L2TP with certificate auth.

This is my goal:
I want to set up an L2TP VPN between the office and a remote client.
Gear: Win2k3 Std server in the office, WinXP Pro remote client, Zywall5 in HQ, Active Directory installed, no pre-shared key but a certificate instead for authentication, and the remote client computer is not a member of the domain!
Finally, I want to manually create a certificate in the office, save it to a USB stick and send it to the client; a password when installing it on the remote computer would be OK but is not a must-have!

DNS, Active Directory, RRAS, IIS and an Enterprise root authority are installed and working!
How can I achieve my goal?

P.S. Can PPTP be disabled and only L2TP allowed when all is finished?

Paranormastic (Cryptographic Engineer) commented:
OK, you need to open up the Certification Authority MMC and select the Certificate Templates folder, right click - New - Template to issue - select either IPSec or IPSec (Offline), depending on what you feel meets your situation best. Wait up to 15 minutes for it to replicate in AD, then try again using this template.

If you don't like the default settings, open Certificate Templates MMC and duplicate the IPSec template and adjust as desired, just don't mess with the Extensions tab, then go through and issue that to the CA as described above.
bbmservis (Author) commented:
Sorry for not responding for a long time, lots of work!
OK, this is my progress:
I only managed to get PPTP working! When trying to connect I get error 786: The L2TP connection attempt failed because there is no valid machine certificate on your computer!
Steps I followed: in the browser I navigated to http://server-ip/certsrv with admin credentials, Request a certificate, then Advanced certificate request, Create and submit a request to this CA -> Certificate Template: tried Administrator, User and Authenticated Session -> left everything default and only enabled "Store certificate in the local computer certificate store...". Installed the certificate! Same error, 786.

Paranormastic (Cryptographic Engineer) commented:
Which certificate template are you selecting? Is it actually called IPSEC or IPSEC (Offline), or something else? This is a special certificate type that needs to have the enhanced key usage "IP security IKE intermediate", which other cert types will not normally have.
bbmservis (Author) commented:
These are templates to choose:
Authenticated session
Basic EFS
EFS recovery agent
Subordinate Certification Authority
Web Server

I have tried Administrator, User and Authenticated Session!
bbmservis (Author) commented:
Still the same message: error 786!
Why, under Certificate Templates (Certification Authority MMC), do I see IPSEC but cannot choose it when requesting a certificate, and under Advanced request I don't have the option "Submit a certificate request to this CA using a form"? Instead I have this:
Create and submit a request to this CA.
Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station.

Paranormastic (Cryptographic Engineer) commented:
Try using IPSec (Offline) instead. Also make sure you have at least Read and Enroll permissions on that template (Certificate Templates MMC) for the user account.

Here is a general walkthrough of the process - hopefully something in here will stick out:
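As an added example (not part of the thread or of any Microsoft tooling), the following PowerShell check tests the conditions the replies above describe for error 786: the certificate must sit in the local computer store (Cert:\LocalMachine\My), have a private key, be within its validity period, chain to a trusted root, and carry the "IP security IKE intermediate" EKU (OID 1.3.6.1.5.5.8.2.2) that the IPSec templates add and the User/Administrator templates do not. It assumes PowerShell is available on the client; the function name Test-IkeMachineCertificate is my own.

```powershell
# Added example: list machine certificates and report why each is or is not usable for L2TP/IPsec.
# 1.3.6.1.5.5.8.2.2 is the "IP security IKE intermediate" enhanced key usage OID.
$IkeIntermediateOid = '1.3.6.1.5.5.8.2.2'

function Test-IkeMachineCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }

    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { $problems += 'outside validity period' }

    # Collect the EKU OIDs; a certificate with no EKU extension is valid for any purpose,
    # one with an EKU list must include IKE intermediate for this gateway scenario.
    $ekus = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    if ($ekus.Count -gt 0 -and $ekus -notcontains $IkeIntermediateOid) {
        $problems += "EKU lacks IP security IKE intermediate ($IkeIntermediateOid)"
    }

    # Build the chain against the machine's trusted roots (the Enterprise root CA must be installed).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build ($status)"
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Machine store: this is where RRAS/IKE looks for the certificate.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-IkeMachineCertificate $_ } | Format-Table -AutoSize

# Certificates enrolled without "Store certificate in the local computer certificate store"
# land in the user store, where IKE never finds them; list any there with the IKE EKU to spot that mistake.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { ($_.Extensions | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }) -contains $IkeIntermediateOid } |
    Select-Object Subject, Thumbprint
```

A certificate that shows Usable = True in the first table, with the gateway's CA trusted by both sides, is what the L2TP client needs; anything listed in the second table was enrolled into the wrong store.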