USG FLEX 200: is 2FA (Google Authenticator) supposed to work on L2TP vpn?
Is 2FA supposed to work on L2TP vpn?
I did some test and it didn't work.
The tunnel goes up, and traffic starts to flow. Even if the user doesn't go through 2FA process.
All Replies
-
I have only ever got 2FA woring by Email you need to enable it in
config > object > Auth. method > two-factor authentcation
0 -
I changed the subject, since it comes from another thread, and perhaps it was not clear that I was talking about 2FA with Google Authenticator.
0 -
Are you setting up 2FA (Google Authenticator) for VPN access using local users on your firewall? If so, you can follow the configuration steps outlined in this guide:
For SSL VPN or L2TP VPN, please note that users must manually enter the correct URL in their browser to input the verification code. For example:
https://YourDeviceIP:8080
. However, if you are using the Zyxel VPN Client to establish the VPN tunnel, the authentication page will pop up automatically in the browser.If you've already followed these steps and are still experiencing issues with 2FA on your L2TP VPN, could you provide us with the following details to assist you further?
- Firmware Version: What is the firmware version of your USG FLEX 200? Please ensure it's updated to the latest version.
- Affected Users and Logs: Which user(s) are encountering the issue? Are there any relevant logs on your firewall? Sharing a screenshot of these logs would be helpful.
- Startup Configuration: Please download the
startup-config.conf
file from your device and share it with us via private message for further analysis.
Kay
Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP!
0 -
Firmware is latest, 5.39v1.
All tests have been done with the same user.
Initial state:
I already use 2FA with ipsec vpn and it works.
I already use L2TP vpn and it works too, but without 2FA.
The configuration change was simply to enable, in VPN gateway used for L2TP, "
Enable Two-factor Authentication" option.
I expected that, after, 2FA was activated.
Instead, all remained as before. L2TP tunnel goes up, and it's already available. Traffic can flow.
0 -
In logs, when user connects to L2TP VPN (Android 11 native vpn connection)
I find these entries:
notice
User
User vpn1(MAC=) from l2tp has logged in Device
source: private ip of client notice
User
User vpn1(MAC=) from l2tp has logged in Device
source: public ip of client info
L2TP Over IPSec
User vpn1 has been granted an L2TP over IPsec session.
zywall public ip:1701
android public ip:40654
And then traffic flows, i.e I can ping from client to LAN1.
No second factor required.
0 -
I recently created a user on my USG FLEX firewall and enabled 2FA using Google Authenticator. I also configured Two-Factor Authentication for VPN access, following all the steps outlined in the post mentioned above.
When establishing an L2TP VPN connection, I need to manually access the correct URL (e.g.,
https://YourDeviceIP:8008
) in a browser to input the verification code; otherwise, the VPN tunnel does not establish successfully.If you’ve followed the steps in that post to configure 2FA (Google Authenticator) for your L2TP VPN but find that traffic is still passing through without 2FA, please download the
startup-config.conf
file from your device and share it with us via private message for further analysis.Kay
Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP!
0 -
Thank you. I'll do some more test and then I'll send you config file.
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 145 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.6K Security
- 240 USG FLEX H Series
- 268 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 386 News and Release
- 83 Security Advisories
- 28 Education Center
- 9 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 72 Security Highlight