Odd 2FA Security Issue With The USG40
I have a USG40 with latest firmware.
I have just set it up as a VPN server using IKEv2 using the below guide
I am using the built in VPN client in Windows 10 Pro
All is working fine but I wanted to add 2fa to the VPN logins.
I have done so, and again all works fine: the VPN client connects, but you can't ping anything behind the USG40 until you have clicked the authorization email sent from the USG40.
Again all works fine.
But I noticed (and I thought at first I was seeing things and had clicked the authorization email by accident) that sometimes, if left without clicking the 2FA email, it would start pinging the LAN behind the USG40.
This is very random, but I would say about 1 in 5 connections, if left waiting, eventually give access to the LAN without acknowledging the 2FA email.
Is this something I have done wrong, or is it a flaw?
Any thoughts and many thanks
Not sure why the link did not show, but it's here
I would guess that maybe the former session(s) get cached and, since it's the same client/machine, the credentials are still valid? Or the 2FA has a general grace period per user/machine?
Are the links you receive maybe even the same?
I would try logging in, clicking the 2FA, logging out immediately, logging in, compare the links.
Next I would try different clients and see if the 2FA can be skipped with those too.
If it just applies to the same client, the real-world implications would exist, but the chances of exploiting this are very slim.
Can you test again and check if the IP shows up in twofa-ipsec-ip? It should be listed in twofa-ipsec-ip before clicking the authorization email.
Once you click the authorization email, it will be delisted from twofa-ipsec-ip.
Here are the steps:
- Connect the VPN client.
- Type the CLI command "debug system ipset" to check if the VPN client's IP address is listed in twofa-ipsec-ip.
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16496
X.X.X.X <= You should be able to see the IP address in the member list before clicking the authorization email
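Because the reported behaviour is intermittent (about 1 in 5 connections), it helps to capture the "debug system ipset" output right after connecting and again later, and compare the two mechanically instead of by eye. The script below is an added example, not code from the thread or from Zyxel: it assumes the output follows the Linux ipset "list" layout (a "Name:" line, a "Members:" line, then one member per line; the thread itself shows only the Header/Size/member lines), and the sample output is constructed.

```python
import ipaddress

# Constructed sample of "debug system ipset" output. The Name:/Members: lines
# are an assumption modelled on Linux "ipset list"; the thread only shows the
# Header, Size and member lines.
SAMPLE_OUTPUT = """\
Name: twofa-ipsec-ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16496
Members:
203.0.113.45
198.51.100.7

Name: other-set
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16400
Members:
192.0.2.10
"""

def parse_ipset_list(text):
    """Return {set_name: set of member addresses} from ipset-style output."""
    sets, current, in_members = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            current = line.split(":", 1)[1].strip()
            sets[current] = set()
            in_members = False
        elif line.startswith("Members:"):
            in_members = True
        elif not line:
            in_members = False          # blank line ends a set's member list
        elif in_members and current is not None:
            sets[current].add(line.split()[0])   # drop any per-entry options
    return sets

def pending_2fa(text, client_ip, set_name="twofa-ipsec-ip"):
    """True if client_ip is still held in the 2FA set, i.e. not yet authorized."""
    ip = ipaddress.ip_address(client_ip)       # rejects malformed input early
    members = parse_ipset_list(text).get(set_name, set())
    return any(ipaddress.ip_address(m) == ip for m in members)

def classify_session(snapshot_at_connect, snapshot_later, client_ip):
    """A client should be listed right after connecting and delisted only on click."""
    if not pending_2fa(snapshot_at_connect, client_ip):
        return "never-gated"    # never held at connect time: the 2FA gate did not apply
    return "still-pending" if pending_2fa(snapshot_later, client_ip) else "released"
```

A "released" result for a session where nobody clicked the email, or "never-gated" for a fresh connection, is the evidence to attach to a support case.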
Thank you, I will set the system up again and try the above suggestions. Many thanks