This article was previously published under Q248711
This article has been archived. It is offered "as is" and will no longer be updated.
Two types of mutual authentication are supported for use with Layer 2 Tunneling Protocol (L2TP)/IP Security Protocol (IPSec): Certificate Authority and Preshared Key. Kerberos authentication is not supported for use with L2TP/IPSec.
Windows 2000 automatically creates an IPSec filter that uses certificates. This type of authentication requires no configuration except a local computer certificate. If no certificates are found, the connection does not succeed. For a description of this automatic filter, see the following article in the Microsoft Knowledge Base:
248750 Description of the IPSec Policy Created for L2TP/IPSec
Microsoft recommends using a Certificate Authority because doing so introduces a trusted third party and certificates are stored in a non-viewable format.
Because an IPSec policy for L2TP/IPSec that uses certificates is automatically created, you must disable the automatic policy and configure IPSec to use Preshared Keys. To configure L2TP/IPSec to use Preshared Key, see the following article in the Microsoft Knowledge Base:
240262 How to Configure a L2TP/IPSec Connection Using Pre-shared Key Authentication
You should use Preshared Key only for testing purposes because the preshared key is stored in a viewable format (from the local computer) and is not from a trusted third party.
Kerberos authentication is not supported for use with L2TP/IPSec.