ATP + VPN + MFA

NEP
NEP Posts: 72  Ally Member
edited December 2023 in Security

Hello,

We are currently testing an IPSec VPN for mobile. Right now we use the SSL VPN with our desktop clients. Anyway, we are wondering if it's possible to use MFA with both of these? I performed a search in the community and didn't find much information, at least for IPSec. I did find something that seemed to be for the SSL VPN but have struggled to implement it.

A similar question was posed here quite a while ago but it remains unanswered.

Is this something that is possible? If so, is there any documentation you can point me to? If not, is it possible that you guys will implement it? Or is there something else that we should be implementing?

Side note, I have MFA set up for Admin access to the firewall, so at least that is possible and works well.

Anyway, thanks for your help.

Edit: I was looking at the documentation for setting up the VPN on Android using StrongSwan. The note says, "The VPN settings for Non-SecuExtender IPSec VPN Clients do not support the following features: Upload Bandwidth Limit, Split Tunnel, and Two-factor Authentication (Google Authenticator)". Is this correct?

Accepted Solution

  • zyman2008
    zyman2008 Posts: 219  Master Member
    Answer ✓

    Hi @NEP ,

    For IPSec (IKEv2) VPN + Windows/macOS/Android StrongSwan client + Google Authenticator.

    The VPN user needs to open a browser manually to the MFA URL after the VPN is connected.

    In this example, the URL is set up on the LAN interface IP (192.168.10.1) of my ATP with the default port 8008.

    The MFA URL will be http://192.168.10.1:8008/

All Replies

  • NEP
    NEP Posts: 72  Ally Member

    I don't recall marking this as answered, but I do have it working with SecuExtender SSL and MS Authenticator. Thanks @zyman2008.

    I had edited the original post about a note that I saw. Are you aware of Non-SecuExtender IPSec VPN Clients not supporting MFA? I would consider the SSL VPN to be one such client (based on name) and yet it works. However, I'm mainly thinking of the built-in Windows VPN and Android.

  • zyman2008
    zyman2008 Posts: 219  Master Member

    Windows built-in L2TP over IPSec can be supported with an external RADIUS service that supports 2FA.

    All of this uses the external 2FA service. You don't need to enable the 2FA settings on the ZyWALL.

    The password is in the format (append the second-factor code after the first-factor user password): password,code

    I had helped a client integrate ZyWALL with AD + Duo 2FA.

    https://duo.com/docs/radius
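The "password,code" format in the reply above is the append mode that a 2FA-capable RADIUS service expects, and the example below is added here to show what that looks like on the wire; it is not code from the thread, from Zyxel or from Duo. It models both sides of the exchange: the firewall (RADIUS client) sends a PAP Access-Request whose User-Password attribute carries `password,code` hidden as RFC 2865 describes, and the RADIUS side reveals it, splits on the last comma, checks the first factor against a user record, then checks the code as a Google Authenticator style TOTP (RFC 6238, HMAC-SHA1, 30-second step). The shared secret, the user "alice", her password and the TOTP seed are constructed demo values (the seed is the RFC 4226/6238 test-vector seed).

```python
"""Model of a ZyWALL -> RADIUS 2FA exchange in append mode ("password,code").

Added example, not from the thread or from Zyxel/Duo. The shared secret,
user record and TOTP seed below are constructed demo values.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

CODE_ACCESS_REQUEST = 1      # RFC 2865 packet code
ATTR_USER_NAME = 1           # RFC 2865 attribute types
ATTR_USER_PASSWORD = 2
TOTP_STEP = 30               # Google Authenticator default (RFC 6238)
TOTP_DIGITS = 6

DEMO_SECRET = b"demo-radius-shared-secret"         # constructed shared secret
DEMO_USERS = {"alice": "Secr3t,pass"}               # constructed first factor (contains a comma on purpose)
DEMO_SEEDS = {"alice": b"12345678901234567890"}     # RFC 4226/6238 test-vector seed


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, total length (incl. 2 header bytes), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def _pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of _pap_hide: the chained key is derived from the hidden (ciphertext) block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(username: str, typed_password: str, secret: bytes,
                         identifier: int = 1, authenticator: Optional[bytes] = None) -> bytes:
    """What the firewall (RADIUS client) sends; typed_password is what the user typed: 'password,code'."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, _pap_hide(typed_password.encode(), secret, authenticator)))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes):
    """Split a RADIUS packet into code, identifier, authenticator and {type: value} attributes."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def hotp(seed: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP over HMAC-SHA1; TOTP is HOTP with counter = time // step."""
    digest = hmac.new(seed, struct.pack("!Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack("!I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def split_append_mode(combined: str, delimiter: str = ",") -> Optional[Tuple[str, str]]:
    """'password,code' -> (password, code). Split on the LAST delimiter so a comma inside the
    first-factor password survives; a missing or non-numeric code (user typed only the
    password) is rejected here instead of being forwarded as a one-factor login."""
    password, sep, code = combined.rpartition(delimiter)
    if not sep or not code.isdigit():
        return None
    return password, code


def verify_access_request(packet: bytes, secret: bytes, now: int,
                          users=DEMO_USERS, seeds=DEMO_SEEDS, window: int = 1) -> bool:
    """What the 2FA-aware RADIUS service checks before it would answer Access-Accept."""
    code, _, authenticator, attrs = parse_packet(packet)
    if code != CODE_ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return False
    user = attrs[ATTR_USER_NAME].decode()
    parts = split_append_mode(_pap_reveal(attrs[ATTR_USER_PASSWORD], secret, authenticator).decode())
    if parts is None or user not in users:
        return False
    password, otp = parts
    if not hmac.compare_digest(password, users[user]):          # first factor
        return False
    step = now // TOTP_STEP                                     # second factor, +/- one step of drift
    return any(hmac.compare_digest(otp, hotp(seeds[user], c))
               for c in range(step - window, step + window + 1) if c >= 0)


if __name__ == "__main__":
    now = 59                                                    # RFC 6238 test time; code is 287082
    typed = "Secr3t,pass," + hotp(DEMO_SEEDS["alice"], now // TOTP_STEP)
    print("password,code accepted:", verify_access_request(build_access_request("alice", typed, DEMO_SECRET), DEMO_SECRET, now))
    print("password only accepted:", verify_access_request(build_access_request("alice", "Secr3t,pass", DEMO_SECRET), DEMO_SECRET, now))
```

Two points the model makes explicit: the split happens on the RADIUS side, which is why the reply says the ZyWALL's own 2FA setting stays off; and the RADIUS service has to be able to recover the cleartext to do that split, which is why the example uses PAP rather than a challenge-response method that never hands the server the typed string.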
