Pre-shared Keys

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

A pre-shared key is a string of Unicode characters used to authenticate L2TP/IPsec connections. You can configure Routing and Remote Access to authenticate VPN connections using a pre-shared key. The use of pre-shared keys is supported on many operating systems, including Windows Server 2003, Windows XP, and Windows Vista. You can also configure a server running the Windows Server 2008 version of Routing and Remote Access to use a pre-shared key to authenticate connections from other routers.

Advantages and disadvantages of pre-shared keys

Pre-shared key authentication does not require the hardware and configuration investment of a public key infrastructure (PKI), which is necessary for using computer certificates for L2TP/IPsec authentication. Pre-shared keys are simple to configure on a remote access server, and they are relatively simple to configure on a remote access client. They can be made transparent to the user if they are issued within Connection Manager profiles. If you are in the process of establishing a PKI or you manage an Active Directory domain, you can configure Routing and Remote Access to accept an L2TP/IPsec connection using a computer certificate or a pre-shared key.

However, a single remote access server can utilize only one pre-shared key for all L2TP/IPsec connections that require a pre-shared key for authentication. Therefore, you must issue the same pre-shared key to all L2TP/IPsec VPN clients that connect to the remote access server by using a pre-shared key. Unless you distribute the pre-shared key within a Connection Manager profile, each user must manually type the pre-shared key. This limitation further reduces the security of the deployment and increases the probability of error.

Moreover, if the pre-shared key on a remote access server is changed, a client with a manually configured pre-shared key cannot connect to that server until the pre-shared key on the client is changed. If the pre-shared key was distributed to the client within a Connection Manager profile, that profile must be reissued with the new pre-shared key and reinstalled on the client computer. Unlike certificates, the origin and the history of a pre-shared key cannot be determined. For these reasons, the use of pre-shared keys to authenticate L2TP/IPsec connections is considered a relatively weak authentication method. If you want a long-term, strong authentication method, use a PKI.

Considerations when choosing a pre-shared key

A pre-shared key is a sequence of characters that is configured on both the remote access server and the L2TP/IPsec client. The pre-shared key can be any non-null string of any combination of up to 256 Unicode characters. Users who utilize the New Connection wizard to create the VPN client connection must type the pre-shared key manually. A key that is long and complex enough to provide adequate security might be difficult for the majority of your users to type accurately.

When the pre-shared key is first stored, the remote access server and the VPN client attempt to convert the Unicode string into ASCII. If the attempt is successful, the ASCII version of the string will be used for authentication. This strategy ensures that the pre-shared key is not corrupted in transmission by any devices that do not comply with the Unicode standard, such as routers from other companies. If the pre-shared key cannot be stored as ASCII, the Unicode string will be used. If the Unicode pre-shared key must be processed by any device that does not comply with the Unicode standard, the connection attempt typically fails.

Pre-shared keys and the Connection Manager Administration Kit

By using the Connection Manager Administration Kit (CMAK) wizard, you can create a customized connection experience for your users. You can use the CMAK wizard to create a VPN connection profile that includes a pre-shared key. Because profiles are self-extracting, the user does not have to type in the pre-shared key or even to know that a pre-shared key exists. You can further increase the security of your Connection Manager profile distribution by encrypting the pre-shared key with a personal identification number (PIN). In this way, not only does the user never see or have to type the pre-shared key, you can distribute the profile and the PIN separately, reducing the chance that an unauthorized user might obtain access to your network.

For more information about Connection Manager, see Welcome to the Connection Manager Administration Kit.