Article ID: 249125 - View products that this article applies to.
This article was previously published under Q249125
This article has been archived. It is offered "as is" and will no longer be updated.
Windows 2000 can use a computer certificate for Internet Key Exchange (IKE) authentication to establish an IP Security (IPSec) tunnel or a Layer 2 Tunneling Protocol (L2TP) over IPSec session. IPSec can use certificates from Microsoft, Verisign, Entrust, Netscape, or any other Certificate Authority (CA).
IKE can use a variety of certificates that meet the following criteria:
Cisco Internetwork Operating System (IOS) uses a Cisco proprietary protocol, Simple Certificate Enrollment Protocol (SCEP), to contact a CA to obtain a certificate and install the root certificate trust. This is the only way to obtain a certificate to a Cisco router, and only CAs that support SCEP can be used online to enroll. The resource kit for Windows 2000 Server includes an add-on (Cepsetup.exe), that allows the Microsoft CA to use SCEP. This allows Windows 2000 and Cisco IOS to obtain a certificate from the same CA and enables them to establish IPSec tunnels and L2TP/IPSec sessions among themselves using certificates.
The certificate and its private key are stored in the personal certificate store for the computer account in Windows 2000. The certificate has a trusted root certificate stored in the trusted root store for the computer account.
Cisco IOS does not currently support Extensible Authentication Protocol (EAP), so the advanced capability of the Windows 2000 Point-to-Point Tunneling Protocol (PPTP) and L2TP/IPSec clients to use certificate-based user authentication using a smart card is not available.
The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.