Including a pre-shared key

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use a pre-shared key instead of a certificate for L2TP/IPSec authentication of your VPN clients that are running Windows XP or a member of the Windows Server 2003 family. Pre-shared keys do not require a public key infrastructure (PKI) for deployment, but they are a relatively weak authentication method. You can increase the security of your pre-shared key deployment by encrypting the pre-shared key with a personal identification number (PIN), which your users must enter before the profile will install.

Advantages and disadvantages of pre-shared keys

Using pre-shared key authentication does not require the infrastructure investment of a PKI. Pre-shared keys and certificates can be used on the same remote access server. If the pre-shared key on the remote access server is changed, no pre-shared key VPN clients will be able to access the server until the pre-shared key on the clients is changed by reissuing and reinstalling the service profile. Unlike certificates, the origin and history of a pre-shared key cannot be determined. Administrators who want a long-term, strong authentication method should consider using certificates.

Considerations when creating pre-shared keys

A pre-shared key is a string of text that is configured on both the remote access server and the client. A remote access server running a member of the Windows Server 2003 family can be configured with only a single pre-shared key. All L2TP/IPSec VPN clients that connect to the remote access server using a pre-shared key must use the same pre-shared key. The pre-shared key can be any non-empty string of between 8 and 256 characters. If the pre-shared key on the remote access server and the pre-shared key presented by the VPN client differ in any way, client authentication will fail. For more information about routing and remote access on computers running any member of the Windows Server 2003 family, see Routing and Remote Access.

Increasing the security of a pre-shared key by encrypting it with a PIN

You can increase the security of the distribution of your pre-shared key profile by encrypting the pre-shared key with a PIN. By distributing the service profile and the PIN separately, you will reduce the chances that unauthorized users can install the profile and gain access to your network. A PIN must contain no fewer than 4 but no more than 15 characters. Be sure to distribute the PIN to your users in a secure manner. This PIN will be requested only when the user installs the profile.
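The following Python script is an added illustration of the two previous sections (the length rules for a pre-shared key and a PIN, the exact-match requirement, and the idea of protecting a pre-shared key with a PIN before distribution). It is not Connection Manager code and does not reproduce the format that the Connection Manager Administration Kit writes into a service profile; the PBKDF2 iteration count, the salt size, and the HMAC-based wrapping scheme are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Length rules stated on the page: PSK 8..256 characters, PIN 4..15 characters.
PSK_MIN, PSK_MAX = 8, 256
PIN_MIN, PIN_MAX = 4, 15

# Assumed values for this example (not CMAK's): PBKDF2 work factor and salt size.
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16
TAG_LEN = 32


def validate_psk(psk: str) -> bool:
    """True if psk is a non-empty string of 8 to 256 characters."""
    return isinstance(psk, str) and PSK_MIN <= len(psk) <= PSK_MAX


def validate_pin(pin: str) -> bool:
    """True if pin is 4 to 15 characters long."""
    return isinstance(pin, str) and PIN_MIN <= len(pin) <= PIN_MAX


def psk_matches(server_psk: str, client_psk: str) -> bool:
    """Server and client keys must be identical; any deviation fails.
    A constant-time compare keeps the check itself from leaking how far the match got."""
    return hmac.compare_digest(server_psk.encode("utf-8"), client_psk.encode("utf-8"))


def _derive_keys(pin: str, salt: bytes) -> Tuple[bytes, bytes]:
    # Stretch the short PIN into an encryption key and a separate MAC key.
    material = hashlib.pbkdf2_hmac(
        "sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(enc_key: bytes, salt: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (stdlib only, no AES needed).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, salt + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap_psk(psk: str, pin: str) -> bytes:
    """Encrypt a pre-shared key under a PIN; returns salt || tag || ciphertext."""
    if not validate_psk(psk):
        raise ValueError("pre-shared key must be 8 to 256 characters")
    if not validate_pin(pin):
        raise ValueError("PIN must be 4 to 15 characters")
    salt = secrets.token_bytes(SALT_LEN)
    enc_key, mac_key = _derive_keys(pin, salt)
    plaintext = psk.encode("utf-8")
    stream = _keystream(enc_key, salt, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    # Authenticate salt and ciphertext so a tampered profile is rejected, not decrypted.
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return salt + tag + ciphertext


def unwrap_psk(blob: bytes, pin: str) -> Optional[str]:
    """Recover the pre-shared key; returns None on a wrong PIN or a modified blob."""
    if len(blob) < SALT_LEN + TAG_LEN + PSK_MIN:
        return None
    salt = blob[:SALT_LEN]
    tag = blob[SALT_LEN:SALT_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + TAG_LEN:]
    enc_key, mac_key = _derive_keys(pin, salt)
    expected = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong PIN or tampering: verify before decrypting
    stream = _keystream(enc_key, salt, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    blob = wrap_psk("CorrectHorseBatteryStaple", "2468")
    print("unwrapped with right PIN:", unwrap_psk(blob, "2468"))
    print("unwrapped with wrong PIN:", unwrap_psk(blob, "2469"))
```

The design choice worth noting is why the PIN is distributed separately from the profile: a 4-character numeric PIN has only ten thousand possible values, so someone holding both the profile and a fast guessing loop would recover the key; the PBKDF2 work factor slows each guess but cannot make a short PIN strong. Verifying the tag before decrypting also means a modified profile is simply refused rather than yielding a garbled key.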

Configuring a service profile to use a pre-shared key

To configure a service profile to use a pre-shared key:

  1. On the VPN Entries pane, click the VPN entry that you want to configure to use a pre-shared key, and click Edit.

  2. On the Security tab, under Common security settings, click Configure.

  3. Under VPN strategy, click Use L2TP/IPSec if available, and select the Use a pre-shared key when using L2TP/IPSec check box. Finish configuring any other aspects of security that your profile requires, and click OK.

  4. Edit each VPN entry that requires a pre-shared key, and click Next.

  5. On the Pre-shared Key pane, type a pre-shared key.

  6. Do one of the following:

    • Type a PIN to encrypt the pre-shared key.

    • Clear the Encrypt the pre-shared key using a PIN check box.

  7. Click Next, and finish building the profile.