IPsec Tunneling

Applies To: Windows Server 2008

IPsec tunneling

Internet Protocol security (IPsec) tunnels are used primarily for interoperability with other routers, gateways, or end systems that do not support L2TP/IPsec or PPTP connections. IPsec Tunnel Mode is supported as an advanced feature; it is used only in gateway-to-gateway (also known as router-to-router) tunneling scenarios and for server-to-server or server-to-gateway configurations. IPsec tunnels are not supported for remote access virtual private network (VPN) scenarios. L2TP/IPsec or PPTP should be used for remote access VPN connections.

IPsec can perform Layer 3 tunneling for scenarios in which Layer Two Tunneling Protocol (L2TP) cannot be used. If you are using L2TP for remote communications, no tunnel configuration is needed, because the client and server VPN components of this version of Windows automatically create the rules that secure L2TP traffic.

IPsec tunnels provide security for IP traffic only. The tunnel is configured to protect traffic between two endpoints that can consist of either individual IP addresses or IP subnets. If the tunnel is used between two computers instead of two routers (also known as gateways), the IP address outside the AH or ESP payload is the same as the IP address inside the AH or ESP payload. In this version of Windows, IPsec does not support protocol-specific or port-specific tunnels.

An IPsec tunnel must be defined at both ends of the connection, and at each end, the entries for the local tunnel computer and remote tunnel computer must be swapped (because the local computer at one end of the tunnel is the remote computer at the other end, and vice versa).

Tunnel computers

Enter the IPv4 or IPv6 addresses of the two computers that form the tunnel, that is, the two computers closest to the endpoint computers. You can specify two different sets of tunnel endpoints, one using IPv4 addresses and the other using IPv6 addresses.

You must specify the same version of IP address for both endpoints. For example, if you specify an IPv4 address for Endpoint 1, you must also specify an IPv4 address for Endpoint 2.
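The following PowerShell script is an added example and is not part of the original page; it shows how the two rules for one gateway-to-gateway tunnel relate to each other, with the local and remote tunnel computers swapped at each end and a check that both tunnel endpoints use the same IP version. It assumes both gateways run Windows Server 2008 with the Windows Firewall with Advanced Security service, that the rules are created with the `netsh advfirewall consec` command, and that both gateways are domain members so Kerberos computer authentication (`computerkerb`) is available. The subnets and gateway addresses are constructed sample values.

```powershell
# Added example (not from the original page): build the matching tunnel-mode
# connection security rules for both gateways of one IPsec tunnel.
# Assumptions: Windows Server 2008 gateways configured with
# "netsh advfirewall consec"; Kerberos computer authentication requires both
# gateways to be domain members; all addresses below are constructed samples.

function Test-SameIPVersion {
    # The page requires Endpoint 1 and Endpoint 2 to use the same IP version.
    param([string]$A, [string]$B)
    $ipA = [System.Net.IPAddress]::Parse($A)
    $ipB = [System.Net.IPAddress]::Parse($B)
    return ($ipA.AddressFamily -eq $ipB.AddressFamily)
}

function New-TunnelRuleCommand {
    param(
        [string]$RuleName,
        [string]$LocalSubnet,    # endpoint1: subnet behind THIS gateway
        [string]$RemoteSubnet,   # endpoint2: subnet behind the peer gateway
        [string]$LocalGateway,   # this gateway's tunnel address
        [string]$RemoteGateway,  # the peer gateway's tunnel address
        [string]$Auth = 'computerkerb'
    )
    if (-not (Test-SameIPVersion $LocalGateway $RemoteGateway)) {
        throw "Tunnel endpoints $LocalGateway and $RemoteGateway must use the same IP version"
    }
    # mode=tunnel selects IPsec Tunnel Mode; requireinrequireout refuses
    # unprotected traffic in both directions, so a misconfigured peer fails
    # closed instead of silently sending cleartext.
    return ("netsh advfirewall consec add rule name=`"$RuleName`" " +
            "endpoint1=$LocalSubnet endpoint2=$RemoteSubnet " +
            "mode=tunnel action=requireinrequireout " +
            "localtunnelendpoint=$LocalGateway remotetunnelendpoint=$RemoteGateway " +
            "auth1=$Auth")
}

# Constructed sample topology:
#   Site A: 192.0.2.0/24    behind gateway 198.51.100.1
#   Site B: 203.0.113.0/24  behind gateway 198.51.100.2
$siteA = @{ Subnet = '192.0.2.0/24';   Gateway = '198.51.100.1' }
$siteB = @{ Subnet = '203.0.113.0/24'; Gateway = '198.51.100.2' }

# Rule to run ON gateway A: local = A, remote = B.
$cmdOnA = New-TunnelRuleCommand -RuleName 'Tunnel to Site B' `
    -LocalSubnet $siteA.Subnet -RemoteSubnet $siteB.Subnet `
    -LocalGateway $siteA.Gateway -RemoteGateway $siteB.Gateway

# Rule to run ON gateway B: the same tunnel with local and remote swapped,
# because A's remote tunnel computer is B's local tunnel computer.
$cmdOnB = New-TunnelRuleCommand -RuleName 'Tunnel to Site A' `
    -LocalSubnet $siteB.Subnet -RemoteSubnet $siteA.Subnet `
    -LocalGateway $siteB.Gateway -RemoteGateway $siteA.Gateway

Write-Output '--- run on gateway A ---'
Write-Output $cmdOnA
Write-Output '--- run on gateway B ---'
Write-Output $cmdOnB

# Mixing address families is rejected before any rule is written:
try {
    New-TunnelRuleCommand -RuleName 'Bad' -LocalSubnet $siteA.Subnet `
        -RemoteSubnet $siteB.Subnet -LocalGateway '198.51.100.1' `
        -RemoteGateway '2001:db8::2' | Out-Null
} catch {
    Write-Output "Rejected: $($_.Exception.Message)"
}

# To apply on the local gateway (elevated prompt), run the emitted command,
# then confirm it with:
#   netsh advfirewall consec show rule name="Tunnel to Site B"
```

The script only prints the commands; run the one for each gateway on that gateway. Keeping a single function that takes "local" and "remote" arguments makes the swap explicit and avoids the common mistake of pasting the same rule unchanged on both ends.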

Additional references

Connection Security Rules