Install Computer Certificates for L2TP/IPsec

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

If you use a Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPsec) site-to-site connection, you must install a computer certificate on both the answering router and on the calling router. You must have a certification authority (CA) in your network to issue these certificates.

You can install a computer certificate for L2TP/IPsec by using one of three methods:

  • Configure the automatic enrollment of computer certificates in a Windows ServerĀ 2008 domain by using Group Policy.

  • Use the Certificates snap-in to request a computer certificate.

  • Use your Web browser to connect to the CA Web enrollments pages to request a certificate.


It is also possible to use a pre-shared key to provide authentication for IPsec security associations for an L2TP/IPsec connection. However, using computer certificates is the recommended method.

For information about how to create a certificate infrastructure and install computer certificates, see Appendix A: Computer Certificates for VPN Connections in the Routing and Remote Access Services Design Guide.