Hi Markus,
But: I have the demand to use 2FA (especially OTP) to increase the security of the VPN access. And that's my very You quickly run into technology limitations. i.e. "I want to do X, but the underling protocols don't support it". you are using Windows' native IPsec client? This will indeed want to talk MS-CHAPv2 with no 2FA hook I know of.
If you can use some other VPN client (and perhaps server), there's a way to add e.g. PricayIdea "transparently" to the VPN. The 2FA has a fixed length (or one of several, PI can return the value). A colleague wrote a python addon to enhance OpenLDAP to be able to split a long password consisting of the normal password+2FA. So the VPN client provides the concatenated PW, the addon forwards it to PI. Back comes the cutoff length along with PI's verdict on the 2FA. The addon then tests the stripped password against LDAP. The VPN is Cisco (ASA+Anyconnect/openconnect) in our case. Neither Anyconnect nor the ASA need to have any idea about the nature of the password the are transferring. Of course, this works for every service that forwards a password to RADIUS or LDAP (except they want to transfer the password twice ...). Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg