Install Computer Certificates for L2TP/IPSec

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If you use an L2TP/IPSec site-to-site connection, you must install a computer certificate on both the answering router and on the calling router. You must have a certification authority (CA) in your network to issue these certificates.

You can install a computer certificate for L2TP/IPSec by using one of three methods:

  • Configure the automatic enrollment of computer certificates in a Windows Server 2003 domain system container by using Group Policy.

  • Use the Certificates snap-in to request a computer certificate.

  • Use your Web browser to connect to the CA Web enrollment pages to request a certificate.

Note

  • It is also possible to use a preshared key to provide authentication for IPSec security associations for an L2TP/IPSec connection. However, using computer certificates is the recommended method.

For information about how to create a certificate infrastructure and install computer certificates, see Certificate Services in Help and Support Center for Windows Server 2003, and see "Designing a Public Key Infrastructure" in Designing and Deploying Directory and Security Services of this kit. For more information about configuring a preshared key, see Configure a pre-shared key for a demand-dial routing interface in Help and Support Center for Windows Server 2003.