USG FLEX 200: is 2FA (Google Authenticator) supposed to work on L2TP vpn?

valerio_vanni
valerio_vanni Posts: 95  Ally Member
First Answer First Comment Friend Collector Second Anniversary
edited November 22 in Security

Is 2FA supposed to work on L2TP vpn?

I did some test and it didn't work.

The tunnel goes up, and traffic starts to flow. Even if the user doesn't go through 2FA process.

All Replies

  • PeterUK
    PeterUK Posts: 3,399  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    I have only ever got 2FA woring by Email you need to enable it in

    config > object > Auth. method > two-factor authentcation

  • valerio_vanni
    valerio_vanni Posts: 95  Ally Member
    First Answer First Comment Friend Collector Second Anniversary

    I changed the subject, since it comes from another thread, and perhaps it was not clear that I was talking about 2FA with Google Authenticator.

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,115  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - WLAN Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security
    edited November 25

    Hi @valerio_vanni

    Are you setting up 2FA (Google Authenticator) for VPN access using local users on your firewall? If so, you can follow the configuration steps outlined in this guide:

    https://community.zyxel.com/en/discussion/12505/how-to-use-two-factor-with-google-authenticator-for-vpn-access

    For SSL VPN or L2TP VPN, please note that users must manually enter the correct URL in their browser to input the verification code. For example: https://YourDeviceIP:8080. However, if you are using the Zyxel VPN Client to establish the VPN tunnel, the authentication page will pop up automatically in the browser.

    If you've already followed these steps and are still experiencing issues with 2FA on your L2TP VPN, could you provide us with the following details to assist you further?

    1. Firmware Version: What is the firmware version of your USG FLEX 200? Please ensure it's updated to the latest version.
    2. Affected Users and Logs: Which user(s) are encountering the issue? Are there any relevant logs on your firewall? Sharing a screenshot of these logs would be helpful.
    3. Startup Configuration: Please download the startup-config.conf file from your device and share it with us via private message for further analysis.

    Kay

    Untitled Image

    Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP! https://bit.ly/2024_Survey_Community

  • valerio_vanni
    valerio_vanni Posts: 95  Ally Member
    First Answer First Comment Friend Collector Second Anniversary

    Firmware is latest, 5.39v1.

    All tests have been done with the same user.

    Initial state:

    I already use 2FA with ipsec vpn and it works.

    I already use L2TP vpn and it works too, but without 2FA.

    The configuration change was simply to enable, in VPN gateway used for L2TP, "

    Enable Two-factor Authentication" option.

    I expected that, after, 2FA was activated.

    Instead, all remained as before. L2TP tunnel goes up, and it's already available. Traffic can flow.

  • valerio_vanni
    valerio_vanni Posts: 95  Ally Member
    First Answer First Comment Friend Collector Second Anniversary

    In logs, when user connects to L2TP VPN (Android 11 native vpn connection)

    I find these entries:

    notice

    User

    User vpn1(MAC=) from l2tp has logged in Device

    source: private ip of client

    notice

    User

    User vpn1(MAC=) from l2tp has logged in Device

    source: public ip of client

    info

    L2TP Over IPSec

    User vpn1 has been granted an L2TP over IPsec session.

    zywall public ip:1701

    android public ip:40654

    And then traffic flows, i.e I can ping from client to LAN1.

    No second factor required.

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)