Odd 2FA Security Issue With The USG40

JCE Posts: 12


I have a USG40 with latest firmware.

I have just set it up as a VPN server using IKEv2 using the below guide


I am using the built in VPN client in Windows 10 Pro

All is working fine but I wanted to add 2fa to the VPN logins.

I have done so and again all works fine: the VPN client connects, but you can't ping anything behind the USG40 until you have clicked the authorization email sent from the USG40.

Again all works fine.

But I noticed (and I thought at first I was seeing things and had clicked the authorization email by accident) that sometimes, if left without clicking the 2FA email, it would start pinging the LAN behind the USG40.

This is very random, but I would say about 1 in 5 connections, if left waiting, eventually give access to the LAN without acknowledging the 2FA email.

Is this something I have done wrong, or is it a flaw?

Any thoughts? Many thanks.

All Replies

  • JCE
    JCE Posts: 12
    edited March 3

    Not sure why the link did not show, but it's here


  • StefanZ
    StefanZ Posts: 71
     Ally Member

    I would guess that maybe the former session(s) get cached and, since it's the same client/machine, the credentials are still valid? Or the 2FA has a general grace period per user/machine?

    Are the links you receive maybe even the same?

    I would try logging in, clicking the 2FA, logging out immediately, logging in, compare the links.

    Next I would try different clients and see if the 2FA can be skipped with those too.

    If it just applies to the same client, the real world implications would exist, but the chances of exploiting this are very slim.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,174
     Zyxel Employee

    Hi @JCE,

    Can you test again and check if the IP shows up in twofa-ipsec-ip? It should be listed in twofa-ipsec-ip before clicking the authorization email.
    Once you click the authorization email, it will be delisted from twofa-ipsec-ip.

    Here are the steps:

    1. Connect the VPN client.
    2. Type the CLI command "debug system ipset" to check if the VPN client's IP address is listed in twofa-ipsec-ip.

    Name: twofa-ipsec-ip
    Type: hash:ip
    Revision: 3
    Header: family inet hashsize 1024 maxelem 65536
    Size in memory: 16496
    References: 2
    X.X.X.X <= You should be able to see the IP address in the member list before clicking the authorization email
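The check above is easy to get wrong by eye when the dump contains several sets, so here is a small parser for that ipset listing, written as an added example for this thread (it is not code from the thread or from Zyxel). It parses a dump in the shape shown in the reply, handles several sets in one dump with or without a "Members:" heading, and reports whether a client address was held in twofa-ipsec-ip before the email was clicked and released afterwards. The sample dumps, the address 192.0.2.10, the second set name and the verdict labels ("ok", "never-gated", "still-gated") are constructed for the example; the reply only states that the IP should be listed before the click and delisted after it.

```python
"""Parse an ipset-style listing and check the twofa-ipsec-ip 2FA gate."""
import ipaddress
from typing import Dict, Set

# Constructed sample dumps, modelled on the output shape quoted in the reply.
# The real `debug system ipset` output prints the actual member addresses.
SAMPLE_BEFORE_CLICK = """\
Name: twofa-ipsec-ip
Type: hash:ip
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16496
References: 2
192.0.2.10

Name: example-other-set
Type: hash:ip
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16400
References: 0
Members:
198.51.100.7
"""

SAMPLE_AFTER_CLICK = """\
Name: twofa-ipsec-ip
Type: hash:ip
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16400
References: 2

Name: example-other-set
Type: hash:ip
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16400
References: 0
Members:
198.51.100.7
"""


def parse_ipset_output(text: str) -> Dict[str, dict]:
    """Return {set_name: {field: value, ..., "members": set of addresses}}.

    A new set starts at each "Name:" line. Any line whose first token parses
    as an IP address is a member; other "key: value" lines become fields.
    A "Members:" heading is optional because the quoted dump omits it.
    """
    sets: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Name:"):
            current = {"members": set()}
            sets[line.split(":", 1)[1].strip()] = current
            continue
        if current is None or line == "Members:":
            continue
        token = line.split()[0]  # members may carry a suffix such as a timeout
        try:
            current["members"].add(ipaddress.ip_address(token))
            continue
        except ValueError:
            pass
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip().lower()] = value.strip()
    return sets


def is_gated(sets: Dict[str, dict], client_ip: str,
             set_name: str = "twofa-ipsec-ip") -> bool:
    """True if client_ip is currently held in the 2FA gate set."""
    members: Set = sets.get(set_name, {}).get("members", set())
    return ipaddress.ip_address(client_ip) in members


def verdict(before_text: str, after_text: str, client_ip: str) -> str:
    """Compare the dump taken before and after clicking the authorization email.

    "ok"          : listed while waiting, delisted after the click (expected)
    "never-gated" : never listed, so the LAN was reachable without 2FA
    "still-gated" : still listed after the click, so authorization did not take
    """
    before = is_gated(parse_ipset_output(before_text), client_ip)
    after = is_gated(parse_ipset_output(after_text), client_ip)
    if before and not after:
        return "ok"
    if not before:
        return "never-gated"
    return "still-gated"


if __name__ == "__main__":
    print(verdict(SAMPLE_BEFORE_CLICK, SAMPLE_AFTER_CLICK, "192.0.2.10"))
```

To use it on the real box, paste the dump taken right after the client connects as the "before" text and the dump taken after clicking the email as the "after" text; a "never-gated" result on a connection that reached the LAN without the click is the evidence worth attaching to a support case.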

  • JCE
    JCE Posts: 12

    Thank you, I will set the system up again and try the above suggestions. Many thanks.
