USG FLEX 200: is 2FA (Google Authenticator) supposed to work on L2TP vpn?

valerio_vanni
valerio_vanni Posts: 116  Ally Member
5 Answers First Comment Friend Collector Third Anniversary
edited November 22 in Security

Is 2FA supposed to work on L2TP vpn?

I did some tests and it didn't work.

The tunnel goes up and traffic starts to flow, even if the user doesn't go through the 2FA process.

All Replies

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    I have only ever got 2FA working by email. You need to enable it in

    config > object > Auth. method > two-factor authentication

  • valerio_vanni
    valerio_vanni Posts: 116  Ally Member

    I changed the subject, since it comes from another thread, and perhaps it was not clear that I was talking about 2FA with Google Authenticator.

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,199  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - WLAN Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security
    edited November 25

    Hi @valerio_vanni

    Are you setting up 2FA (Google Authenticator) for VPN access using local users on your firewall? If so, you can follow the configuration steps outlined in this guide:

    For SSL VPN or L2TP VPN, please note that users must manually enter the correct URL in their browser to input the verification code. For example: https://YourDeviceIP:8080. However, if you are using the Zyxel VPN Client to establish the VPN tunnel, the authentication page will pop up automatically in the browser.

    If you've already followed these steps and are still experiencing issues with 2FA on your L2TP VPN, could you provide us with the following details to assist you further?

    1. Firmware Version: What is the firmware version of your USG FLEX 200? Please ensure it's updated to the latest version.
    2. Affected Users and Logs: Which user(s) are encountering the issue? Are there any relevant logs on your firewall? Sharing a screenshot of these logs would be helpful.
    3. Startup Configuration: Please download the startup-config.conf file from your device and share it with us via private message for further analysis.

    Kay

    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

  • valerio_vanni
    valerio_vanni Posts: 116  Ally Member

    Firmware is latest, 5.39v1.

    All tests have been done with the same user.

    Initial state:

    I already use 2FA with ipsec vpn and it works.

    I already use L2TP vpn and it works too, but without 2FA.

    The configuration change was simply to enable, in the VPN gateway used for L2TP, the "Enable Two-factor Authentication" option.

    I expected that, after that, 2FA would be activated.

    Instead, all remained as before. L2TP tunnel goes up, and it's already available. Traffic can flow.

  • valerio_vanni
    valerio_vanni Posts: 116  Ally Member

    In logs, when user connects to L2TP VPN (Android 11 native vpn connection) I find these entries:

    notice | User | User vpn1(MAC=) from l2tp has logged in Device | source: private ip of client
    notice | User | User vpn1(MAC=) from l2tp has logged in Device | source: public ip of client
    info | L2TP Over IPSec | User vpn1 has been granted an L2TP over IPsec session. | zywall public ip:1701 | android public ip:40654

    And then traffic flows, i.e. I can ping from client to LAN1.

    No second factor required.

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,199  Zyxel Employee

    Hi @valerio_vanni

    I recently created a user on my USG FLEX firewall and enabled 2FA using Google Authenticator. I also configured Two-Factor Authentication for VPN access, following all the steps outlined in the post mentioned above.

    When establishing an L2TP VPN connection, I need to manually access the correct URL (e.g., https://YourDeviceIP:8008) in a browser to input the verification code; otherwise, the VPN tunnel does not establish successfully.

    If you’ve followed the steps in that post to configure 2FA (Google Authenticator) for your L2TP VPN but find that traffic is still passing through without 2FA, please download the startup-config.conf file from your device and share it with us via private message for further analysis.

    Kay


  • valerio_vanni
    valerio_vanni Posts: 116  Ally Member

    Thank you. I'll do some more tests and then I'll send you the config file.

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,199  Zyxel Employee
    Answer ✓

    Hi @valerio_vanni

    As we discussed in private messages, it seems the 2FA feature for the L2TP VPN connection hasn't been enabled yet. Please navigate to CONFIGURATION > Object > Auth. Method > Two-factor authentication > VPN Access and check the box to activate 2FA for L2TP VPN access.

    Kay


  • valerio_vanni
    valerio_vanni Posts: 116  Ally Member

    Now it works, I missed that setting. Thank you.

    Instead, I had activated 2FA in the VPN tunnel properties (which, I see now, doesn't matter).
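
Added example (not part of any post above and not Zyxel code): a log check that looks for the "has been granted an L2TP over IPsec session" message quoted in this thread and reports sessions with no second-factor event for the same user close to the grant. The timestamp prefix, the wording of the second-factor message and the 3-minute window are assumptions, and the sample log is constructed.

```python
import re
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp prefix, not shown in the thread

# Message text as quoted in the log entries posted in this thread.
GRANTED = re.compile(r"User (\S+) has been granted an L2TP over IPsec session\.")
# HYPOTHETICAL wording for a completed second-factor check; replace it with
# the message your own firewall actually logs.
SECOND_FACTOR = re.compile(r"User (\S+) passed two-factor verification")

# Constructed sample log (timestamps and the second-factor lines are invented).
SAMPLE_LOG = [
    "2024-01-01 10:00:00 User vpn1(MAC=) from l2tp has logged in Device",
    "2024-01-01 10:00:01 User vpn1 has been granted an L2TP over IPsec session.",
    "2024-01-01 10:05:00 User vpn2 has been granted an L2TP over IPsec session.",
    "2024-01-01 10:05:40 User vpn2 passed two-factor verification",
    "2024-01-01 11:00:00 User vpn1 has been granted an L2TP over IPsec session.",
    "2024-01-01 11:10:00 User vpn1 passed two-factor verification",
]


def sessions_without_2fa(lines, window=timedelta(minutes=3)):
    """Return (timestamp, user) for every granted L2TP session that has no
    second-factor event for the same user within `window` of the grant."""
    grants, verified = [], {}
    for line in lines:
        try:
            ts = datetime.strptime(line[:19], TS_FORMAT)
        except ValueError:
            continue  # skip lines without the assumed timestamp prefix
        message = line[20:]
        if m := GRANTED.search(message):
            grants.append((ts, m.group(1)))
        elif m := SECOND_FACTOR.search(message):
            verified.setdefault(m.group(1), []).append(ts)
    return [
        (ts, user)
        for ts, user in grants
        if not any(abs(seen - ts) <= window for seen in verified.get(user, []))
    ]


if __name__ == "__main__":
    for ts, user in sessions_without_2fa(SAMPLE_LOG):
        print(f"{ts.strftime(TS_FORMAT)}  {user}: L2TP session granted, no second factor seen")
```

Run against an exported log after a configuration change, an empty result for test logins is the expected outcome once 2FA is actually enforced for VPN access.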
