What protocol does IKEv2 VPN use?
I have IKEv2 VPN working fine with Windows 10 IKEv2 client when using only RADIUS and no Duo. My NPS server is set to use only MSCHAPv2 and not EAP-MSCHAPv2, so I don’t think that lack of EAP-MSCHAPv2 support is the issue, i.e., IKEv2 VPN connects without it in my NPS server settings.
When I throw Duo into the mix and try to log into the IKEv2 VPN, I get the prompt on my phone and allow it, and the VPN rapidly says “Cannot connect to…” my IKEv2 VPN name. In FSM traffic monitor (with Authentication set to Debug level), I get:
2020-03-08 21:15:11 admd msg=Authentication of MUVPN user [[email protected]] from 172.112.x.y was accepted msg_id=“1100-0004” Event
2020-03-08 21:15:11 iked msg=ike2_StoreMSCHAPv2Result: Received authentication result does not have the expected content Debug
What does “Received authentication result does not have the expected content” mean? I have no idea and Google searches come up with nothing helpful.
Can Duo work with an IKEv2 VPN that works fine using only MSCHAPv2 for a plain-RADIUS connection?
I asked Duo support about using Duo with WatchGuard IKEv2 and they say WG uses EAP-MSCHAPv2, and Duo is not compatible with EAP-MSCHAPv2. Duo IS compatible with MSCHAPv2. They asked, “Is it certain that the WatchGuard IKEv2 VPN isn’t using EAP-MSCHAPv2?” I don’t think it is certain, because the log line says “iked msg=ike2_StoreMSCHAPv2Result”, which to me indicates it is indeed using plain MSCHAPv2.
The WatchGuard firewall sees the authentication successfully, but it appears to be missing some mystery content when it is sent back to the firewall. I don’t know what the “expected content” is supposed to be.
I am at a loss to figure it out.
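As an added example (not part of the original post, and not WatchGuard or Duo code), here is a small Python script that parses a RADIUS reply the way a NAS doing plain MS-CHAPv2 would and reports which success indicator it carries. With plain MS-CHAPv2 over RADIUS (RFC 2548), the Access-Accept must carry the Microsoft vendor-specific attribute MS-CHAP2-Success (vendor ID 311, vendor type 26), whose "S=..." authenticator response the firewall relays to the Windows client so the client can finish mutual authentication; with EAP-MSCHAPv2 the same result travels inside EAP-Message attributes instead. That this VSA is the "expected content" iked is looking for is an assumption for the purpose of the example, not something confirmed by the post. The three sample packets are constructed inline; capture the real reply between the Duo proxy and the firewall and feed its bytes to check_mschapv2_accept to see which case you are in.

```python
"""Inspect a RADIUS Access-Accept for what an MS-CHAPv2 client needs.

Constructed example, not code from the original post. Parses RADIUS
attribute TLVs, expands Microsoft vendor-specific attributes (RFC 2548)
and reports whether MS-CHAP2-Success (plain MS-CHAPv2) or EAP-Message
(EAP-MSCHAPv2) is present. Assumption: MS-CHAP2-Success is what a plain
MS-CHAPv2 NAS expects to relay back to the client.
"""
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
ATTR_EAP_MESSAGE = 79
VENDOR_MICROSOFT = 311
MS_CHAP_ERROR = 2          # Microsoft vendor type for MS-CHAP-Error
MS_CHAP2_SUCCESS = 26      # Microsoft vendor type for MS-CHAP2-Success
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


def parse_attributes(packet: bytes) -> list:
    """Return (type, vendor_id, vendor_type, value) tuples; non-VSAs carry None vendor fields."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    out, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vpos = 4  # walk the vendor sub-attributes (same TLV layout for vendor 311)
            while vpos + 2 <= len(value):
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("bad vendor attribute length")
                out.append((atype, vendor_id, vtype, value[vpos + 2:vpos + vlen]))
                vpos += vlen
        else:
            out.append((atype, None, None, value))
        pos += alen
    return out


def check_mschapv2_accept(packet: bytes) -> dict:
    """Report what a plain MS-CHAPv2 NAS would find in this RADIUS reply."""
    code = packet[0]
    attrs = parse_attributes(packet)
    has_success = any(v == VENDOR_MICROSOFT and t == MS_CHAP2_SUCCESS for _a, v, t, _val in attrs)
    has_error = any(v == VENDOR_MICROSOFT and t == MS_CHAP_ERROR for _a, v, t, _val in attrs)
    has_eap = any(a == ATTR_EAP_MESSAGE for a, _v, _t, _val in attrs)
    if code != ACCESS_ACCEPT:
        diagnosis = "not an Access-Accept"
    elif has_success:
        diagnosis = "ok: MS-CHAP2-Success present, client can verify the authenticator response"
    elif has_eap:
        diagnosis = "EAP-Message present but no MS-CHAP2-Success: reply is shaped for EAP-MSCHAPv2"
    else:
        diagnosis = "Access-Accept without MS-CHAP2-Success: client-side MS-CHAPv2 check will fail"
    return {"code": CODE_NAMES.get(code, str(code)), "mschap2_success": has_success,
            "eap_message": has_eap, "mschap_error": has_error, "diagnosis": diagnosis}


def build_packet(code: int, ident: int, attrs: list) -> bytes:
    """Build a RADIUS packet from (type, value) pairs; authenticator zeroed (constructed data)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def ms_vsa(vendor_type: int, value: bytes) -> bytes:
    """Encode one Microsoft vendor-specific attribute value (RFC 2548 layout)."""
    return struct.pack("!I", VENDOR_MICROSOFT) + bytes([vendor_type, len(value) + 2]) + value


# Constructed sample replies: a good plain MS-CHAPv2 Access-Accept, one shaped
# for EAP-MSCHAPv2, and a bare Access-Accept with nothing the NAS can relay.
SUCCESS_STRING = b"\x01S=" + b"A" * 40  # ident byte + "S=<40 hex chars>" (dummy value)
GOOD_ACCEPT = build_packet(ACCESS_ACCEPT, 1, [(ATTR_VENDOR_SPECIFIC, ms_vsa(MS_CHAP2_SUCCESS, SUCCESS_STRING))])
EAP_ACCEPT = build_packet(ACCESS_ACCEPT, 2, [(ATTR_EAP_MESSAGE, b"\x03\x02\x00\x04")])  # EAP Success
BARE_ACCEPT = build_packet(ACCESS_ACCEPT, 3, [])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_ACCEPT), ("eap", EAP_ACCEPT), ("bare", BARE_ACCEPT)):
        print(name, check_mschapv2_accept(pkt)["diagnosis"])
```

If the Access-Accept from the Duo proxy parses like the "bare" or "eap" case while the one straight from NPS parses like the "good" case, the proxy is accepting the user but not passing the MS-CHAPv2 success data through, which would match a firewall that logs the user as accepted and then rejects the result.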