Connection Security Rule Wizard: Tunnel Type Page
Updated: January 20, 2009
Applies To: Windows 7, Windows Server 2008 R2
Tunneling is the process of cryptographically encapsulating data in a new network packet, routing the packet across a network, extracting the embedded data at the other end of the tunnel, and then sending it to the destination. The network can be a private intranet or the Internet.
The tunnel is the logical data path through which the encapsulated packets travel. To the original source and destination computers, the tunnel is transparent and appears as just another point-to-point connection in the network path. When tunneling is combined with data confidentiality, it can be used to provide a virtual private network (VPN).
The following figure shows the basic operation of an IPsec tunnel.
A. The originating computer in Endpoint 1 needs to send a packet to a computer in Endpoint 2. The connection security rules indicate that this connection must be made through a tunnel. The packet is therefore sent to the local tunnel endpoint (Tunnel Endpoint 1) that is specified in the rule.
B. Tunnel Endpoint 1 receives the packet. It matches a connection security rule that defines a tunnel between itself and Tunnel Endpoint 2. If the tunnel is not already established, Tunnel Endpoint 1 negotiates with Tunnel Endpoint 2 to establish the security association (SA) that defines the way in which network packets are transferred through the tunnel between them. Tunnel Endpoint 1 encrypts the original data packet according to the requirements of the SA with Tunnel Endpoint 2. It then embeds the packet as the payload of a new packet that is addressed to Tunnel Endpoint 2.
C. Tunnel Endpoint 2 receives the packet. It matches a connection security rule that defines a tunnel between itself and Tunnel Endpoint 1. Tunnel Endpoint 2 extracts the embedded packet and then decrypts it according to the requirements of the SA with Tunnel Endpoint 1.
D. Tunnel Endpoint 2 finds that the embedded packet is addressed to a computer in Endpoint 2 and routes the original unencrypted packet to the final destination computer.
IPsec tunnel mode is used primarily for interoperability with routers, gateways, or end systems that do not support Layer Two Tunneling Protocol (L2TP)/Internet Protocol security (IPsec) or Point-to-Point Tunneling Protocol (PPTP) VPN tunneling. IPsec tunnel mode is supported only in gateway-to-gateway tunneling scenarios and for certain server-to-server or server-to-gateway configurations. IPsec tunnel mode is not supported for remote access VPN scenarios. L2TP/IPsec or PPTP should be used for remote access VPN connections.
An IPsec tunnel must be defined at both ends of the connection. At each end, the entries for the local tunnel computer and remote tunnel computer must be swapped (because the local computer at one end of the tunnel is the remote computer at the other end, and vice versa).
Use Windows Firewall with Advanced Security to perform Layer 3 tunneling for scenarios in which L2TP cannot be used. If you are using L2TP for remote communications, no IPsec tunnel configuration is required because the client and server VPN components of this version of Windows create the rules to secure L2TP traffic automatically.
Use this wizard page to configure the type of IPsec tunnel that you want to create. An IPsec tunnel is typically used to connect a private network behind a gateway to either a remote client or a remote gateway with another private network. IPsec tunnel mode protects a data packet by encapsulating the entire data packet inside an IPsec-protected packet and then routing the IPsec-protected packet between the tunnel endpoints. When it arrives at the destination endpoint, the data packet is extracted and then routed to its final destination.
To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. On the Rule Type page, select Tunnel.
3. In Steps, select Tunnel Type.
Custom configuration
Select this option to enable all of the endpoint configuration options on the Tunnel Endpoints – Custom Configuration page. You can specify the IP addresses of the computers that serve as the tunnel endpoints and the computers that are located on the private networks behind each tunnel endpoint.
Client-to-gateway
Select this option if you want to create a rule for a client computer that must connect to a remote gateway and to the computers on the private network behind that gateway.
When the client sends a network packet to a computer on the remote private network, IPsec embeds the data packet inside an IPsec packet that is addressed to the remote gateway address. The gateway extracts the packet and then routes it on the private network to the destination computer.
If you select this option, then only the public IP address of the gateway computer and the IP addresses of the computers on the private network can be configured on the Tunnel Endpoints – Client-to-Gateway page.
Gateway-to-client
Select this option if you want to create a rule for a gateway computer that is attached to both a private network and a public network, and that receives network traffic from remote clients over the public network.
When the client sends a network packet to a computer on the private network, IPsec embeds the data packet inside an IPsec packet that is addressed to the public IP address of this gateway computer. When the gateway computer receives the packet, it extracts the packet and then routes it on the private network to the destination computer.
When a computer on the remote private network needs to reply to the client computer, the data packet is routed to the gateway computer. The gateway computer embeds the data packet inside an IPsec packet that is addressed to the remote client computer, and then routes the IPsec packet over the public network to the remote client computer.
If you select this option, then only the addresses of computers on the private network and the public IP address of the gateway computer can be configured on the Tunnel Endpoints – Gateway-to-Client page.
Exempt IPsec-protected connections
Sometimes a network packet might match more than one connection security rule. If one of the rules establishes an IPsec tunnel, you can choose whether to use the tunnel or send the packet outside of the tunnel protected by the other rule.
Select this option if the connection is already protected by another connection security rule and you do not want the network packet to go through the IPsec tunnel. Any network traffic that is protected by the Encapsulating Security Payload (ESP) protocol, including ESP Null, is prevented from traversing the tunnel.
Select this option if you want all network packets that match the tunnel rule to go through the tunnel even when they are protected by another connection security rule.
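The command-line equivalent of the gateway-to-gateway (custom configuration) tunnel described above, added here as an example and not taken from this page: the netsh advfirewall consec rule that the wizard creates, issued once on each gateway with the local and remote tunnel endpoints swapped, followed by the commands used to verify the rule and the resulting security associations. All addresses, rule names and the use of Kerberos computer authentication are constructed assumptions.

```batch
rem Added example (not from this page). Run from an elevated command prompt
rem on each gateway. Addresses are constructed placeholders:
rem   Gateway A: public 203.0.113.10, private network 192.168.10.0/24
rem   Gateway B: public 198.51.100.20, private network 192.168.20.0/24
rem endpoint1 is the local side of the rule, endpoint2 the remote side.
rem auth1=computerkerb assumes both gateways are domain members; use
rem computercert with auth1ca for a certificate-based tunnel instead.

rem ---- On Gateway A ----
netsh advfirewall consec add rule name="Tunnel A-to-B" ^
    mode=tunnel ^
    endpoint1=192.168.10.0/24 endpoint2=192.168.20.0/24 ^
    localtunnelendpoint=203.0.113.10 remotetunnelendpoint=198.51.100.20 ^
    action=requireinrequireout ^
    auth1=computerkerb ^
    exemptipsecprotectedconnections=no

rem ---- On Gateway B: the same rule with local and remote swapped ----
netsh advfirewall consec add rule name="Tunnel B-to-A" ^
    mode=tunnel ^
    endpoint1=192.168.20.0/24 endpoint2=192.168.10.0/24 ^
    localtunnelendpoint=198.51.100.20 remotetunnelendpoint=203.0.113.10 ^
    action=requireinrequireout ^
    auth1=computerkerb ^
    exemptipsecprotectedconnections=no

rem ---- Verification (on either gateway) ----
rem Confirm the rule was stored with the expected endpoints and mode.
netsh advfirewall consec show rule name="Tunnel A-to-B"
rem After sending traffic between the two private networks, a main mode
rem and a quick mode SA between the two public addresses should be listed.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

Setting exemptipsecprotectedconnections=yes on either rule corresponds to the exemption option in the section above and keeps ESP-protected traffic, including ESP Null, out of the tunnel.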