Including a Preshared Key

Applies To: Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 Foundation, Windows Server 2008 R2, Windows Server 2012, Windows Vista

You can use a preshared key instead of a certificate for L2TP/IPSec authentication of your VPN clients. Preshared keys do not require a public key infrastructure (PKI) for deployment, but they are a relatively weak authentication method: one secret is shared by the server and every client, so it is only as safe as the least protected copy. You can increase the security of your preshared key deployment by encrypting the preshared key with a personal identification number (PIN), which your users must enter before the profile will install. The PIN protects the profile while it is being distributed; it does not strengthen the key itself.

Security Note
We recommend that you do not use preshared keys. Use a more secure authentication method, such as certificates.

Considerations when creating preshared keys

  • Preshared keys and certificates can be used on the same remote access server.

  • If the preshared key on the remote access server is changed, no preshared key VPN client will be able to access the server until the preshared key on each client is changed by reissuing and reinstalling the connection profile.

  • A preshared key is a string of text that is configured on both the remote access server and the client. A remote access server can be configured with only a single preshared key. All L2TP/IPSec VPN clients that connect to the remote access server using a preshared key must use the same preshared key. The preshared key can be any non-null string of between 8 and 256 characters. If there is any difference between the preshared key on the remote access server and the preshared key presented by the VPN client, client authentication fails. Because every client shares the one key, the compromise of any single client or of any copy of the profile exposes the key for all of them, and replacing it means reissuing every profile.

Increasing the security of a preshared key by encrypting it with a PIN

You can help increase the security of the distribution of your preshared key profile by encrypting the preshared key with a PIN. By distributing the connection profile and the PIN separately, you reduce the chances that unauthorized users can install the profile and gain access to your network. A PIN must contain no fewer than 4 but no more than 15 characters. Be sure to distribute the PIN to your users in a secure manner. This PIN will be requested only when the user installs the profile.

We recommend that, if you must use a preshared key, you encrypt it with a full 15 character PIN.

Configuring a connection profile to use a preshared key

To configure a connection profile to use a preshared key

  1. On the VPN Entries page, click the VPN entry that you want to configure to use a preshared key, and then click Edit.

  2. On the Security tab, under Common security settings, click Configure.

  3. Under VPN strategy, click Only use Layer Two Tunneling Protocol (L2TP) or Try Layer Two Tunneling Protocol First.

  4. Click Advanced, and on the L2TP tab, select Use a preshared key, and then click OK.

  5. Repeat for each VPN entry that requires a preshared key, and then click Next.

  6. On the Preshared Key page, type a preshared key.

  7. Do one of the following:

    • Type a PIN to encrypt the preshared key.

    • Clear the Encrypt the preshared key using a PIN check box (Not recommended).

  8. Click Next, and finish creating or editing the profile.
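
The following Windows PowerShell script is an added example, not part of this CMAK documentation. It generates a preshared key and a PIN from the .NET cryptographic random number generator so that both satisfy the limits stated above (a non-null key of 8 to 256 characters; a PIN of 4 to 15 characters), and it checks a candidate value against those limits before you type it in step 6 or step 7. The length constants, function names and character sets are this example's own choices, not CMAK or RRAS settings.

```powershell
# Added example, not part of the original CMAK documentation.
# Generates a preshared key and a PIN inside the limits the page states
# (key: non-null, 8 to 256 characters; PIN: 4 to 15 characters) using the
# .NET cryptographic RNG, and validates candidate values against those
# limits. Constant names, function names and alphabets are this example's
# own choices, not CMAK or RRAS identifiers.

$PskMinLength = 8
$PskMaxLength = 256
$PinMinLength = 4
$PinMaxLength = 15

# Key alphabet: characters that type cleanly on the RRAS server and in the
# CMAK wizard and survive copy and paste (no spaces or quotes). 73 symbols.
$PskAlphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%&*+-=?@_'
# PIN alphabet: drops 0/O and 1/I/l, since users read the PIN off paper or a phone.
$PinAlphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'

function New-RandomString {
    param([int]$Length, [char[]]$Alphabet)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    # Rejection-sampling bound: 32-bit values at or above it are discarded so
    # that every alphabet character is equally likely after the modulo.
    [uint64]$limit = 4294967296 - (4294967296 % $Alphabet.Length)
    $sb = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Length; $i++) {
        do {
            $rng.GetBytes($bytes)
            [uint64]$n = [BitConverter]::ToUInt32($bytes, 0)
        } while ($n -ge $limit)
        [void]$sb.Append($Alphabet[[int]($n % $Alphabet.Length)])
    }
    return $sb.ToString()
}

function Test-PresharedKey {
    param([string]$Key)
    # The page's rule: any non-null string of 8 to 256 characters.
    if ([string]::IsNullOrEmpty($Key)) { return $false }
    return ($Key.Length -ge $PskMinLength) -and ($Key.Length -le $PskMaxLength)
}

function Test-ProfilePin {
    param([string]$Pin)
    # The page's rule: no fewer than 4 and no more than 15 characters.
    if ([string]::IsNullOrEmpty($Pin)) { return $false }
    return ($Pin.Length -ge $PinMinLength) -and ($Pin.Length -le $PinMaxLength)
}

# 64 characters from a 73-symbol alphabet is roughly 396 bits of entropy; the
# 8-character minimum the wizard accepts is not a safe choice for a secret
# shared by every client. The PIN uses the full 15 characters, as recommended.
$psk = New-RandomString -Length 64 -Alphabet $PskAlphabet
$pin = New-RandomString -Length $PinMaxLength -Alphabet $PinAlphabet

if (-not (Test-PresharedKey $psk)) { throw 'Generated key is outside the 8-256 character range' }
if (-not (Test-ProfilePin $pin))   { throw 'Generated PIN is outside the 4-15 character range' }

# Both values are secrets: enter the key on the RRAS server and on the CMAK
# Preshared Key page (step 6), enter the PIN in step 7, then clear this
# console and any transcript. Hand the PIN to users separately from the profile.
Write-Output "Preshared key: $psk"
Write-Output "Profile PIN:   $pin"
```

Because every client shares the one key, the key's entropy, not the PIN, is what protects the tunnel; the PIN only gates installation of the profile. On Windows 8 or Windows Server 2012 and later, the VpnClient cmdlets (Add-VpnConnection with -TunnelType L2tp and -L2tpPsk, a rasdial test, then Remove-VpnConnection) can confirm that the key configured on the server matches before you build and distribute the profile; those cmdlets are separate from CMAK and are not present on the older systems in the Applies To list.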

Additional references