Specify an IPSec tunnel

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To specify an IPSec tunnel

  1. Create a console containing IP Security Policies. Or, open a saved console file containing IP Security Policies.

  2. Double-click the policy that you want to modify.

  3. Double-click the rule that you want to modify.

  4. On the Tunnel Setting tab, specify the computer that will be the tunnel endpoint:

    To Do this

    Disable tunneling for this rule

    Click This rule does not specify an IPSec tunnel.

    Use tunneled communications to a specific tunnel endpoint

    Click The tunnel endpoint is specified by this IP address and type the IP address of the tunnel endpoint.

Notes

  • To manage Active Directory-based IPSec policies, you must be a member of the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. To manage local or remote IPSec policies for a computer, you must be a member of the Administrators group on the local or remote computer. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. For more information, see Default local groups and Default groups.

  • To create a console containing IP Security Policies, start the IP Security Policies snap-in. To open a saved console file, open MMC. For more information, see Related Topics.

  • Because you cannot mirror filters for tunneled traffic, you must configure two rules. One rule is used for the outbound traffic and the other is used for inbound traffic. For the outbound traffic rule, the tunnel endpoint is the IP address of the IPSec peer on the other end of the tunnel. For the inbound traffic rule, the tunnel endpoint is an IP address configured on the local computer.

  • IPSec tunnels are not supported for remote access VPN scenarios. L2TP/IPSec or PPTP should be used for remote access VPN connections. IPSec tunnels are used primarily for interoperability with other routers, gateways, or end-systems that do not support L2TP/IPSec or PPTP connections. IPSec tunnel mode is supported as an advanced feature, used only in gateway-to-gateway (also known as router-to-router) tunneling scenarios and for server-to-server or server-to-gateway configurations.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Start the IP Security Policy Management snap-in
Open MMC
Add, edit, or remove IPSec policies
Virtual private networking with IPSec
Tunnel endpoint
Working with MMC console files
Tunnel mode