Configure IP Packet Filters and Demand-Dial Filters

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

For an on-demand VPN site-to-site connection, you can specify IP packet filters and demand-dial filters.

Use the following procedures to accomplish these tasks:

  • Configure IP packet filters on the Internet interface

  • Match IP demand-dial filters to IP packet filters on the demand-dial interface

Configure IP packet filters on the Internet interface

You can configure Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPsec) inbound and outbound filters on a VPN router to allow only PPTP or only L2TP/IPsec traffic to travel between the two sites.

How you configure firewall filters and filters on the VPN router depends on the relative position of the VPN router and firewall. For information about configuring filters for a VPN site-to-site server, see Deploying Dial-up Remote Access, Appendix B: VPN Servers and Firewall Configuration, Add PPTP Filters, and Add L2TP over IPSec Filters.

Configure IP demand-dial filters and match them to IP packet filters on the demand-dial interface

You can configure demand-dial filters to specify which types of traffic are allowed to create a site-to-site connection. By matching demand-dial filters to the IP packet filters, you can also prevent a calling router from establishing a demand-dial connection for traffic that IP packet filters are configured to discard.

For information about how to configure demand-dial filters and match them to IP packet filters, see Configure Demand-Dial Filters and Demand-dial Routing Example.
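The match between demand-dial filters and IP packet filters can be checked mechanically. The following Python sketch is an added example, not part of the original documentation or of any Windows tool. It assumes the output packet filters drop everything except the listed entries and that the demand-dial filters initiate a connection only for the listed traffic; the `Rule` model, `unmatched_dial_rules` function, addresses and ports are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    """One filter entry (simplified model: destination, protocol, port)."""
    dst: str        # destination network in CIDR form
    proto: str      # "tcp", "udp", "icmp" or "any"
    dport: int = 0  # 0 = any destination port

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        return (
            ip_network(other.dst).subnet_of(ip_network(self.dst))
            and self.proto in ("any", other.proto)
            and self.dport in (0, other.dport)
        )


def unmatched_dial_rules(dial_rules, packet_rules):
    """Dial rules that could bring the link up for traffic the packet
    filters would then discard (no permitting packet rule covers them)."""
    return [d for d in dial_rules
            if not any(p.covers(d) for p in packet_rules)]


# Constructed sample policy for a site-to-site link to 10.2.0.0/16.
PACKET_PERMIT = [
    Rule("10.2.0.0/16", "tcp", 445),
    Rule("10.2.0.0/16", "tcp", 3389),
    Rule("10.2.0.0/16", "icmp"),
]
DIAL_ONLY_FOR = [
    Rule("10.2.1.0/24", "tcp", 445),   # narrower than a permit: fine
    Rule("10.2.5.10/32", "icmp"),      # host inside the permitted net: fine
    Rule("10.2.0.0/16", "udp", 53),    # no packet rule permits this
    Rule("10.2.0.0/16", "tcp"),        # any port: broader than the permits
]

if __name__ == "__main__":
    for rule in unmatched_dial_rules(DIAL_ONLY_FOR, PACKET_PERMIT):
        print("dials but would be dropped:", rule)
```

The check is conservative: a demand-dial entry that is permitted only by the combination of several packet filter entries is still reported, so each reported entry should be reviewed rather than removed automatically.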