Choosing Computer Certificates or Preshared Keys for Computer-Level Authentication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The only site-to-site connection technology that provides computer-level authentication is an L2TP/IPSec VPN connection. Computer-level authentication occurs in one of two ways:

  • Computer certificates: the exchange of computer certificates by the calling and answering routers. Certificate-based computer authentication requires that you deploy a public key infrastructure (PKI). Although computer certificate authentication requires more administrative overhead for initial setup than does the use of preshared keys, it is the recommended method because it provides stronger computer authentication than the preshared keys method. Windows Server 2003 supports the automatic enrollment of certificates, which makes certificate deployment and management easier than using preshared keys over the long term.

  • Preshared keys: the exchange of preshared keys during the establishment of the IPSec security association (SA). Support for preshared keys is new with Windows Server 2003, and it requires running Windows Server 2003 on both VPN routers. A preshared key is a text string that is configured on both the calling and the answering router. Because a preshared key is a weaker computer authentication method than certificate authentication, Microsoft recommends that you use preshared key authentication only during the time you are deploying a PKI to enable the use of certificates. Using preshared key authentication is not as secure as using computer certificates, but it requires less administrative overhead.

The IPSec Internet Key Exchange (IKE) protocol can use either certificate-based or preshared key authentication to negotiate security for the L2TP traffic.
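To make concrete what the two routers actually prove to each other in preshared key mode, the following is an added illustration (not Microsoft code, and not a Windows Server 2003 implementation) that models the IKE main mode authentication hashes from RFC 2409 using HMAC-SHA1 as the prf. The nonces, cookies, Diffie-Hellman public values and SA proposal body are constructed sample values, and the router identities and key strings are hypothetical. It shows that a tunnel only establishes when both routers hold the same string, that a typo on one router makes both sides reject, and that the answering router cannot tell which calling router it is talking to beyond "the peer knows the key", which is the reason the preshared key method is rated weaker than per-computer certificates:

```python
"""Model of IKEv1 (RFC 2409) main-mode authentication with a preshared key.
Added example, not Microsoft code: it shows what each router proves to the other
and why the shared text string is the whole secret."""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with the negotiated hash (HMAC-SHA1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """Preshared-key mode: SKEYID = prf(pre-shared-key, Ni_b | Nr_b).

    In certificate (signature) mode, SKEYID = prf(Ni_b | Nr_b, g^xy) and each
    router proves its identity by signing HASH_I / HASH_R with the private key
    belonging to its own certificate; that branch is not modelled here.
    """
    return prf(psk, ni + nr)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai, idii):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai + idii)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai, idir):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai + idir)


# Constructed stand-ins for the values the two routers exchange in the first
# four main-mode messages (not captured traffic; fixed so the run is repeatable).
EXCHANGE = {
    "ni": bytes.fromhex("11" * 16), "nr": bytes.fromhex("22" * 16),      # nonces
    "gxi": bytes.fromhex("33" * 32), "gxr": bytes.fromhex("44" * 32),    # DH public values
    "cky_i": bytes.fromhex("55" * 8), "cky_r": bytes.fromhex("66" * 8),  # ISAKMP cookies
    "sai": b"constructed-SA-proposal-body",                              # SAi_b
}


def run_main_mode(initiator_psk, responder_psk, idii=b"10.0.1.1", idir=b"10.0.2.1", x=EXCHANGE):
    """Return (responder_accepts_initiator, initiator_accepts_responder).

    Hypothetical identities: the calling router claims idii, the answering
    router claims idir; each side only ever sees its own configured key."""
    sk_init = skeyid_psk(initiator_psk, x["ni"], x["nr"])  # calling router's view
    sk_resp = skeyid_psk(responder_psk, x["ni"], x["nr"])  # answering router's view
    common = (x["gxi"], x["gxr"], x["cky_i"], x["cky_r"], x["sai"])

    # Message 5: initiator sends HASH_I; responder recomputes it with its own key.
    resp_ok = hmac.compare_digest(hash_i(sk_init, *common, idii),
                                  hash_i(sk_resp, *common, idii))
    # Message 6: responder sends HASH_R; initiator recomputes it with its own key.
    init_ok = hmac.compare_digest(hash_r(sk_resp, *common, idir),
                                  hash_r(sk_init, *common, idir))
    return resp_ok, init_ok


def accepted_identities(psk, claimed_ids):
    """Identities the answering router accepts from a peer that knows the key.

    With one shared string every claimed identity verifies, so the answering
    router learns only that the peer knows the key, not which router it is.
    A certificate binds the proof to one computer's private key instead."""
    return [i for i in claimed_ids if run_main_mode(psk, psk, idii=i)[0]]


if __name__ == "__main__":
    print(run_main_mode(b"shared-key", b"shared-key"))            # (True, True)
    print(run_main_mode(b"shared-key", b"typo-on-one-router"))    # (False, False)
    print(accepted_identities(b"shared-key", [b"10.0.1.1", b"10.0.9.9"]))
```

The mismatch case is the one you see operationally when a key was retyped differently on the two routers: both sides fail at the authentication step, so a failed L2TP/IPSec main mode between two Windows Server 2003 routers is worth checking for a preshared key mismatch before looking elsewhere. The `accepted_identities` result is the structural reason the text recommends keys only as an interim measure until certificates are in place.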

For more information about creating a certificate infrastructure, see Certificate Services in Help and Support Center for Windows Server 2003, and see "Designing a Public Key Infrastructure" in Designing and Deploying Directory and Security Services of this kit. For more information about key exchange, see Internet Key Exchange in Help and Support Center for Windows Server 2003.