ISA Server 2006 as an L2TP/IPsec VPN server and Mac OS X 10.4.x as L2TP/IPsec VPN clients - Part 2: IKE Authentication with Pre-shared Keys

In the first part, we discussed using certificates for IKE authentication.
Let's talk now about using pre-shared keys.
Pre-shared keys are a weak authentication method, but they can be useful for testing.
As we have seen, using certificates for IKE authentication can cause some problems.
Having some NAT devices along the path or connecting while we are behind a restrictive firewall can introduce certain issues too.
Pre-shared keys allow us to take a step-by-step approach in configuring our L2TP/IPsec VPN connections.
For example, we can configure ISA and the Mac L2TP/IPsec VPN clients to use a pre-shared key for IKE authentication, then make a first test while there is no other device (especially a NAT device, which might break our connection) between the Macs and ISA. If this test is successful, we know that the second level of authentication (user authentication) is working too. After that, we can make a test while the Mac is behind a NAT device (to see whether NAT-T is working and that the NAT device is not breaking the NAT-T process).
If this test is successful, we can proceed and configure ISA and the Mac L2TP/IPsec VPN clients to use certificates for IKE authentication, then make a first test while there is no other device (especially a NAT device) between the Macs and ISA. And so on.

It was a simple process to configure Mac OS X 10.4.8 or Mac OS X 10.4.10 to use pre-shared keys with L2TP/IPsec.
I did not encounter any problems.
