Install Computer Certificates for L2TP/IPsec
Updated: April 30, 2010
Applies To: Windows Server 2008, Windows Server 2008 R2
If you use a Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPsec) site-to-site connection, you must install a computer certificate on both the answering router and on the calling router. You must have a certification authority (CA) in your network to issue these certificates.
You can install a computer certificate for L2TP/IPsec by using one of three methods:
Configure the automatic enrollment of computer certificates in a Windows Server 2008 domain by using Group Policy.
Use the Certificates snap-in to request a computer certificate.
Use your Web browser to connect to the CA Web enrollment pages to request a certificate.
It is also possible to use a pre-shared key to provide authentication for IPsec security associations for an L2TP/IPsec connection. However, using computer certificates is the recommended method.
For information about how to create a certificate infrastructure and install computer certificates, see Appendix A: Computer Certificates for VPN Connections in the Routing and Remote Access Services Design Guide.
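Whichever enrollment method is used, the result can be checked on both the answering router and the calling router. The following PowerShell script is an added example, not part of the original article: it lists the certificates in the local computer's Personal store and reports any that lack a private key, are outside their validity period, were not issued by the expected CA, or fail chain validation. The issuer name `CN=Example-Issuing-CA` is a placeholder assumption; replace it with the name of your own CA.

```powershell
# Added example: run on the answering router and on the calling router.
param(
    [string]$ExpectedIssuer = 'CN=Example-Issuing-CA'  # placeholder (assumption): your CA's name
)

function Test-ComputerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Issuer,
        [datetime]$Now = (Get-Date)
    )
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }
    if ($Now -lt $Cert.NotBefore) { $problems += 'not yet valid' }
    if ($Now -gt $Cert.NotAfter)  { $problems += 'expired' }
    if ($Cert.Issuer.IndexOf($Issuer, [StringComparison]::OrdinalIgnoreCase) -lt 0) {
        $problems += 'unexpected issuer'
    }
    # Verify() builds the chain to a trusted root using the basic validation policy.
    if (-not $Cert.Verify()) { $problems += 'chain does not validate' }

    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Computer certificates live in the local computer's Personal store.
$results = @(Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ComputerCertificate -Cert $_ -Issuer $ExpectedIssuer })

$results | Format-List Subject, Issuer, Thumbprint, NotAfter, Usable, Problems

if (@($results | Where-Object { $_.Usable }).Count -eq 0) {
    Write-Warning 'No usable computer certificate found in LocalMachine\My.'
}
```

Run the script from an elevated PowerShell prompt on each router, and confirm that at least one certificate is reported as usable on both sides before testing the connection.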