How to configure the remote client VPN with 2FA on USG FLEX in Nebula?

Zyxel_Chris
Zyxel_Chris Posts: 426  Zyxel Employee
edited August 27 in Security FAQ
IPSec VPN client with 2FA 

 
1.  Navigate to USG FLEX> Configure> Remote access VPN and activate “Two-factor 
authentication with Captive Portal” 


2.  Go to Organization-wide> Cloud authentication to create the VPN client, check the 
allowed to use Remote VPN and send the information to user. 


3.  Go to check the email and click the link


4.  After the login then activate the Google authenticator, then use your mobile phone to scan the QR code to install. Don’t forget to download the backup code in case lost 
the phone. 


5.  Configure the Zyxel VPN client then right click IVE_V1 and click “New VPN Gateway” 
 
 
Phase 1. 


Remote Gateway is NSG WAN IP address. 


The Cryptography is same as the setting in Nebula policy.   

In Protocol tab, activate the Mode Config 


Phase 2 
Create the phase 2 setting “New VPN connection” 


Configure the Remote LAN address/subnet as 0.0.0.0, and ESP as same as the policy 
setting in Remote VPN policy. 



6. In scripts, configure 2FA portal page on the Automation tab. “When tunnel is open input the URL with https://192.168.1.1/weblogin.cgi?auth_type=vpn 
Note: The URL IP address is USG FLEX LAN 1 IP. (In this case is 192.168.8.1) 



7.  Find your LAN1 IP address in USG FLEX> Interface 


8. Login (Dial up the VPN tunnel) 


X-auth windows pop up 



Then the authentication page will auto pop up. 
Open the Google authenticator in your mobile phone and enter the passcode. 



Login successful. 


Chris
Tagged: