Step 3: Test Your Tunnel Mode Rules

Updated: December 7, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

With the tunnel mode rules defined, you can now try to access your domain controller through the member server from the client on the public network.


This section of the guide uses features that are present only on computers that are running Windows 7 and Windows Server 2008 R2, and will not work as written on computers that are running earlier versions of Windows.

To communicate with the private network through the tunnel

  1. On CLIENT1, start the Windows Firewall with Advanced Security MMC snap-in.

  2. Expand Monitoring, expand Security Associations, and then click Quick Mode. The list of quick mode security associations (QMSAs) is empty, unless you tried to communicate with the private network.

  3. Open a command prompt, and then position the Command Prompt window and the Windows Firewall with Advanced Security snap-in so that you can see the list of QMSAs and still type in the Command Prompt window.

  4. At the command prompt, type the command ping The connection succeeds. The first packet might report a loss because of the delay caused by the IPsec tunnel negotiations.

  5. On the Actions pane of the Windows Firewall with Advanced Security snap-in, click Refresh.

    The QMSA between the client and the gateway is displayed.

  6. At the command prompt, type the command net view \\dc1.

    This command uses DNS to look up the name of the computer and uses SMB protocol blocks to request shared folder information from DC1 in its role as a file server. All of these network packets are being sent through the IPsec tunnel between CLIENT1 and MBRSVR1. They are then forwarded on to the private network and sent to their destination in plain text. Responses from DC1 are sent to its default gateway, where the tunnel mode rule causes them to be encapsulated in an IPsec ESP header and forwarded to the other network and received by CLIENT1. IPsec on CLIENT1 removes the IPsec ESP header because it is the end of the tunnel, and passes the datagram on to the application that requested it.

Next topic: Summary