Hello,

When I researched VPN solutions for my company, IPsec was not an
option. Then IKEv2 was an option, but it did not yet meet our requirements.

We chose from several SSL VPNs which also support ESP or UDP
transport. The key requirement IKEv2 doesn't meet is MFA functionality
and flexibility. Also, split DNS functionality is missing.

The MFA we finally implemented works like this:

1. Users first authenticate themselves with username & password.
2. Depending on the user's security group, another OTP authentication
step is needed or not. For users that need OTP, OTP authentication is
prompted, or skipped if the (device, user) tuple was authenticated
recently (i.e. within 24 hours).

* We could not get a unique device id, so IP address and username are
used as the tuple. However, we would prefer a permanent device id
generated by the VPN client, the device's manufacturer-assigned id (or a
derived hash if privacy is a concern), or a time-limited HTTP-cookie-like
id generated and returned by the authenticator.

Our flexible 2FA authentication is implemented using RADIUS challenge.
The principles are:

1. Username & password authentication is used to integrate with
central user management. For ease of use, the VPN client should be
capable of storing the password securely on the device.
2. The authenticator controls the remaining authentication steps, and
decides which step should be done or skipped.

Current IKEv2 doesn't provide an EAP authentication method to support
such a flexible MFA use case. And in the new charter, there is no goal
of the kind.

IMHO, flexible MFA is most important for large-scale enterprise
deployment. Please add it as a goal.

Regards,
Wang Jian

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
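The RADIUS-challenge flow described in the message above (password first, then an OTP step that the authenticator prompts or skips per group and per recently seen (device, user) tuple), as an added example that is not part of the original post or of any vendor's product. RADIUS packets are modelled as plain dicts of attribute names rather than RFC 2865 wire encoding; the user directory, group policy, TOTP seeds and the Calling-Station-Id values standing in for a device id are all constructed sample data. The OTP is RFC 6238 TOTP (HMAC-SHA1), which is an assumption, since the post does not say which OTP scheme was used.

```python
"""Added example: a minimal RADIUS-challenge style MFA policy engine.

Illustrative code written for this page, not the poster's implementation.
Packets are dicts of RADIUS attribute names; no wire encoding is done.
All users, groups, secrets and client IPs below are constructed sample data.
"""
import hashlib
import hmac
import secrets
import struct
import time

OTP_VALIDITY = 24 * 3600   # skip the OTP prompt if (device, user) passed within 24h
STATE_TTL = 120            # seconds a pending Access-Challenge stays answerable


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed directory: salted password hash, security group, TOTP seed.
# alice's seed is the RFC 4226/6238 test secret so the TOTP routine can be checked.
USERS = {
    "alice": {"salt": b"salt-a", "hash": _pbkdf2("correct horse", b"salt-a"),
              "group": "finance", "totp": b"12345678901234567890"},
    "bob":   {"salt": b"salt-b", "hash": _pbkdf2("hunter2", b"salt-b"),
              "group": "guest", "totp": None},
}
OTP_REQUIRED_GROUPS = {"finance", "admins"}   # groups whose users must present an OTP


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class Authenticator:
    """Per Access-Request, returns Access-Accept, Access-Reject or Access-Challenge."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry logic can be tested deterministically
        self.recent = {}        # (device_id, user) -> time of last successful OTP
        self.pending = {}       # State token -> (user, device_id, issued_at)

    def _verify_password(self, user: str, password: str) -> bool:
        rec = USERS.get(user)
        if rec is None:
            return False
        return hmac.compare_digest(_pbkdf2(password, rec["salt"]), rec["hash"])

    def handle(self, req: dict) -> dict:
        user = req.get("User-Name", "")
        device_id = req.get("Calling-Station-Id", "")   # client IP as a stand-in device id
        now = self.clock()

        # Second round trip: the client answers our challenge, echoing State.
        if "State" in req:
            entry = self.pending.pop(req["State"], None)   # one-shot: replay is rejected
            if (entry is None or entry[0] != user or entry[1] != device_id
                    or now - entry[2] > STATE_TTL):
                return {"code": "Access-Reject", "Reply-Message": "stale or unknown State"}
            expected = totp(USERS[user]["totp"], now).encode()
            if hmac.compare_digest(req.get("User-Password", "").encode(), expected):
                self.recent[(device_id, user)] = now
                return {"code": "Access-Accept"}
            return {"code": "Access-Reject", "Reply-Message": "bad OTP"}

        # First round trip: username + password against the central directory.
        if not self._verify_password(user, req.get("User-Password", "")):
            return {"code": "Access-Reject", "Reply-Message": "bad credentials"}

        # Policy: the user's group decides whether a second factor is needed at all.
        if USERS[user]["group"] not in OTP_REQUIRED_GROUPS:
            return {"code": "Access-Accept"}

        # Skip the prompt if this (device, user) tuple completed OTP recently.
        last = self.recent.get((device_id, user))
        if last is not None and now - last < OTP_VALIDITY:
            return {"code": "Access-Accept"}

        # Otherwise issue Access-Challenge; the State attribute binds the reply to us.
        state = secrets.token_hex(16)
        self.pending[state] = (user, device_id, now)
        return {"code": "Access-Challenge", "State": state, "Reply-Message": "Enter OTP"}


if __name__ == "__main__":
    auth = Authenticator()
    first = auth.handle({"User-Name": "alice", "User-Password": "correct horse",
                         "Calling-Station-Id": "10.0.0.7"})
    print(first["code"])
    second = auth.handle({"User-Name": "alice", "Calling-Station-Id": "10.0.0.7",
                          "State": first.get("State", ""),
                          "User-Password": totp(USERS["alice"]["totp"], time.time())})
    print(second["code"])
```

Two points the post raises are visible in the code: keying the cache on the client IP means a different address forces a fresh OTP prompt even for the same physical device, which is why the poster wanted a client-generated or cookie-like device id, and the State token is consumed on first use so a captured challenge response cannot be replayed.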