Getting "vpn connection authorization fail or authorize link expired" using Google Auth with IPSec

ChipConnJohn
ChipConnJohn Posts: 44  Freshman Member
First Anniversary 10 Comments Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula
Hello all,

We have been using an IKEv2 VPN connection with just 2 users for a few weeks now.  We have Google Auth for 2FA.  It was working fine.  Now, every time we enter a Google Auth code we get "vpn connection authorization fail or authorize link expired."  Nothing has changed.

I'm still able to use a Google Auth code to log into the device as Admin.

Anyone seen this?  Have any suggestions?

Accepted Solution

«1

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Could you give me the remote access of the web GUI of your device to check this issue remotely? Please send the wan IP address and login information to me in private message. Thanks! :)
  • LukSaf22
    LukSaf22 Posts: 1
    Hi,
       same problems with Google Auth on IKEv2 connection. This issues appear on different devices models, ATP 200 or USG100. First times after vpn connection setup , connection with Google Auth works ok, but after some days error "vpn connection authorization fail or authorize link expired" appear after input code received from Google Auth app. Because of this issue, we use as backup authentication mail authentication, which is not very secure if email is installed on same laptop where connection vpn is used.
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Please check your private message if you'd like to find out the cause of this issue.  :)
  • ITemi
    ITemi Posts: 4
    Friend Collector First Comment

    Hi,

    Hi have the same problem. Did you find any solution? Would appreciate any suggestion how to solve this issue.

    thx

  • ChipConnJohn
    ChipConnJohn Posts: 44  Freshman Member
    First Anniversary 10 Comments Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula

    in this case it was an error in the firmware. MFA was getting turned off on reboot of the device. Something I discovered when looking at a backup config. There was a “no MFA” line at the bottom of the IKE config that would persist even when MFA was turned on. This was fixed in a firmware update about a year ago.

    So, the Google Auth failure was due to the MFA setting being turned off after a reboot.

  • ChipConnJohn
    ChipConnJohn Posts: 44  Freshman Member
    First Anniversary 10 Comments Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula

    Well, I just had a use have this problem and the MFA was still turned on. I have to investigate this later today. Ugh. They did seem to be at least partially connected even though MFA failed. (pings worked to servers)

  • [Deleted User]
    [Deleted User] Posts: 0  Freshman Member
    First Anniversary 10 Comments Friend Collector First Answer

    Hi ChipConnJohn,

    What firmware do you have? Because the newest weekly (datecode) firmware has a fix for MFA on 5.36.

    You can find it here:

    https://support.zyxel.eu/hc/en-us/articles/360005438274-Weekly-Firmware-Support-Version-Lab-Version

    Thanks!

  • ChipConnJohn
    ChipConnJohn Posts: 44  Freshman Member
    First Anniversary 10 Comments Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula

    Hi Andreas,

    I updated to the weekly firmware and it's still not working. Getting Auth Failed message.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @ITemi ,

    What is your device model? i will send you firmware in PM.

  • ITemi
    ITemi Posts: 4
    Friend Collector First Comment

    Hi @Zyxel_Cooldia

    I have Zyxel ATP200 with the latest FW V5.36(ABFW.0).
    Do you have a newer version of the firmware?

    Thx

Security Highlight