[ATP/FLEX]How to configure the remote client VPN with 2FA on USG FLEX in Nebula?

Zyxel_Chris Posts: 700  Zyxel Employee
First Anniversary 10 Comments Friend Collector First Answer
edited June 2023 in VPN
IPSec VPN client with 2FA 

1.  Navigate to Configure > Firewall > Remote Access VPN and activate “Two-factor 
authentication with Captive Portal” 

2.  Go to Orgnization-wide manage > Cloud Authentication to create the VPN client, check the allowed to use Remote VPN and send the information to user. 

3.  Go to check the email and click the link

4.  After the login then activate the Google authenticator, then use your mobile phone to scan the QR code to install. Don’t forget to download the backup code in case lost 
the phone. 

5.  Configure the Zyxel VPN client then right click IVE_V1 and click “New VPN Gateway” 
Phase 1. 

Remote Gateway is NSG WAN IP address. 

The Cryptography is same as the setting in Nebula policy.   

In Protocol tab, activate the Mode Config 

Phase 2 
Create the phase 2 setting “New VPN connection” 

Configure the Remote LAN address/subnet as, and ESP as same as the policy 
setting in Remote VPN policy. 

6. In scripts, configure 2FA portal page on the Automation tab. “When tunnel is open input the URL with 
Note: The URL IP address is USG FLEX LAN 1 IP. (In this case is 

7.  Find your LAN1 IP address in Configure > Firewall > Interface 

8. Login (Dial up the VPN tunnel) 

X-auth windows pop up 

Then the authentication page will auto pop up. 
Open the Google authenticator in your mobile phone and enter the passcode. 

Login successful.