Specify Tunnel Endpoints

Applies To: Windows Server 2008

Tunnel endpoints

Tunneling is the process of encapsulation, routing, and decapsulation. Tunneling wraps, or encapsulates, the original packet inside a new packet. The network can be a private intranet or the Internet. After the encapsulated packets reach their destination, the encapsulation is removed and the original packet header is used to route the packet to its final destination.

The tunnel itself is the logical data path through which the encapsulated packets travel. To the original source and destination peer, the tunnel is usually transparent and appears as just another point-to-point connection in the network path. When tunneling is combined with data confidentiality, it can be used to provide a virtual private network (VPN).

The primary reason for using Internet Protocol security (IPsec) Tunnel Mode is interoperability with other routers, gateways, or end systems that do not support L2TP/IPsec or PPTP VPN tunneling. IPsec Tunnel Mode is supported only in gateway-to-gateway tunneling scenarios and, as an advanced feature, for certain server-to-server or server-to-gateway configurations. IPsec Tunnel Mode is not supported for remote access VPN scenarios. L2TP/IPsec or PPTP should be used for remote access VPN connections.

An IPsec tunnel must be defined at both ends of the connection, and at each end, the entries for the local tunnel computer and remote tunnel computer must be swapped (because the local computer at one end of the tunnel is the remote computer at the other end, and vice versa).

Endpoints

Use these two lists to specify one or more computers that comprise the first endpoint of the tunnel. Communications pass between these computers and the computers you specify for the other endpoint. You can specify these computers by individual IP address, IP address rages, subnets, or by using predefined IP addresses, such as a gateway or DNS server.

The order of the computers in the list is not important. Any computer specified in Endpoint 1 can communicate with any computer specified in Endpoint 2.

Tunnel closest to computer in endpoint

Use these two text boxes to specify the IP address of the tunnel computer closest to the computers in an endpoint. The tunnel computer is a gateway. You can specify either an IPv4 address or an IPv6 address.

You must use the same IP address version for both ends of the tunnel. For example, if you use an IPv4 address for one end of the tunnel, you must use an IPv4 address for the other. You can, however, specify tunnel endpoints for both versions, as long as the versions on each end match.

Adjusting these settings after creating the rule

You can also adjust these settings in the <Connection Security Rule Name> Properties dialog box in the Connection Security node. To change the computers in each endpoint, use the Computers tab. To change the tunnel endpoints, on the Advanced tab, under IPsec Tunneling, click Settings.

Additional references

Add or Edit IP Addresses

Connection Security Rules