IKEv2 VPN clients and 2FA

Markus Winkler ml at irmawi.de
Wed Nov 16 15:20:34 UTC 2022

Hi Brian,

On 14.11.22 15:43, Brian Julin wrote:
> Instead, launch the 2FA query during RADIUS authentication, and bring up the IPSec tunnel but filter
> all packets with iptables.  Then when the 2FA is approved, alter the iptables rules to allow access.

nice idea, thank you. :-)

But I think in the end

> Throwing 2FA with its own set of timeouts and protocol failure points into the fray of establishing
> an IPSec-RA connection is IMO just asking for a claptrap of hard-to-diagnose problems.

you're right: too many possible problems. I really need a robust solution. 
Let's see.


More information about the Freeradius-Users mailing list