Vyatta documentation

Learn how to install, configure, and operate the Vyatta Network Operating System (Vyatta NOS) and Orchestrator, which help drive our virtual networking and physical platforms portfolio.

X.509 certificates (L2TP/IPsec)

Using X.509 certificates with L2TP/IPsec avoids the issue with the PSK solution described in the preceding section. However, certificates present their own challenges, including the following:
  • X.509 certificates must be generated using a Public Key Infrastructure (PKI) with a particular certificate authority (CA). This PKI can be either a commercial PKI (for example, VeriSign) or an in-house PKI established using either a commercial product (for example, a PKI appliance) or open-source software (for example, OpenSSL). Setting up an in-house PKI involves complex security issues.
  • After the certificates are obtained, there remains the problem of securely distributing the user certificate to each of the remote VPN users. This distribution may involve, for example, physically taking a USB flash drive to the machine of each user and manually transferring the certificate.
  • When using X.509 certificates with L2TP/IPsec, the configuration for the Windows VPN client becomes much more complicated than configuration using a pre-shared key. For this reason and the certificate-distribution problem, IT personnel may need to preconfigure user machines for remote access.
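
The in-house OpenSSL option from the first item and the distribution step from the second, sketched as an added example that is not part of the Vyatta documentation. The CA name, the gateway name `vpn-gw.example.net`, the user `alice`, and the function names are hypothetical, and certificate extensions that particular VPN clients may require are omitted.

```shell
#!/bin/sh
# Added example: minimal in-house PKI built with OpenSSL.
# ExampleVPN-CA, vpn-gw.example.net and alice are hypothetical names.

# build_pki DIR P12_PASSWORD
# Creates a root CA, a gateway certificate, a user certificate, and a
# password-protected PKCS#12 bundle for the user inside DIR.
build_pki() {
    dir=$1; p12_pass=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077    # private keys are created readable by the owner only

        # 1. Self-signed root CA. Its key signs every certificate below.
        #    -nodes leaves the key unencrypted only so the example runs
        #    unattended; a real CA key should be passphrase-protected
        #    and kept offline.
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -subj "/CN=ExampleVPN-CA" -keyout ca.key -out ca.crt \
            2>/dev/null || exit 1

        # 2. Key, CSR and CA-signed certificate for the gateway and one user.
        for name in vpn-gw.example.net alice; do
            openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
                -keyout "$name.key" -out "$name.csr" 2>/dev/null || exit 1
            openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key \
                -CAcreateserial -sha256 -days 365 -out "$name.crt" \
                2>/dev/null || exit 1
        done

        # 3. Bundle the user's key, certificate and the CA certificate into
        #    one encrypted file for transfer. The password is passed through
        #    the environment so it does not appear in the process list.
        P12_PASS=$p12_pass openssl pkcs12 -export -inkey alice.key \
            -in alice.crt -certfile ca.crt -name alice \
            -passout env:P12_PASS -out alice.p12 || exit 1
    )
}

# verify_issued DIR NAME
# Succeeds only if DIR/NAME.crt chains to DIR/ca.crt.
verify_issued() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Usage: build_pki /path/to/pki "$BUNDLE_PASSWORD" && verify_issued /path/to/pki alice
```

Only `alice.p12` needs to reach the user's machine; its password should travel by a separate channel, and `ca.key` should never leave the CA host.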