IKEv2 + Client Certs + Radius possible?



  • Hi all,

    Our current client VPN setup is OpenVPN through pfSense, with auth done through Radius (backed by Active Directory), and also with client cert matching turned on so the server makes sure the client has a valid cert with a CN that matches their username. This provides me with a nice level of comfort that someone has to have the client cert as well as the client username and password to try to get onto the system.

    For various reasons, we're looking at IKEv2 as an alternative to OpenVPN. I've searched, but haven't been able to find out if a similar configuration is possible with IKEv2 on pfSense as I have with OpenVPN. That is, I would like to use my radius servers for username/password as well as require a client cert with a matching cn. If that isn't possible, is using radius with certs only a possibility? I'd like to stick with radius, as even though we don't have much employee turnover, it's nice to have a central auth mechanism.

    Thanks much!
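The cert-CN-must-equal-username rule described in the post above, shown as a standalone OpenVPN `auth-user-pass-verify` hook. This is an added example, not pfSense's own implementation of its option; it assumes the script is registered with `auth-user-pass-verify <script> via-env`, so OpenVPN exports the certificate CN as `common_name`, the typed login as `username`, and `script_type` as `auth-user-pass-verify`.

```shell
#!/bin/sh
# Added example (not pfSense code): second-factor style check that the
# client certificate's CN equals the RADIUS/AD username. OpenVPN runs this
# hook after the TLS handshake; a non-zero exit rejects the session even
# if the password was accepted upstream.

# Return 0 only for an exact, non-empty match. AD logins are
# case-insensitive, so a deployment may choose to lowercase both sides;
# this example deliberately keeps the strict comparison.
cn_matches_username() {
    cn="$1"
    user="$2"
    [ -n "$cn" ] && [ -n "$user" ] && [ "$cn" = "$user" ]
}

# Only act when invoked by OpenVPN as the auth-user-pass-verify hook
# (the variables below are assumed to be exported by OpenVPN via-env mode).
if [ "${script_type:-}" = "auth-user-pass-verify" ]; then
    if cn_matches_username "${common_name:-}" "${username:-}"; then
        exit 0
    fi
    # Logged to the OpenVPN log; mismatches are worth alerting on, since a
    # valid password with the wrong cert points at credential reuse.
    echo "auth denied: cert CN '${common_name:-}' != user '${username:-}'" >&2
    exit 1
fi
```
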


  • Rebel Alliance Developer Netgate

    At the moment I don't believe that is possible. Last I saw, the code for IKEv2 with EAP in strongSwan only worked with users entered directly into the Pre-Shared Keys tab on IPsec.

    It's something we'd like to see working eventually though.

