You can use a preshared key instead of a digital certificate for Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPsec) authentication of your virtual private network (VPN) clients. Preshared keys do not require a public key infrastructure (PKI) for deployment, but they are a weak authentication method. You can increase the security of your preshared key deployment by encrypting the preshared key with a personal identification number (PIN), which your users must enter before the connection profile can be installed.

Security Note

We recommend that you do not use preshared keys because they are not considered secure.


The Configure a Preshared Key page appears in the wizard only if you specified to use one in a VPN entry on the Create or Modify a VPN Entry page. To use a preshared key, edit the entry on that wizard page, and on the Security tab, click Advanced. On the L2TP tab, select Use a preshared key.

Setting Description

Type preshared key

Specifies the encryption key that both the server and client use to begin their L2TP/IPsec session. The string must be at least 8 characters, and no longer than 256 characters. You must get the key from the administrator of the VPN server. We recommend that you use a very long key, and that you encrypt it by using the PIN option below.

Encrypt the preshared key using a PIN

Specifies that the preshared key is itself encrypted in the connection profile, and that the connection profile can only be installed by entering the supplied PIN. The PIN can be alphanumeric characters, must be at least 4 characters, and no longer than 15 characters. Type the same characters in both text boxes.

After you place a key in the connection profile and navigate to a different page, the key will no longer be displayed. To change the key used in a profile, click Replace Key, and then enter the new key in the Type preshared key text box.

For more information about using preshared keys, see Including a Preshared Key ( the Microsoft Web site.

Additional references