Creating Tunnel Mode IPsec Rules
Updated: December 7, 2009
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
IPsec tunnel mode rules can be used to create secured network connections across the Internet to private networks, or to connect two private networks that are separated by the Internet.
In earlier versions of Windows, creating IPsec rules for client-to-gateway type rules were easy to deploy on the gateway server, but difficult to deploy to the clients. This was because in these IPsec rules you needed to specify both ends of the tunnel by an explicit IP address, and both sets of computers at either end of the tunnel that are accessible through the tunnel. This meant that you had to have a customized rule for each client that you wanted enabled to connect to the gateway. Starting with Windows Server 2008 R2 and Windows 7, however, you can use the “Any” keyword for both the local endpoint and the local tunnel endpoint. When this rule is deployed on the client, “Any” is interpreted to mean the local computer’s own IP address. This enables you to deploy a single rule to all of the clients that have only the remote tunnel endpoint computer’s IP address, and the IP addresses of the computers accessible beyond the gateway.
This scenario uses features that are new to Windows 7 and Windows Server 2008 R2. If you are running Windows Vista on CLIENT1, or Windows Server 2008 on MBRSVR1 then you cannot complete this scenario.
Steps for creating rules that create a client-to-gateway IPsec tunnel
In this section of the guide, you reconfigure the lab computers to enable a multiple network remote access scenario. CLIENT1 becomes a remote client on test “public” network, and MBRSVR1 becomes an IPsec gateway server with the addition of a second network adapter so that it can attach to both the new public network and the original private network used in the previous scenarios. DC1 continues to operate on the private network, and serves as the destination server.