Problem solve Get help with specific problems with your technologies, process and projects.

Using shared secrets on Win2000

We are looking at implementing a VPN in a site-to-site scenario using Windows 2000 server at the main site to terminate a tunnel but a cheaper hardware device for the small branch office (the Symantec VPN comes to mind). As I understand it, we would use IPsec over L2PT as a router-to-router tunnel rather the client-to-server PPTP protocol. I then assume that if a hardware device supports IPsec over L2PT all should be fine.

Here is what I am unsure of: I believe Win 2000 needs a digital certificate to make L2PT work, so how is this accomplished with a hardware device? Is this true?
Win2000 IPsec supports the use of shared secrets in addition to digital certificates. This should be compatible with the hardware device, although I have not tried this specific scenario.

If you do use shared secrets instead of digital certificates, make sure to create a separate secret for each pair of connections. Frequently administrators will use the same shared secret for all connections to simplify things. The problem with this is that compromising a single device provides access to the entire network -- not very secure. So, as tempting as it is to use just one or couple of shared secrets for your entire network, use different secrets for each connection and change them frequently (at least once per week).

This was last published in June 2002

Dig Deeper on Network Infrastructure

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.