3

This is a sister question of "Is EAP-MSCHAP v2 secure?".

Based on my understanding, IPsec should have authenticated the server (we're using PKI) and secured the rest of the protocols before the user authentication takes place, so there's no need to use PEAP (for L2TP/IPsec), right? (I.e., plain MSCHAPv2 should provide adequate protection for the passwords in this case?)

billc.cn

1 Answer

1

I think you are correct, but it would be nice to know for sure. Microsoft KB article (2743314) dealing with MS-CHAP in PPTP:

Unencapsulated MS-CHAP v2 Authentication Could Allow Information Disclosure

Expand Suggested Actions and it says:

Or, as an alternative to implementing PEAP-MS-CHAP v2 Authentication for Microsoft VPNs, use a more secure VPN tunnel

If the tunnel technology used is flexible, and a password-based authentication method is still required, then Microsoft recommends using L2TP, IKEv2, or SSTP VPN tunnels in conjunction with MS-CHAP v2 or EAP-MS-CHAP v2 for authentication.

TBG9000