A Microsoft Internet Security and Acceleration (ISA) Server 2000 VPN operating over the Internet requires X.509 server certificates for authentication. You need a certificate for each ISA Server and client. To establish a VPN, participants must trust the root Certificate Authority (CA) or CAs that issue the certificates.
If all endpoints are members of the same domain, consider installing Microsoft Certificate Services and using autoenrollment to ease certificate distribution. Installing Certificate Services and generating usable enterprise certificates can be challenging; read the Microsoft article "Step-by-Step Guide to Setting up a Certification Authority" for details. If participants are in different domains, you'll need to acquire third-party certificates from a trusted root authority, such as VeriSign. You won't need to set up Certificate Services or generate certificates, which makes life easier on the front end, but you'll face more labor during certificate distribution, when each machine requests and installs a certificate.
Certificates need to be bound to machines rather than users because you're authenticating the computers in the VPN. You use the Microsoft Management Console (MMC) Certificates snap-in to manage certificates. For more information about certificates, see the Microsoft articles "HOW TO: How to Install/Uninstall a Public Key Certificate Authority for Windows 2000" and "HOW TO: Install a Certificate for Use with IP Security" or read Tom Shinder’s "Configuring Gateway to Gateway L2TP/IPSec VPNs" series, which you can access at http://www.isaserver.org/thomas_shinder.