2FA Remote Access VPN (Flex 200H V1.32(ABWV.0) )

Danee

Hi!

My client has a Flex 200H V1.32(ABWV.0) firewall and we - the network administrators - are using/enabling IPSec VPN for the networks users to access the network remotely.
(Also using SSL VPN with OpenVPN.)
From the beginnings we used "native clients built into Windows" in win10/11 for "home office" users.
They are downloadable (from the firewall GUI) configurations for windows and macOS. It needs user name and password after the VPN is installed as the 1st authentication.
Without the 2nd authentication nor internet, nor the client's intranet worked for anyone who did the 1st authentication, except for an intranet site (firewall LAN address plus port number: 192.168.X.X:XXXX) was available for the 2nd authentication.
After the 2nd authentication both internet and full intranet became available.

But since yesterday (2025.06.02.) the 1st authentication enables both the internet and the intranet without the 2nd authentication.
How is this possible?

PeterUK

It does look like it should not be possible

if you go to VPN status > IPSec VPN > remote access VPN can you disconnect everyone? then test again

Danee

https://community.zyxel.com/en/discussion/comment/77874#Comment_77874

I can/could disconnect anyone from there, and they can/could reconnect the same - non 2FA - way
with access to both inter- and intranet.

Zyxel_Melen

Hi @Danee,

I can replicate this issue in my lab. We are investigating this issue, and I will update once I get further information.

Muscom

This is clearly a serious security issue, and I think Zyxel needs to fix it soon to ensure the 2FA feature works properly, giving users more peace of mind when using VPN remotely.

https://community.zyxel.com/en/discussion/comment/77890#Comment_77890