An IPsec tunnel is typically used to connect a private network behind a gateway to either a remote client or a remote gateway with another private network. IPsec tunnel mode protects a data packet by encapsulating the entire data packet inside an IPsec-protected packet and then routing the IPsec-protected packet between the tunnel endpoints. When it arrives at the destination endpoint, the data packet is extracted and then routed to its final destination.
To get to this wizard page
- In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
- On the Rule Type page, select Tunnel.
- In Steps, select Tunnel Type.
Custom configuration
Select this option to enable all of the endpoint configuration options on the Tunnel Endpoints – Custom Configuration page. You can specify the IP addresses of the computers that serve as the tunnel endpoints and the computers that are located on private networks behind each tunnel endpoint. For more information, see Connection Security Rule Wizard: Tunnel Endpoints Page - Custom Configuration.
Client-to-gateway
Select this option if you want to create a rule for a client computer that must connect to a remote gateway and the computers behind the gateway on a private network.
When the client sends a network packet to a computer on the remote private network, IPsec embeds the data packet inside an IPsec packet that is addressed to the remote gateway address. The gateway extracts the packet and then routes it on the private network to the destination computer.
If you select this option, then only the public IP address of the gateway computer and the IP addresses of the computers on the private network can be configured. For more information, see Connection Security Rule Wizard: Tunnel Endpoints Page - Client-to-Gateway.
Gateway-to-client
Select this option if you want to create a rule for a gateway computer that is attached to both a private network and a public network from which it receives network traffic from remote clients.
When the client sends a network packet to a computer on the private network, IPsec embeds the data packet inside an IPsec packet that is addressed to the public IP address of this gateway computer. When the gateway computer receives the packet, it extracts the packet and then routes it on the private network to the destination computer.
When a computer on the remote private network needs to reply to the client computer, the data packet is routed to the gateway computer. The gateway computer embeds the data packet inside an IPsec packet that is addressed to the remote client computer, and then routes the IPsec packet over the public network to the remote client computer.
If you select this option, then only the addresses of computers on the private network and the public IP address of the gateway computer can be configured. For more information, see Connection Security Rule Wizard: Tunnel Endpoints Page - Gateway-to-Client.
Exempt IPsec-protected connections
Sometimes a network packet might match more than one connection security rule. If one of the rules establishes an IPsec tunnel, you can choose whether to send the packet through the tunnel or to send it outside the tunnel, protected only by the other rule.
Yes
Select this option if the connection is already protected by another connection security rule and you do not want the network packet to go through the IPsec tunnel. Any network traffic that is protected by the Encapsulating Security Payload (ESP) protocol, including ESP Null, is prevented from traversing the tunnel.
No
Select this option if you want all network packets that match the tunnel rule to go through the tunnel even when they are protected by another connection security rule.
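The mirrored endpoint configuration described above (the tunnel endpoint and private-network addresses swapped at each end) and the "Exempt IPsec-protected connections" choice can also be expressed with the built-in New-NetIPsecRule cmdlet. The following is an added example, not part of the original page: the gateway public address 203.0.113.10, the private subnet 192.168.10.0/24, the client address 198.51.100.5 and the rule names are constructed values, and the helper function New-TunnelRuleParams is hypothetical.

```powershell
# Added example (not from the original page): build the two mirrored tunnel-mode
# connection security rules for a gateway-to-client tunnel and create each one
# on its own computer. Addresses are constructed documentation-range values.

function New-TunnelRuleParams {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$LocalEndpoint,   # this computer's public address
        [Parameter(Mandatory)][string]$RemoteEndpoint,  # the other end's public address
        [Parameter(Mandatory)][string[]]$LocalAddress,  # computers behind this end
        [Parameter(Mandatory)][string[]]$RemoteAddress, # computers behind the other end
        [bool]$ExemptProtected = $true                  # "Exempt IPsec-protected connections: Yes"
    )
    @{
        DisplayName           = $Name
        Mode                  = 'Tunnel'
        LocalTunnelEndpoint   = $LocalEndpoint
        RemoteTunnelEndpoint  = $RemoteEndpoint
        LocalAddress          = $LocalAddress
        RemoteAddress         = $RemoteAddress
        InboundSecurity       = 'Require'   # never fall back to clear text
        OutboundSecurity      = 'Require'
        EncryptedTunnelBypass = $ExemptProtected  # ESP-protected traffic bypasses the tunnel
    }
}

# Gateway side: the local endpoint is the gateway's public address and the local
# addresses are the private network behind it.
$gatewaySide = New-TunnelRuleParams -Name 'Tunnel to remote client' `
    -LocalEndpoint '203.0.113.10' -RemoteEndpoint '198.51.100.5' `
    -LocalAddress '192.168.10.0/24' -RemoteAddress '198.51.100.5'

# Client side: the same rule with local and remote swapped, as the page requires.
$clientSide = New-TunnelRuleParams -Name 'Tunnel to gateway' `
    -LocalEndpoint '198.51.100.5' -RemoteEndpoint '203.0.113.10' `
    -LocalAddress '198.51.100.5' -RemoteAddress '192.168.10.0/24'

# Verify the two ends mirror each other before touching either computer.
if ($gatewaySide.LocalTunnelEndpoint  -ne $clientSide.RemoteTunnelEndpoint -or
    $gatewaySide.RemoteTunnelEndpoint -ne $clientSide.LocalTunnelEndpoint) {
    throw 'Tunnel endpoints are not mirrored between the two ends.'
}

# Apply the matching rule on each computer from an elevated session; drop -WhatIf
# to actually create it. Shown here for the gateway.
New-NetIPsecRule @gatewaySide -WhatIf
```

Omitting -Phase1AuthSet leaves the rule on the default authentication set, so confirm with Get-NetIPsecRule and Get-NetIPsecPhase1AuthSet that the authentication method matches at both ends.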