Using Certificates for Windows 2000 and Cisco IOS VPN Interoperation
Article ID: 249125 - Last Review: March 1, 2007 - Revision: 4.2
This article was previously published under Q249125
SUMMARY
Windows 2000 can use a computer certificate for Internet Key Exchange (IKE) authentication to establish an IP Security (IPSec) tunnel or a Layer 2 Tunneling Protocol (L2TP) over IPSec session. IPSec can use certificates from Microsoft, Verisign, Entrust, Netscape, or any other Certificate Authority (CA).
MORE INFORMATION
IKE can use a variety of certificates that meet the following criteria:
Cisco Internetwork Operating System (IOS) uses a Cisco proprietary protocol, Simple Certificate Enrollment Protocol (SCEP), to contact a CA, obtain a certificate, and install the root certificate trust. This is the only way to obtain a certificate for a Cisco router, so only CAs that support SCEP can be used for online enrollment. The resource kit for Windows 2000 Server includes an add-on (Cepsetup.exe) that allows the Microsoft CA to use SCEP. With it, Windows 2000 and Cisco IOS can obtain certificates from the same CA and establish IPSec tunnels and L2TP/IPSec sessions among themselves using those certificates.

On Windows 2000, the certificate and its private key are stored in the personal certificate store for the computer account, and the certificate's trusted root certificate is stored in the trusted root store for the computer account.

Cisco IOS does not currently support Extensible Authentication Protocol (EAP), so the advanced capability of the Windows 2000 Point-to-Point Tunneling Protocol (PPTP) and L2TP/IPSec clients to perform certificate-based user authentication with a smart card is not available.

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
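The router side of the enrollment and IKE setup described above, as an added configuration example that is not part of the original article. Host names, addresses, the trustpoint name MSCA and the transform-set name W2K are assumed placeholders; the commands use the IOS 12.2-era "crypto ca trustpoint" syntax (older images use "crypto ca identity"), and the MSCEP URL path is the one installed by the Cepsetup.exe add-on.

```cisco
! Assumed names and addresses (placeholders, not from the article):
!   router host name  : vpngw.example.test
!   Microsoft CA host : ca.example.test (SCEP add-on installed by Cepsetup.exe)
hostname vpngw
ip domain-name example.test
ip host ca.example.test 192.0.2.10
!
! RSA key pair that the router certificate will be bound to.
crypto key generate rsa general-keys modulus 1024
!
! SCEP enrollment against the MSCEP endpoint on the Microsoft CA.
! "enrollment mode ra" because MSCEP fronts the CA as a registration authority.
! "crl optional" (later images: "revocation-check none") keeps IKE working if
! the router cannot reach the CA's CRL distribution point.
crypto ca trustpoint MSCA
 enrollment mode ra
 enrollment url http://ca.example.test/certsrv/mscep/mscep.dll
 crl optional
!
! Step 1: fetch the CA root certificate; compare the fingerprint IOS prints
!         with the one shown on the CA before accepting it as a trusted root.
! Step 2: request the router certificate; IOS prompts for the one-time
!         challenge password displayed by the MSCEP enrollment page.
crypto ca authenticate MSCA
crypto ca enroll MSCA
!
! IKE phase 1 authenticated with the certificate (rsa-sig), not a pre-shared key.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
!
! Transport-mode IPSec, as used by Windows 2000 L2TP/IPSec clients.
crypto ipsec transform-set W2K esp-3des esp-sha-hmac
 mode transport
!
! Dynamic map so that clients with unknown addresses can negotiate.
crypto dynamic-map DYN 10
 set transform-set W2K
crypto map VPN 10 ipsec-isakmp dynamic DYN
!
interface FastEthernet0/0
 crypto map VPN
```

After enrollment, "show crypto ca certificates" should list both the CA certificate and the router certificate issued by the same CA that the Windows 2000 computer trusts.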