Using Certificates for Windows 2000 and Cisco IOS VPN Interoperation

ID: Q249125


The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional


SUMMARY

Windows 2000 can use a computer certificate for Internet Key Exchange (IKE) authentication to establish an IP Security (IPSec) tunnel or a Layer 2 Tunneling Protocol (L2TP) over IPSec session. IPSec can use certificates from Microsoft, Verisign, Entrust, Netscape, or any other Certificate Authority (CA).


MORE INFORMATION

IKE can use a variety of certificates that meet the following criteria:

  • The certificate's signature type is RSA/MD5 or RSA/SHA1.
  • The private key is valid.
  • The validity period has not expired.
  • The certificate is obtained by using proper enrollment procedures.
  • The certificate and its private key are stored in the personal certificate store for the computer account.
  • The certificate has a trusted root certificate stored in the trusted root store for the computer account.


Each host involved in the creation of the tunnel must have a certificate that is used to authenticate each host. Each host must trust the entity that issues the certificate to the other host. This entity is typically referred to as the CA. In Windows 2000, trust in a CA is established when you have a copy of the root certificate in the trusted root CA's store.
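As an added example that is not part of this article, the following PowerShell audits every certificate in the computer account's Personal store against the IKE criteria listed above, including whether its chain ends in a root held in the computer's Trusted Root store. The function name Test-IkeCertificate and the report fields are assumptions; it runs on any Windows host with the Cert: drive.

```powershell
# Added example (not from the KB article): check the computer's Personal store
# certificates against the Windows 2000 IKE certificate criteria.
function Test-IkeCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $problems = @()

    # 1. Signature type must be RSA/MD5 or RSA/SHA1 (the rule stated in the article).
    #    md5WithRSAEncryption = 1.2.840.113549.1.1.4, sha1WithRSAEncryption = 1.2.840.113549.1.1.5
    #    Note: MD5 signatures are considered broken today; current CAs issue sha256RSA.
    $allowedSigOids = @('1.2.840.113549.1.1.4', '1.2.840.113549.1.1.5')
    if ($allowedSigOids -notcontains $Cert.SignatureAlgorithm.Value) {
        $problems += "signature algorithm $($Cert.SignatureAlgorithm.FriendlyName) is not RSA/MD5 or RSA/SHA1"
    }

    # 2. The private key must be stored with the certificate (presence check only).
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the store' }

    # 3. The validity period must include the current time.
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += "not valid at $now (valid $($Cert.NotBefore) to $($Cert.NotAfter))"
    }

    # 4. The chain must end in a root present in Cert:\LocalMachine\Root.
    #    Revocation checking is disabled so the audit works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($Cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $trustedRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    if (-not $trustedRoot) { $problems += "chain does not end in a trusted root (top of chain: $($root.Subject))" }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Report every certificate in the computer account's Personal store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-IkeCertificate -Cert $_ } | Format-Table -AutoSize
```

Run it in an elevated session so the machine store's private-key flags are readable; a certificate reporting Usable = True meets the listed criteria, although proper enrollment (criterion four) cannot be verified from the store alone.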

Cisco Internetwork Operating System (IOS) uses a Cisco proprietary protocol, Simple Certificate Enrollment Protocol (SCEP), to contact a CA to obtain a certificate and install the root certificate trust. This is the only way to obtain a certificate for a Cisco router, and only CAs that support SCEP can be used for online enrollment. The resource kit for Windows 2000 Certificate Server allows the Microsoft CA to use SCEP. This allows Windows 2000 and Cisco IOS to obtain certificates from the same CA and enables them to establish IPSec tunnels and L2TP/IPSec sessions among themselves using certificates.

The certificate and its private key are stored in the personal certificate store for the computer account in Windows 2000. The certificate has a trusted root certificate stored in the trusted root store for the computer account.

Cisco IOS does not currently support Extensible Authentication Protocol (EAP), so the advanced capability of the Windows 2000 Point-to-Point Tunneling Protocol (PPTP) and L2TP/IPSec clients to use certificate-based user authentication using a smart card is not available.

The third-party products discussed in this article are manufactured by vendors independent of Microsoft; we make no warranty, implied or otherwise, regarding these products' performance or reliability.

Additional query words: smartcard

Keywords : kbenv w2000certsrv w2000tunnel w2000ipsec
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbhowto


Last Reviewed: February 3, 2000
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.