L2TP with certificate auth.

bbmservis asked
Medium Priority
Last Modified: 2013-12-05
This is my goal:
I want to set up an L2TP VPN between the office and a remote client.
Gear: win2k3 std server in office --- winxp pro remote client, Zywall5 in HQ, Active Directory installed, no pre-shared key but a certificate instead for authentication, and the remote client computer is not a member of the domain!
Finally, I want to manually create a certificate in the office, save it to a USB stick and send it to the client; a password when installing it on the remote computer would be OK but is not a must-have!

DNS, Act. Directory, RRAS, IIS and Enter. root authority are installed and working!
How can I achieve my goal?

P.S. Can PPTP be disabled and only L2TP allowed when all is finished!?

Paranormastic (Cryptographic Engineer)



Sorry for not responding for a long time, lots of work!
OK, this is my progress:
I only managed to get PPTP working! When trying to connect: error 786: The L2TP connection attempt failed
because there is no valid machine certificate on your computer!
Steps I followed: in a browser navigated to http://server-ip/certsrv, admin credentials, Request a certificate,
then Advanced certificate request, Create and submit a request to this CA -> Certificate Template: tried Administrator, User and Authenticated Session -> left everything default and only enabled "Store certificate in the local computer certificate store...". Installed certificate! Same error, 786.
Paranormastic (Cryptographic Engineer)

Which certificate template are you selecting?  Is it actually called IPSEC or IPSEC (Offline), or something else?  This is a special certificate type that needs to have the enhanced key usage "IP security IKE intermediate", which other cert types will not normally have.


These are the templates to choose from:
Authenticated Session
Basic EFS
EFS Recovery Agent
Subordinate Certification Authority
Web Server

I have tried Administrator, User and Authenticated Session!
Cryptographic Engineer
Ok, you need to open up the Certification Authority MMC and select the Certificate Templates folder, right click - New - Template to issue - select either IPSec or IPSec (Offline), depending on what you feel meets your situation best.  Wait up to 15 minutes for it to replicate in AD, then try again using this template.

If you don't like the default settings, open Certificate Templates MMC and duplicate the IPSec template and adjust as desired, just don't mess with the Extensions tab, then go through and issue that to the CA as described above.
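A check a client-side troubleshooter can run before retrying the connection, added here as an example and not part of the thread: it lists every certificate in the Local Computer Personal store and flags the conditions the expert describes (the "IP security IKE intermediate" EKU, OID 1.3.6.1.5.5.8.2.2; a private key; validity; a chain to a trusted root). It assumes a PowerShell prompt run as an administrator on the client; the output field names are this example's own.

```powershell
# Added example: inspect Cert:\LocalMachine\My for a certificate that an L2TP/IPsec
# client can actually use for machine authentication (cause of error 786 when absent).
$IkeIntermediateOid = '1.3.6.1.5.5.8.2.2'   # EKU "IP security IKE intermediate"
$now = Get-Date

$results = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Collect the EKU OIDs. A certificate with NO EKU extension is unrestricted,
    # so only a present-but-wrong EKU list counts against it.
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    $problems = @()
    if ($ekus.Count -gt 0 -and ($ekus -notcontains $IkeIntermediateOid)) {
        $problems += 'EKU present but lacks IP security IKE intermediate'
    }
    if (-not $cert.HasPrivateKey) { $problems += 'no private key (certificate only, cannot authenticate)' }
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $problems += 'outside validity period' }

    # Chain to a trusted root on THIS machine; the non-domain client must have the
    # office CA's root installed under Trusted Root Certification Authorities.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; CRL reachability is a separate issue
    if (-not $chain.Build($cert)) { $problems += 'does not chain to a trusted root' }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        Expires    = $cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# A row with Usable = True is what the IPsec client needs; an empty table means the
# enrolled certificate landed in the user store instead of the machine store.
$results | Format-Table Subject, Issuer, Expires, Usable, Problems -AutoSize
```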


Still the same msg: error 786!
Why, under Templates (Certification Authority MMC), do I see IPSEC but cannot choose it when requesting a certificate, and under advanced request I don't have the option "Submit a certificate request to this CA using a form"; instead I have this:
Create and submit a request to this CA.
Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station.

Paranormastic (Cryptographic Engineer)

Try using IPSec (Offline) instead.  Also make sure you have at least Read and Enroll permissions on that template (cert templates mmc) for the user account.

Here is a general walkthrough of the process - hopefully something in here will stick out: