Creating a Public Key Infrastructure (PKI) for L2TP with IPSec Support
As previously mentioned, it is wise to deploy a certificate-based approach to L2TP VPN connections to maintain the highest levels of security and control over VPN access. To deploy this type of environment, a Public Key Infrastructure (PKI) must be set up. PKI provides the mechanism by which individual digital certificates are issued to individual computers so that those computers can prove their identity.
NOTE
Remember that L2TP/IPSec requires the ISA server's public interface to be directly addressed (that is, not behind any type of Network Address Translation, or NAT) for this type of VPN connection using PKI certificates to take place. The one exception is when the systems providing the NAT capability comply with the recent RFCs for NAT traversal (RFCs 3947 and 3948). Because this is a relatively new technology, however, it may take a few years before the practice is commonly accepted.
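The NAT caveat above shows up on the wire in a way an administrator can verify: native IPSec carries ESP directly (IP protocol 50), whereas NAT traversal per RFCs 3947/3948 moves IKE and ESP onto UDP port 4500, and L2TP (UDP 1701) should only ever be seen inside the tunnel. The following Python is an added example, not code from the book or from ISA Server; it classifies per-client sessions from constructed firewall flow records (the `src=... dst=... proto=... dport=...` record format and the sample addresses are assumptions made for the example) and checks whether an address falls in a range that is normally NAT-ed.

```python
"""Classify L2TP/IPSec client sessions from constructed firewall flow records.

Added example (not from the book): distinguishes native IPSec (ESP, IP
protocol 50) from NAT-T encapsulated IPSec (UDP 4500, RFCs 3947/3948) and
flags L2TP (UDP 1701) that appears in the clear, i.e. without IPSec at all.
"""
import ipaddress
from collections import defaultdict

IKE_PORT = 500       # ISAKMP/IKE phase 1 starts here
NAT_T_PORT = 4500    # IKE floats here and ESP is UDP-encapsulated when NAT-T is negotiated
L2TP_PORT = 1701     # must only be visible inside the ESP tunnel

# Ranges an interface "behind NAT" typically carries: RFC 1918 plus the
# RFC 6598 shared address space (constructed list for this example).
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def behind_nat(addr: str) -> bool:
    """True when the address is one that cannot be the ISA server's
    directly addressed public interface without NAT in the path."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NAT_RANGES)


def parse_flow(line: str) -> dict:
    """Parse one 'src=... dst=... proto=... dport=...' record (assumed format).
    A dport of '-' means the protocol has no port (e.g. ESP)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    dport = fields.get("dport", "-")
    return {
        "src": fields["src"],
        "dst": fields["dst"],
        "proto": fields["proto"].lower(),
        "dport": None if dport == "-" else int(dport),
    }


def classify_clients(lines) -> dict:
    """Map each client source address to how its VPN session reached the server."""
    seen = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        seen[f["src"]].add((f["proto"], f["dport"]))

    result = {}
    for client, keys in seen.items():
        if ("esp", None) in keys:
            result[client] = "ipsec-native"       # no NAT between client and server
        elif ("udp", NAT_T_PORT) in keys:
            result[client] = "ipsec-nat-t"        # NAT detected, RFC 3947/3948 in use
        elif ("udp", L2TP_PORT) in keys:
            result[client] = "l2tp-cleartext"     # finding: tunnel without IPSec
        elif ("udp", IKE_PORT) in keys:
            result[client] = "ike-only"           # negotiation never completed
        else:
            result[client] = "unrelated"
    return result


# Constructed sample records: 198.51.100.5 plays the ISA server's public interface.
SAMPLE_FLOWS = [
    "src=203.0.113.10 dst=198.51.100.5 proto=udp dport=500",
    "src=203.0.113.10 dst=198.51.100.5 proto=esp dport=-",
    "src=198.51.100.77 dst=198.51.100.5 proto=udp dport=500",
    "src=198.51.100.77 dst=198.51.100.5 proto=udp dport=4500",
    "src=192.0.2.200 dst=198.51.100.5 proto=udp dport=1701",
    "src=192.0.2.33 dst=198.51.100.5 proto=udp dport=500",
]

if __name__ == "__main__":
    for client, kind in classify_clients(SAMPLE_FLOWS).items():
        print(f"{client:16} {kind}")
    print("server public interface behind NAT:", behind_nat("198.51.100.5"))
```

A client reported as `ike-only` is the usual symptom of the note's condition failing: IKE reaches the server but the certificate-authenticated IPSec SA is never established because NAT is in the path and neither side negotiated NAT-T. A `l2tp-cleartext` result should be treated as a misconfiguration to correct, since the L2TP tunnel then carries authentication and data with no IPSec protection.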
PKI environments can be set up in a number of ways, with Microsoft and third-party products providing robust implementations. The Microsoft implementation of PKI is installed on Windows servers and involves the deployment of a Windows certificate authority.
250 CHAPTER 9 Enabling Client Remote Access with ISA Server 2006 VPNs