Select Client-to-gateway on the Tunnel Type page if the connection security rule is for a client computer that must communicate with a remote gateway and the computers behind the gateway on a private network. You can use this page to configure the IP address of the remote tunnel endpoint (the gateway) and the computers that are behind the remote tunnel endpoint on a private network.

The following figure shows the components that you can configure by using this wizard page.

To get to this wizard page
  1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.

  2. On the Rule Type page, select Tunnel.

  3. In Steps, click Tunnel Type, and then select Client-to-gateway.

  4. Click Next until you reach the Tunnel Endpoints page.

Client

This option is set to My IP address and cannot be changed.

Note

In this scenario, the client computer is serving as the only computer in Endpoint 1 and is also the local tunnel endpoint.

Gateway

The gateway is the computer to which the client sends packets that are addressed to a computer in the remote endpoint. The gateway receives a network packet from the client, decapsulates the original packet, and then routes it to the destination computer that is in Endpoint 2. You can specify an Internet Protocol version 4 (IPv4) address, an Internet Protocol version 6 (IPv6) address, or both.

Notes
  • The IP version of the address at each end of the tunnel must match. For example, if you specify an IPv4 address at one end, then the other end must also have an IPv4 address. You can specify both an IPv4 and an IPv6 address, but if you do so at one end, then you must also do so at the other end. Also, you must specify the same version of IP for both the remote tunnel endpoint (the gateway) and the remote endpoints behind the gateway.
  • The gateway computer is referred to as the remote tunnel endpoint on the IPsec Tunneling Settings dialog box, in the Netsh command-line tool, and if you select Custom configuration on the Tunnel Type page.

What are the remote endpoints?

The remote endpoints are the computers at the remote end of the tunnel on the other side of the gateway that must be able to send and receive data from the client. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Address dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove.

Note

The gateway computer is referred to as the remote tunnel endpoint on the IPsec Tunneling Settings dialog box, in the Netsh command-line tool, and if you select Custom configuration on the Tunnel Type page.

How to change these settings

After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the computers that are accessible behind the remote tunnel endpoint, use the Computers tab and configure the settings for Endpoint 2. To change the remote tunnel endpoint (the gateway), from the Advanced tab, under IPsec Tunneling, click Customize, and then modify the Remote tunnel endpoint.
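The notes above mention that the gateway is called the remote tunnel endpoint in the Netsh command-line tool, and that the IP version must match at both ends. The following added example (not from this page) checks that rule before creating the equivalent client-to-gateway rule with Netsh; all addresses and the rule name are placeholders, and the mapping of the wizard's options onto the `netsh advfirewall consec add rule` parameters is an assumption, not something this page states.

```powershell
# Added example, not part of the original page: validate the IP-version rule
# from the Notes above, then add the equivalent client-to-gateway rule with Netsh.
# All addresses are placeholders; the netsh parameter mapping is assumed from
# the 'netsh advfirewall consec add rule' syntax and is not taken from this page.

$RuleName      = 'Client-to-branch-gateway'
$Gateway       = '203.0.113.10'   # placeholder: remote tunnel endpoint (the gateway)
$RemoteNetwork = '192.0.2.0/24'   # placeholder: Endpoint 2, the private network behind it

function Get-IPVersion {
    param([Parameter(Mandatory)][string]$Address)
    # Only literal addresses, subnets (a.b.c.d/n) and ranges (a-b) are handled;
    # predefined sets such as 'localsubnet' are keywords, not addresses, and are rejected.
    $first = ($Address -split '[/-]')[0].Trim()
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($first, [ref]$ip)) {
        throw "Not an IP address: '$Address'"
    }
    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) { 'IPv6' } else { 'IPv4' }
}

# The gateway and the computers behind it must use the same IP version.
$gwVersion  = Get-IPVersion $Gateway
$netVersion = Get-IPVersion $RemoteNetwork
if ($gwVersion -ne $netVersion) {
    throw "IP version mismatch: gateway is $gwVersion, remote endpoints are $netVersion"
}

# Netsh equivalent of the wizard page. Assumed mapping:
#   endpoint1=any / localtunnelendpoint=any -> 'My IP address' (this computer is the only
#                                              computer in Endpoint 1 and the local tunnel endpoint)
#   remotetunnelendpoint                    -> the gateway
#   endpoint2                               -> the remote endpoints behind the gateway
$netshArgs = @(
    'advfirewall', 'consec', 'add', 'rule',
    "name=$RuleName",
    'mode=tunnel',
    'endpoint1=any',
    "endpoint2=$RemoteNetwork",
    'localtunnelendpoint=any',
    "remotetunnelendpoint=$Gateway",
    'action=requireinrequireout',   # require IPsec protection in both directions
    'auth1=computerkerb'            # computer authentication with Kerberos v5
)
Write-Host "netsh $($netshArgs -join ' ')"
& netsh.exe @netshArgs
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
```

Run from an elevated PowerShell prompt on the client computer; afterwards the rule appears under Connection Security Rules and can be adjusted as described above.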
