IKEv2 VPN for Mobile Clients using Mutual Certificate + XAuth
-
The documentation describes the use of Mutual Certificate + XAuth as an authentication setup for IKEv1. Seen here: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configure.html
The section states:
"Mutual Certificate+Xauth
Used with mobile IPsec and IKEv1, this selection enables xauth username and password verification along with certificate authentication using certificates on both the client and server."
I would like to know if anyone has used this auth scheme with IKEv2?
The background of this question is, I am using another firewall product now and we are looking to switch entirely to pfSense. We have a regulatory compliance requirement to have two factors of authentication for anything that grants access to sensitive information. Mobile VPN connections qualify. My current firewall product allows us to utilize client certificates + Active Directory username / password authentication as our two factors. I need that, or something equivalent, in order for pfSense to be a possibility for us to switch entirely.
I am willing to look at different authentication factors as well, if necessary. Our software clients are currently just Windows 10 built-in clients. I have a small number of iOS users that I would like to have VPN connections for, but this is more of a nice-to-have than a requirement. If we need to install software clients aside from the Windows 10 built-in client, that's ok. I would be willing to entertain the idea of deploying OpenVPN clients if that's a better solution than the built-in IKEv2 setup to achieve two factors of authentication.