Computer-Level Authentication

Applies To: Windows Server 2008, Windows Server 2008 R2

The only site-to-site connection technology that provides computer-level authentication is an L2TP/IPsec VPN connection. Computer-level authentication occurs in one of two ways:

  • Computer certificates are exchanged by the calling and answering routers. Computer-level authentication requires that you deploy a public key infrastructure (PKI). Although computer certificate authentication requires more administrative overhead for initial setup than pre-shared keys do, it is the recommended method because it provides stronger computer authentication. Windows Server 2008 R2 and Windows Server 2008 support the automatic enrollment of certificates, which makes certificate deployment and management easier than using pre-shared keys over the long term.

  • Pre-shared keys are exchanged during the establishment of the IPsec security association (SA). Support for pre-shared keys requires that you run Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 on both VPN routers. A pre-shared key is a text string that is configured on both the calling and the answering router.

    Security Note
    We recommend that you do not use pre-shared keys in a production environment. Use them only in a lab environment.

The IPsec Internet Key Exchange (IKE) protocol can use either certificate-based or pre-shared key authentication to negotiate security for L2TP traffic.
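Before enabling certificate-based computer authentication on either router, an administrator will want to confirm that a suitable computer certificate is actually present in the local machine store. The following PowerShell check is an added example, not part of the original article; it assumes that a usable certificate has a private key, is within its validity period, chains to a trusted root, and either carries the Server Authentication or Client Authentication EKU or has no EKU extension at all.

```powershell
# Added example (not from the original article): report which certificates in
# LocalMachine\My look usable for IPsec computer-level authentication.
# Assumed criteria: private key present, currently valid, chain verifies, and
# EKU is absent or includes Server Authentication (1.3.6.1.5.5.7.3.1) or
# Client Authentication (1.3.6.1.5.5.7.3.2).
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

function Test-IpsecComputerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $reasons = @()
    $now = Get-Date

    if (-not $Cert.HasPrivateKey) { $reasons += 'no private key' }
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) {
        $reasons += 'outside validity period'
    }
    # Verify() builds the chain against the machine's trusted roots and
    # honors revocation settings configured on the host.
    if (-not $Cert.Verify()) { $reasons += 'chain does not verify to a trusted root' }

    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($ekuExt) {
        $oids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if (-not ($oids -contains $serverAuthOid -or $oids -contains $clientAuthOid)) {
            $reasons += 'EKU lacks Server or Client Authentication'
        }
    }

    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Expires    = $Cert.NotAfter
        Usable     = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Run against every certificate in the local machine personal store and
# summarize which ones the router could present during IKE negotiation.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-IpsecComputerCertificate $_ } |
    Format-Table Subject, Expires, Usable, Reasons -AutoSize
```

Run the check on both the calling and the answering router; a certificate reported as not usable on either side will cause IKE certificate authentication to fail even though the L2TP/IPsec interface itself is configured correctly.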