4. X.509 certificate

To get an IPSec link going to the NAP of choice, you'll need to generate an X.509 certificate, as that is the preferred way of exchanging public keys. This is easier because, with some luck, the key exchange is an automatic process, provided the IPSec peers know each other's DNs.

Generating a private key and the corresponding X.509 certificate request (i.e. the public key, which still needs to be signed) is done with openssl using the following command:

openssl req -newkey rsa:2048 -keyout myKey.pem -out myReq.pem

After you have entered some details, which are later encoded into the certificate as the asn1dn, you will be asked for a passphrase to protect the generated private key file, myKey.pem. The “myReq.pem” file is the certificate request (read: public key), which needs signing by a Certificate Authority, preferably the one designated for VLAN. Send the request to the appropriate CA administrator for signing, and they will return the signed X.509 certificate to you as soon as possible. You can also sign the certificate yourself when you have your own CA. Setting up your own CA and signing requests is beyond the scope of this document. For more information on this subject, see the References section.

The CA will return several files:

  1. Your signed X.509 certificate

  2. The root CA X.509 certificate

  3. The Certificate Revocation List, or CRL

These files only need to be copied to the proper location so your IPSec implementation can find them. Depending on the format in which your CA provided the files, you might need to convert between DER and PEM. See the openssl manual for more information (`man x509`). Note: the .cer file Windows will accept is a DER-formatted certificate.
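
The key and request generation above, together with the DER/PEM conversion just mentioned, as an added shell example that is not part of this HOWTO. It runs openssl non-interactively; the subject DN, the passphrase and the output directory are constructed for the example, and the DN printed by make_request is the asn1dn the IPSec peer has to know.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO. Runs the key/CSR generation
# from the text non-interactively and exercises the DER/PEM conversion.
# Subject DN, passphrase and file names below are constructed for the example.
set -eu

# Generate myKey.pem (passphrase-protected) and myReq.pem in $1 with subject DN $2.
# Prints the DN as openssl parses it: this is the asn1dn the peer has to know.
make_request() {
    dir=$1; subj=$2
    # -subj and -passout replace the interactive prompts of the original command.
    openssl req -new -newkey rsa:2048 -keyout "$dir/myKey.pem" -out "$dir/myReq.pem" \
        -subj "$subj" -passout pass:example-passphrase >/dev/null 2>&1
    # Check the request's self-signature, then show the embedded subject.
    openssl req -in "$dir/myReq.pem" -noout -verify >/dev/null 2>&1
    openssl req -in "$dir/myReq.pem" -noout -subject
}

# Convert the PEM request to DER and back; succeeds only if the public key
# modulus survives the round trip unchanged. For a signed certificate the
# same conversion is 'openssl x509 -in cert.pem -outform DER -out cert.cer',
# which yields the DER .cer file Windows accepts.
pem_der_roundtrip() {
    dir=$1
    openssl req -in "$dir/myReq.pem" -outform DER -out "$dir/myReq.der"
    openssl req -in "$dir/myReq.der" -inform DER -outform PEM -out "$dir/myReq2.pem"
    a=$(openssl req -in "$dir/myReq.pem" -noout -modulus)
    b=$(openssl req -in "$dir/myReq2.pem" -noout -modulus)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Tell DER from PEM: PEM is base64 text between -----BEGIN/-----END lines,
# DER is raw binary ASN.1. Echoes PEM or DER.
file_format() {
    if grep -q -- '^-----BEGIN' "$1"; then echo PEM; else echo DER; fi
}

# Stand-alone usage: writes the files into a fresh temporary directory.
work=$(mktemp -d)
make_request "$work" "/C=NL/O=Example Org/CN=ipsec-gw.example.net"
pem_der_roundtrip "$work"
echo "PEM/DER round trip OK; myReq.der is $(file_format "$work/myReq.der")"
```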

[ToDo] Figure out how to generate a request in a Windows host.