Set up MFA / 2FA for IKEv2 on Flex 200h
Honestly, I spent a huge amount of time trying to find a correct guide to set up an IKEv2 VPN with MFA on our USG 200H, but I have had no luck yet. All guides talk about old versions of ZyWALL; the screens are totally different, everything is very confusing, there are tons of options and the menus look different. I would really appreciate it if someone could help me configure it properly.
- IKEv2
- MFA / 2FA via Google Authenticator (or any other OTP stuff)
- VPN is already working but no MFA configured
Why I can't select the WAN interface?
My assumption is that after connecting to the normal VPN, any web access should give me a portal where I can enter the secondary code. Or is that not the case? How should it work? How should I imagine MFA/2FA with the built-in VPN clients on Windows/macOS?
Thank you very much if anyone can shed some light on this.
Accepted Solution
Hi @Smith166
To set up 2FA for Remote Access VPN using IKEv2 on your USG FLEX 200H, you can refer to this guide:
Currently, 2FA functionality is streamlined when using the Zyxel VPN Client (SecuExtender). In this case, after connecting to the VPN, the authentication page will automatically open in your browser. For other VPN clients, you'll need to manually navigate to the authentication URL (e.g., http://yourdeviceip:8008). Feel free to let us know if you encounter any specific issues or need further clarification!
Kay
All Replies
Hi Kay,
Thank you very much, I'm almost there now, it's clearer. That was the key: "For other VPN clients, you'll need to manually navigate to the authentication URL (e.g., http://yourdeviceip:8008)". Might be the last question: do you have any idea why I can't select the WAN interface at the delivery settings? Only the LAN interfaces (VLANs) are showing there. In this case I can access the 2FA auth page only on the local IP (http://172.16.4.1:8008) after I have connected to the VPN; I suppose without the successful second authentication the authentication page is the only reachable resource.
Hi @Smith166
Once a VPN connection is established, the user is considered a VPN LAN client. At this point, accessing the 2FA authentication page must be done via a LAN interface IP (e.g., http://yourdeviceip:8008). Without successful secondary authentication, the authentication page remains the only accessible resource. The reason the WAN interface cannot be selected in the delivery settings is that allowing access via WAN would create a potential security risk. If WAN were selectable, external users could attempt to access the 2FA authentication page directly without first establishing a secure VPN connection.
Kay
But you can select WAN on FLEX200 but not on FLEX H?
But in any case, on the FLEX H, VPN 2FA via Google Authenticator does not work:
Authorize Link URL Address not working at all or correctly — Zyxel Community
Hi @PeterUK
Considering our huge ZLD (USG/USG FLEX/ATP) customer base, which has been using ZLD for many years and has adapted to the design of ZLD, we determined not to change the ZLD design but to keep its flexibility.
Though the design might cause unwanted exposure, HQ will communicate with our customer base about applying strict countermeasures to keep their networks safe.
On the other hand, the uOS (USG FLEX H) is new to the market and there is no such burden.
From day one we determined to take a proactive design approach to enhance security in the 2FA case.
In summary, we have no intention of making changes to the legacy ZLD, nor of modifying the design of the new uOS.
We do commit to providing a secure and consistent experience, while educating and communicating with our legacy product customer base.
Kay
OK Kay
So, one: 2FA via Google Authenticator does not work on the FLEX200H for VPN. Even if I set it to a LAN interface and go to HTTP://192.168.255.235:8008, I get no page, even with a firewall rule allowing any to ZyWALL for port 8008; only when I disable the firewall do I see the Authorize page, and even then, when tested with SSL VPN and entering the code from Google Authenticator for the test user I set up, it still doesn't work.
And two: what would be the point of the Authorize page only being accessible on the LAN side? Isn't the point of a VPN that you connect externally and then do 2FA to the firewall's WAN side? As it is, you can use User Defined to get around this by FQDN, but like I said above, it doesn't work. Plus you can harden the Authorize page (when you get it working) by source FQDN, so that a client with DDNS can have the firewall know the source IP from the FQDN to the Authorize page, for better security.
Guys, as you are experts on this, I really appreciate your comments.
But it's working now on my FLEX200H. I can reach the authorization page from outside on http://my_public_ip:8008 and can authorise myself with the code from Google Authenticator. I can also reach the auth page on the LAN IP.
Hi @PeterUK
Regarding your queries:
- Accessing the 2FA Authorization Page: As mentioned earlier, USG FLEX H (uOS firewall) models are designed to enhance security by not supporting WAN IP or FQDN-based access to the VPN 2FA link. This proactive approach minimizes potential WAN attack surfaces.
- Accessing the 2FA Page via LAN IP Using FQDN: If you wish to access the 2FA link using an FQDN instead of the LAN IP, you can achieve this by creating an address record that maps the FQDN to the internal LAN IP. Here's how:
  - Step 1: Add an address record in your DNS server to map the FQDN (e.g., zzz.com) to the LAN IP address (e.g., 192.168.168.1 or 192.168.169.1).
  - Step 2: Update the 2FA link to reference the FQDN.
  - Step 3 (Optional): If you're using SecuExtender, ensure the automation page link is modified to align with the updated 2FA link.
  - Step 4 (Optional): With SecuExtender, the 2FA authentication page will automatically open in your browser once the VPN connection is established.
Kay
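The two rules Kay describes for the uOS 2FA link (the page is served on port 8008 only on a LAN/VPN-side interface IP, and an FQDN works only if DNS maps it to that LAN IP) can be checked before the link is entered in the firewall. The following script is an added example for this thread, not Zyxel code and not from any poster; the function names, the constructed DNS zone and the sample addresses are assumptions made for the example. It parses a proposed 2FA link, resolves its host, and reports whether the result is a private LAN address and whether it matches the LAN IP you expect.

```python
"""Pre-flight check for a USG FLEX H (uOS) VPN 2FA link.

The thread states that the uOS 2FA authorization page listens on a LAN/VPN-side
interface IP on port 8008 and is deliberately not reachable via the WAN IP, and
that an FQDN can only be used if DNS maps it to that LAN IP. This script checks
a proposed 2FA link against those rules before it is entered in the firewall.
Function names, the constructed DNS zone and the sample addresses are
assumptions made for this example; none of it is Zyxel code.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

AUTH_PORT = 8008  # port of the 2FA authorization page as given in the thread

# RFC 1918 and IPv6 ULA ranges: addresses that can only be LAN/VPN-side
_LAN_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_lan_ip(ip: str) -> bool:
    """True if ip parses and lies in a private (LAN-side) range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in _LAN_NETS)


def auth_url(host: str, port: int = AUTH_PORT) -> str:
    """Build the 2FA link in the form used in the thread, e.g. http://192.168.168.1:8008."""
    return f"http://{host}:{port}"


def check_2fa_link(link: str, expected_lan_ip: str, resolve=socket.gethostbyname) -> list:
    """Return a list of problems with the 2FA link; an empty list means it looks right.

    `resolve` maps a hostname to an IP string and is injectable so the check
    can run offline against a constructed zone (see fake_resolve).
    """
    problems = []
    parts = urlsplit(link)
    host = parts.hostname
    if host is None:
        return [f"cannot parse a host from {link!r}"]
    if parts.port != AUTH_PORT:
        problems.append(f"port is {parts.port}, expected {AUTH_PORT}")
    try:
        resolved = resolve(host)  # literal IPs resolve to themselves
    except OSError as exc:
        return problems + [f"{host} does not resolve: {exc}"]
    if not is_lan_ip(resolved):
        problems.append(f"{host} resolves to {resolved}, which is not a LAN address; "
                        "uOS serves the 2FA page only on a LAN/VPN interface")
    if resolved != expected_lan_ip:
        problems.append(f"{host} resolves to {resolved}, expected the LAN IP {expected_lan_ip}")
    return problems


# Constructed DNS zone for the offline demonstration (not real records)
_FAKE_ZONE = {
    "vpn-auth.example.com": "192.168.168.1",  # Step 1 done right: FQDN -> LAN IP
    "wan.example.com": "203.0.113.10",        # wrong: FQDN -> public WAN IP
}


def fake_resolve(host: str) -> str:
    """Offline stand-in for socket.gethostbyname using the constructed zone."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if host in _FAKE_ZONE:
        return _FAKE_ZONE[host]
    raise socket.gaierror(f"no record for {host} in the constructed zone")


if __name__ == "__main__":
    lan_ip = "192.168.168.1"
    for link in (auth_url("vpn-auth.example.com"), auth_url("wan.example.com"),
                 auth_url("192.168.169.1"), "http://192.168.168.1:443"):
        found = check_2fa_link(link, lan_ip, fake_resolve)
        print(link, "OK" if not found else "; ".join(found))
```

To check a real link, call `check_2fa_link("http://your-fqdn:8008", "your LAN IP")` without the third argument, so the system resolver is used; a hostname that comes back as the public WAN address is exactly the case Kay says uOS will not serve.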