[quote]
For IKEv2 machine certificate authentication: Ensure the trusted root certificate store on the VPN Server contains **only** the trust root certificate that matches the trust chain with which the client will send the machine certificate. And you MUST delete all the other trust chains on the VPN Server – to avoid any malicious client machine having a certificate with one of those trust chains being able to successfully connect to this VPN server using IKEv2 machine certificate authentication.
[/quote]
Is this still true with a Windows 2008 R2 SP1 RRAS server?
If so, IKEv2 behaves quite differently than the IPsec AuthN in the L2TP/IPsec VPN solution where the client must present a certificate from the same Root CA as the RRAS server.
Thanks,
Stefaan