This article discusses how to configure a preshared key for use with Layer 2 Tunneling Protocol (L2TP).
Applies to: Windows Server 2003
Original KB number: 324258
Summary
By default, to use L2TP/IPsec in Microsoft Windows Server 2003 you must have a public key infrastructure (PKI) that issues computer certificates to both the virtual private network (VPN) server and its clients, because the Internet Key Exchange (IKE) authentication that protects the L2TP tunnel is performed with those certificates.
With Windows Server 2003, you can instead use a preshared key for IKE authentication. This feature is useful in environments that do not yet have a PKI, or where Windows Server 2003 L2TP servers or clients must connect to third-party VPN devices that support only preshared keys.
Note
Microsoft does not encourage the use of preshared keys, because a preshared key is a less secure authentication method than certificates: the server has a single key that is shared with every client, so anyone who learns it (including any existing client) can pose as the server to the others. Preshared keys are not meant to replace certificates; they are an additional method for testing and internal operations. Microsoft strongly recommends that you use certificates with L2TP whenever possible.
The following sections describe how to configure the preshared key on the L2TP client and on the server. If Windows Server 2003 is used for both the client and the VPN server, complete both sections; L2TP with a preshared key works only when both sides are configured with the same key. If you use a Windows Server 2003 VPN client with a third-party VPN server, follow only the Configure a preshared key on a VPN client section of this article, and configure the same preshared key on the third-party device.
Configure a preshared key on a VPN client
1. In Control Panel, double-click Network Connections.
2. Under Virtual Private Network, right-click the connection for which you want to use a preshared key, and then click Properties.
3. Click the Security tab.
4. Click IPSec Settings.
Note
The IPSec Settings button is unavailable (shaded) if Type of VPN on the Networking tab is set to PPTP VPN. A preshared key can be configured only if Type of VPN is set to L2TP IPSec VPN or Automatic.
5. Click to select the Use preshared key for authentication check box.
6. In the Key box, type the preshared key value. This value must match the preshared key value that is entered on the VPN server.
7. Click OK two times.
Configure a preshared key on a VPN server
1. Start the Routing and Remote Access snap-in. To do this, click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. Right-click the server that you want to configure with the preshared key, and then click Properties.
3. Click the Security tab.
4. Click to select the Allow custom IPSec policy for L2TP connection check box.
5. In the Preshared key box, type the preshared key value. This value must match the preshared key value entered on the VPN client.
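The Summary above says the preshared key takes the place of certificates as the IKE authentication credential, and both procedures insist that the value typed on the client match the value typed on the server. The following is an added example, not code from the KB article or from Windows, showing the phase-1 math that makes both statements true: IKEv1 main-mode preshared-key authentication from RFC 2409 section 5.4, run for both peers in Python. The 1024-bit MODP group and the SKEYID/HASH formulas are the RFC's; the cookies, nonces, identities (192.168.0.10 and 192.168.0.1), the SA payload body and the key strings are constructed for the example.

```python
"""IKEv1 main-mode preshared-key authentication (RFC 2409 section 5.4),
reduced to the key derivation and HASH exchange. Added example; not code
from the KB article or from Windows. DH group, prf and HASH layout follow
the RFC; cookies, nonces, identities and the SA body are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# 1024-bit MODP prime from RFC 2409 (Oakley group 2), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf is HMAC keyed with `key` over the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes(P.bit_length() // 8, "big")


@dataclass
class Peer:
    psk: bytes      # the preshared key typed into the client or server dialog
    ident: bytes    # ID payload body (ID_IPV4_ADDR), sent encrypted in message 5/6
    cky: bytes      # 8-byte ISAKMP cookie
    x: int          # DH private exponent
    nonce: bytes    # Ni_b or Nr_b, sent in the clear in message 3/4

    def public(self) -> int:
        return pow(G, self.x, P)


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b): the PSK enters the exchange only here."""
    return prf(psk, ni + nr)


def skeyid_e(sk: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    """Encryption key for the ISAKMP SA; needs both SKEYID (hence the PSK) and g^xy."""
    d = prf(sk, gxy + cky_i + cky_r + b"\x00")
    a = prf(sk, d + gxy + cky_i + cky_r + b"\x01")
    return prf(sk, a + gxy + cky_i + cky_r + b"\x02")


def hash_i(sk, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)"""
    return prf(sk, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(sk, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)"""
    return prf(sk, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def main_mode(init: Peer, resp: Peer, sai_b: bytes) -> dict:
    """Phase-1 authentication math for both sides. A real responder aborts after a
    bad HASH_I instead of sending message 6; both checks are computed here so the
    result shows what each side would see."""
    gxi, gxr = to_bytes(init.public()), to_bytes(resp.public())
    # Each side derives SKEYID from ITS OWN preshared key and the two cleartext nonces.
    sk_i = skeyid(init.psk, init.nonce, resp.nonce)
    sk_r = skeyid(resp.psk, init.nonce, resp.nonce)
    # Message 5: initiator sends IDii and HASH_I; responder recomputes and compares.
    sent_hash_i = hash_i(sk_i, gxi, gxr, init.cky, resp.cky, sai_b, init.ident)
    resp_ok = hmac.compare_digest(
        sent_hash_i, hash_i(sk_r, gxi, gxr, init.cky, resp.cky, sai_b, init.ident))
    # Message 6: responder sends IDir and HASH_R; initiator verifies the same way.
    sent_hash_r = hash_r(sk_r, gxi, gxr, init.cky, resp.cky, sai_b, resp.ident)
    init_ok = hmac.compare_digest(
        sent_hash_r, hash_r(sk_i, gxi, gxr, init.cky, resp.cky, sai_b, resp.ident))
    # Session keys agree only when SKEYID agreed, i.e. when both sides typed the same key.
    ke_i = skeyid_e(sk_i, to_bytes(pow(resp.public(), init.x, P)), init.cky, resp.cky)
    ke_r = skeyid_e(sk_r, to_bytes(pow(init.public(), resp.x, P)), init.cky, resp.cky)
    return {"server_accepts_client": resp_ok,
            "client_accepts_server": init_ok,
            "session_keys_match": ke_i == ke_r}


def make_peer(psk: bytes, ipv4: str) -> Peer:
    ident = bytes(int(o) for o in ipv4.split("."))     # ID_IPV4_ADDR body
    return Peer(psk, ident, secrets.token_bytes(8),
                secrets.randbelow(P - 2) + 1, secrets.token_bytes(20))


def demo(client_psk: bytes, server_psk: bytes) -> dict:
    """Client 192.168.0.10 dials server 192.168.0.1 (constructed addresses)."""
    client = make_peer(client_psk, "192.168.0.10")
    server = make_peer(server_psk, "192.168.0.1")
    sai_b = b"\x00\x00\x00\x01\x03\x01\x01"   # constructed stand-in for the SA payload body
    return main_mode(client, server, sai_b)


if __name__ == "__main__":
    print("same key on both sides: ", demo(b"Example-PSK-2003", b"Example-PSK-2003"))
    print("keys differ by one char:", demo(b"Example-PSK-2003", b"Example-PSK-2004"))
```

Running the script prints all three checks as True for matching keys and all False when the keys differ by one character: the server never gets past HASH_I, which is what surfaces as an IKE negotiation failure when the two dialogs above hold different values. Two properties of the derivation are worth noting against the Note in the Summary. The PSK feeds only SKEYID, and SKEYID_e also needs g^xy, so a passive listener who knows the key cannot decrypt the negotiation; but since there is nothing in HASH_R beyond SKEYID and public values, any holder of the shared key can run the responder side of this exchange and be accepted by the client as the server.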