L2TP Certificates in Windows Server 2003

Introduction to L2TP Certificates

L2TP (Layer two Transport Protocol) is the preferred method to secure data over a VPN.  The other alternative, PPTP (Point to Point Tunnelling Protocol) is less secure and slower.  For instance, only L2TP will allow IPSec data encryption.

Topics for L2TP Certificates


L2TP Mission

To make a L2TP VPN connection between a client and server. This turned out to be one of my most difficult configuration tasks in the whole of Windows 2003, it took two of us three days to get it to work.  (We did have other jobs during the three days.)

Getting to first base

The goal here is to get a default VPN working over the LAN.

At the Server

The first stage was easy, configuring RAS on the Windows Server 2003.  right-click the server object, and select the third radio button Virtual Private Network (VPN) and NAT.  Then selected the Network connection, configuring a DHCP scope.

Trap One

The default Remote Access Policy Denies anyone logging in.  Easy change the radio button to = Grant remote access.

Trap Two

Check the test user who will dial-in.  Properties, Dial-in (tab) set to: Allow access or Control access through group policy.  If necessary Raise Domain Level to Windows 2000 native. or Windows Server 2003 native.

At the client

Network connections New Connection

Trap Three

Select ‘Do not dial an initial connection’ – Remember this is a LAN experiment

You should now have succeeded in connecting using a VPN over your LAN, the proof will be a new computer icon low in the navigation area (Systray).

Home run – Connect your VPN using L2TPLDAP Certificates in Windows Server 2003

The problem is – You get error messages when you select L2TP

From the client you select the VPN, Properties, Networking, Type of VPN and change Automatic to L2TP.  You get error 789, 769 or 800.

The solution is – Install a certificate

Note we were using Windows Active Directory CA, if you are using a Stand Alone certificate server the procedure is slightly different.

Trap Four

Do use a client on a different machine.  Whilst you can normally test RAS clients on the server, it does not work for L2TP


  1. From the client request a certificate from the server http://serverIP/certsrv (not certSVR).
  2. Select Advanced Request, Submit a certificate request to this CA using a form
  3. Select Administrator (User is the default).  Leave all the other settings as default.
  4. Scroll down and press – Submit
  5. Install this certificate screen should appear.

Now try to connect using a L2TP VPN. At the client Network Connections, select the VPN, Properties, Networking, Type of VPN and change Automatic to L2TP.

Guy Recommends 3 Free Active Directory ToolsDownload Solarwinds Active Directory Administration Tool

SolarWinds have produced three Active Directory add-ons.  These free utilities have been approved by Microsoft, and will help to manage your domain by:

  1. Seeking and zapping unwanted user accounts.
  2. Finding inactive computers.
  3. Bulk-importing new users.  Give this AD utility a try, it’s free!

Download your FREE Active Directory administration tools.

If you like this page then please share it with your friends


Related topics

Accounts   • Auditing  • IPSec  • Kerberos Tickets  • Windows RIS Server

LT2P and Certificates   • Security Snap-in  • Remote Shutdown