Connection Security Rule Wizard: Tunnel Endpoints Page - Custom Configuration

Updated: January 20, 2009

Applies To: Windows 7, Windows Server 2008 R2

Use this wizard page to configure the endpoint options for an IPsec tunnel rule.

If you select Custom configuration on the Tunnel Type page, you can configure all of the details of the tunnel on the Tunnel Endpoints page.

The following diagram shows the components that you can configure by using this wizard page.

To get to this wizard page

  1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.

  2. On the Rule Type page, select Tunnel.

  3. In Steps, click Tunnel Type, and then select Custom configuration.

  4. Click Next until you reach the Tunnel Endpoints page.

Which computers are in Endpoint 1?

Endpoint 1 is the collection of computers at the local end of the tunnel that must be able to send data to and receive data from the computers that are part of Endpoint 2. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Address dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove.

What is the local tunnel endpoint (closest to the computers in Endpoint 1)?

The local tunnel endpoint is the gateway to which a computer in Endpoint 1 sends network packets that are addressed to a computer in Endpoint 2. The local tunnel endpoint accepts a network packet from a computer in Endpoint 1, and then encapsulates it in a new network packet that is addressed and routed to the remote tunnel endpoint. The remote tunnel endpoint extracts the encapsulated original packet, places it on the network connected to the computers in Endpoint 2, and then routes the packet to its final destination.

You can specify an Internet Protocol version 4 (IPv4) address, an Internet Protocol version 6 (IPv6) address, or both. To add an address, click Edit, and provide the information required in the Customize IPsec Tunneling Settings dialog box.

Important

If you specify Any, then the computer in Endpoint 1 is also the local tunnel endpoint for the connection. The Endpoint 1 computer encapsulates and routes its own network packets to the remote tunnel endpoint, which extracts and routes the data to the destination computer in Endpoint 2.

Note

The IP version of the address at each end of the tunnel must match. For example, if you specify an IPv4 address at one end, then the other end must also have an IPv4 address. You can specify both an IPv4 and an IPv6 address, but if you do so at one end, then you must also do so at the other end.

Apply IPsec tunnel authorization

Select this option to specify that the computer or user in Endpoint 1 must authenticate with the local tunnel endpoint before any packets can be sent through the tunnel. To specify the computers or users that are authorized to send traffic through the tunnel, follow these steps:

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To specify users and computers that are authorized or denied permission to send network traffic through the tunnel

  1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, select Windows Firewall with Advanced Security.

  2. In Overview, click Windows Firewall Properties.

  3. Select the IPsec Settings tab.

  4. In IPsec tunnel authorization, click Advanced, and then click Customize.

  5. Add users and computers to the lists, as appropriate for your design. For more information, see Dialog Box: Customize IPsec Tunnel Authorization.

What is the remote tunnel endpoint (closest to the computers in Endpoint 2)?

The remote tunnel endpoint is the gateway to which the local tunnel endpoint sends network packets that are addressed to a computer in Endpoint 2. The remote tunnel endpoint receives a network packet from the local tunnel computer, extracts the encapsulated original packet, and then routes it to the destination computer in Endpoint 2.

You can specify an IPv4 address, an IPv6 address, or both. To add an address, click Edit and provide the information required in the Customize IPsec Tunneling Settings dialog box.

Important

If you specify Any, then the computer in Endpoint 2 that is receiving the data also serves as the remote tunnel endpoint. The Endpoint 2 computer then extracts and processes the original packet.

Note

The IP version of the address at each end of the tunnel must match. For example, if you specify an IPv4 address at one end, then the other end must also have an IPv4 address. You can specify both an IPv4 and an IPv6 address, but if you do so at one end, then you must also do so at the other end.

Which computers are in Endpoint 2?

Endpoint 2 is the collection of computers at the remote end of the tunnel that must be able to send data to and receive data from the computers that are part of Endpoint 1. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Address dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove.
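The wizard fields described above, expressed as the equivalent netsh advfirewall consec rules, as an added example that is not part of the original page. All rule names and addresses are constructed (RFC 5737 documentation ranges), and the example assumes both tunnel endpoints are domain members so that Kerberos computer authentication (auth1=computerkerb) is available.

```batch
REM Added example, not from the original page. Command-line equivalent of the
REM Tunnel Endpoints wizard page on Windows 7 / Windows Server 2008 R2.
REM Addresses are constructed placeholders (RFC 5737 ranges); replace them.

REM Gateway-to-gateway tunnel. Field mapping to the wizard page:
REM   endpoint1            = "Which computers are in Endpoint 1?"  (subnet behind the local gateway)
REM   endpoint2            = "Which computers are in Endpoint 2?"  (subnet behind the remote gateway)
REM   localtunnelendpoint  = "What is the local tunnel endpoint?"  (address of the local gateway)
REM   remotetunnelendpoint = "What is the remote tunnel endpoint?" (address of the remote gateway)
REM   applyauthz=yes       = "Apply IPsec tunnel authorization"; the authorized users and
REM                          computers are configured under IPsec Settings, as described above.
netsh advfirewall consec add rule name="Site tunnel to branch" ^
    mode=tunnel ^
    endpoint1=192.0.2.0/24 ^
    endpoint2=198.51.100.0/24 ^
    localtunnelendpoint=203.0.113.10 ^
    remotetunnelendpoint=203.0.113.20 ^
    action=requireinrequireout ^
    auth1=computerkerb ^
    applyauthz=yes

REM Client-to-gateway variant: localtunnelendpoint=any makes each Endpoint 1 computer
REM its own local tunnel endpoint (the "Important" case above), so only the remote
REM gateway address is fixed. Both ends use IPv4, as the Note above requires.
netsh advfirewall consec add rule name="Client tunnel to branch" ^
    mode=tunnel ^
    endpoint1=any ^
    endpoint2=198.51.100.0/24 ^
    localtunnelendpoint=any ^
    remotetunnelendpoint=203.0.113.20 ^
    action=requireinrequireout ^
    auth1=computerkerb ^
    applyauthz=yes

REM Verify the stored rule: the mode, tunnel endpoints and authorization setting
REM should match what the wizard page shows for the same rule.
netsh advfirewall consec show rule name="Site tunnel to branch" verbose
```

Rules created this way appear under Connection Security Rules in the snap-in and can be edited there as described in the section that follows.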

How to change these settings

After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the computers that are in Endpoint 1 and Endpoint 2, select the Computers tab. To change the authorization setting or the computers that serve as tunnel endpoints, select the Advanced tab, and then under IPsec tunneling, click Customize.