Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
As discussed in Virtual private networking with IPSec, IPSec can perform layer 3 tunneling for scenarios in which Layer Two Tunneling Protocol (L2TP) cannot be used. If you are using L2TP for remote communications, no tunnel configuration is needed because the client and server VPN components of Windows XP and the Windows Server 2003 family automatically create the appropriate rules to secure L2TP traffic.
To create a layer 3 tunnel using IPSec, use the IP Security Policy Management or Group Policy consoles to configure and enable the following two rules for the appropriate policy:
A rule for the outbound traffic for the tunnel.
The rule for the outbound traffic is configured with both a filter list that describes the traffic to be sent across the tunnel and a tunnel endpoint of an IP address configured on the IPSec tunnel peer (the computer or router on the other side of the tunnel).
A rule for the inbound traffic for the tunnel.
The rule for the inbound traffic is configured with both a filter list that describes the traffic to be received across the tunnel and a tunnel endpoint of a local IP address (the computer or router on this side of the tunnel).
For each rule, you must also specify filter actions, authentication methods, and other settings.
For advanced information about configuring IPSec tunnels, see article Q252735, "How to Configure IPSec Tunneling in Windows 2000," in the Microsoft Knowledge Base.