We are building out a version of our software that uses Windows L2TP
VPN to (hopefully) establish a 168-bit 3DES VPN connection between a
client and a server.
What I need to know is this:
When setting up a client for the first time is it REQUIRED that you
either 1. perform a standard certificate request and then install that
certificate or 2. use a pre-shared key?
Let me rephrase just for clarification. I do not want to have to mess
with setting up certificate services, nor do I want to pre-share a
key. I have read quite a bit on Microsoft's web site about L2TP and
in some places it seems clear that you MUST use certificates or
pre-shared keys and in other places it seems equally clear that you
can use IKE to automatically generate session keys without having to
preinstall anything.
I think I am missing a basic fundamental here. Based on the answer to
this question, I will then write a more valuable question (like a
how-to).
So, I think, the basic question is simply: Can Windows L2TP negotiate
an IPSec/3DES VPN connection WITHOUT the necessity of manually
installing a certificate or distributing a pre-shared key of some
sort?
Please provide a little bit (this is the cheap question) of background
backing up your answer (preferably not from Microsoft's site, as
I have combed over it pretty thoroughly already), and be ready for my
NEXT question!
Thanks a bunch guys & gals, this is a great service!