Windows Server 2003 IPSec with certificate authentication
Hello everyone! I have a need to have extra security with IPSec between two computers running Windows Server 2003 or XP or Vista or Seven. (I have WS2003 and XP.) I want to use certificate-based authentication for IPSec and have my certificates (with private part) stored on a smart card or token. It's working fine when certificates are stored in Windows, but when I put one of the certificates into a token (SafeNet iKey 1000) it no longer works. Certificates were enrolled without choosing "Enable strong private key protection" and with the option "Store certificate in the local computer certificate store". The iKey token utility always requests a password for the certificate store (when applying a certificate stored on the iKey), and the password must be a minimum of 4 characters. Does anyone have such a solution working (maybe with different hardware)? Or what may be the source of the problem?
April 30th, 2010 1:46pm

In IPsec only computers are authenticated. So you must place certificates with corresponding private keys in the computer store. You cannot store computer certificates on smart cards. If this is something like an HSM, you will probably need to contact the crypto device support.

http://www.sysadmins.lv
April 30th, 2010 4:30pm
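A practical way to check the point made in this reply is to look at what the IKE service can actually reach: a certificate must sit in the Local Computer personal store, carry a private key that the system account can open without an interactive prompt, and chain to the root the IPsec policy trusts. The PowerShell script below is an added diagnostic, not code from the thread or from any Microsoft tool; it assumes PowerShell 2.0 or later with the `Cert:` provider, a CSP-backed RSA key (CNG keys land in the catch branch), and a placeholder root thumbprint you replace with your own CA's. A key reported as hardware-backed but not accessible is the kind of setup the original poster describes, since IKE negotiates as a service with no desktop on which to answer a token's password dialog.

```powershell
# Added diagnostic (not part of the thread): report which Local Computer
# certificates IKE could use for machine authentication.
function Get-IpsecMachineCertReport {
    param(
        # Thumbprint of the CA trusted by the IPsec policy: constructed placeholder, replace it.
        [string]$TrustedRootThumbprint = 'REPLACE_WITH_ROOT_CA_THUMBPRINT'
    )

    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_

        # Build the chain offline; IKE performs its own CRL handling at negotiation time.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)
        $rootThumb = $null
        if ($chain.ChainElements.Count -gt 0) {
            $rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
        }

        # Key-container details are only exposed for CSP-backed RSA keys.
        # A CNG key, or a key this process cannot open, ends up in the catch branch.
        $provider = $null; $hardware = $null; $keyAccessible = $false
        if ($cert.HasPrivateKey) {
            try {
                $info          = $cert.PrivateKey.CspKeyContainerInfo
                $provider      = $info.ProviderName
                $hardware      = $info.HardwareDevice
                $keyAccessible = $info.Accessible
            } catch {
                $provider = "(private key not readable by this process: $($_.Exception.Message))"
            }
        }

        New-Object PSObject -Property @{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            Expired            = ($cert.NotAfter -lt $now)
            HasPrivateKey      = $cert.HasPrivateKey
            KeyAccessible      = $keyAccessible
            Provider           = $provider
            HardwareKey        = $hardware
            ChainBuilds        = $chainOk
            ChainsToPolicyRoot = ($rootThumb -eq $TrustedRootThumbprint)
        }
    }
}

# Usage: run from an elevated prompt on each IPsec peer.
Get-IpsecMachineCertReport | Format-List
```

Run it on both peers and compare: a usable certificate shows HasPrivateKey, KeyAccessible, ChainBuilds and ChainsToPolicyRoot all true and Expired false. Anything else points at the store, the key container or the trust root rather than at the IPsec policy itself.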

Thank you for your answer, Vadims. Can I then use a smart card with a user certificate in an L2TP/IPSec VPN scenario?
May 5th, 2010 8:19pm

In L2TP/IPsec VPN scenarios you must have at least computer certificates. They are used to authenticate peers and establish a secure tunnel. Since VPN introduces user authentication (that is actually on a higher level than the IPsec tunnel), you may configure the VPN server to require smart cards for user authentication. In that case you need to configure the authentication protocol to EAP-TLS as follows: http://technet.microsoft.com/en-us/library/cc784383(WS.10).aspx Note that user certificates do not replace computer certificates, so you must have 2 sets of certificates: computer certificates to establish the L2TP tunnel and user certificates to authenticate the user.

http://www.sysadmins.lv
May 5th, 2010 8:30pm
