Share via


Dialog Box: Customize IPsec Tunneling Settings

Updated: January 20, 2009

Applies To: Windows 7, Windows Server 2008 R2

Use this dialog box to configure a connection security rule to use tunnel mode rather than transport mode.

To get to this dialog box

  1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, select Connection Security Rules.

  2. Double-click the tunnel rule that you want to modify.

  3. Click the Advanced tab, and then under IPsec Tunneling, click Customize.

Use IPsec tunneling

Select this option to specify that the network traffic that matches this rule travels from Endpoint 1 to Endpoint 2 through an Internet Protocol security (IPsec) tunnel. Selecting this option enables the rest of the controls in this dialog box.

Apply authorization

Select this option to specify that the computer or user in Endpoint 1 must authenticate with the local tunnel endpoint before any packets can be sent through the tunnel. To specify the computers or users that are authorized to send traffic through the tunnel, follow these steps:

To specify users and computers authorized to send network traffic through the tunnel

  1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, select Windows Firewall with Advanced Security.

  2. In Overview, click Windows Firewall Properties.

  3. Select the IPsec Settings tab.

  4. In IPsec tunnel authorization, click Advanced, and then click Customize.

  5. Add users and computers to the lists according to your design. For more information, see Dialog Box: Customize IPsec Tunnel Authorization.

Exempt IPsec protected connections

Sometimes a network packet might match more than one connection security rule. If one of the rules establishes an IPsec tunnel, you can choose whether to use the tunnel or send the packet outside of the tunnel protected by the other rule. Select the option to specify that network traffic that matches another IPsec connection security rule does not go through the IPsec tunnel.

Local tunnel endpoint (closest to Endpoint 1)

Use this option to identify the computer that terminates the tunnel at the end closest to the computers in Endpoint 1. Click Edit to enter an Internet Protocol version 4 (IPv4) address, Internet Protocol version 6 (IPv6) address, or both.

Important

You must be consistent in the version of IP you specify for the addresses in a tunnel. If you specify IPv4 addresses, then do so for both tunnel endpoints and Endpoint1 and Endpoint 2. You can specify both IPv4 and IPv6, but you must then specify both for both tunnel endpoints and Endpoint 1 and Endpoint 2.

Remote tunnel endpoint (closest to Endpoint 2)

Use this option to identify the computer that terminates the tunnel at the end closest to the computers in Endpoint 2. Click Edit to enter an IPv4 address, IPv6 address, or both.

Important

You must be consistent in the version of IP you specify for the addresses in a tunnel. If you specify IPv4 addresses, then do so for both tunnel endpoints and Endpoint1 and Endpoint 2. You can specify both IPv4 and IPv6, but you must then specify both for both tunnel endpoints and Endpoint 1 and Endpoint 2.

For information about IPsec tunneling, see Connection Security Rule Wizard: Tunnel Type Page.