Comments
-
Weekends = Saturdays and Sundays. Valid and good point - is the firewall data going through to SecuReporter, and/or portal login is possible. The firewall data is constantly sent to SecuReporter and aggregated, that has not been a problem yet. Hypothesis - the problem may be the login portal, which cannot deal with an…
-
Yes, everything enabled. I will end up buying another device in the end. Every device is as good as its service is.
-
What I am writing is - remove the tick box as it is misleading. Ticked or not, the firewall will still ask every 2 months for a password change. This is absolutely OK with most admins, but not the availability of a tick box which does not have any effect in the end. And yes, after changing the passwords for all users the…
-
Hi, thanks for the reply. I will try it as soon as I get a macOS device to test. Thank you.
-
Can you give a printscreen with what you mean with this? Is 2FA enabled also in 2FA main page for "ipsec vpn"?
-
2FA enforcement requires proper integration at the user, gateway, and connection profile.
IPSec GW on FW is set for 2FA.
IPSec user on FW is set for 2FA.
Connection profile based on the internal wizard states that it does not support 2FA, the clients created through the wizard for different OS work fine without 2FA. IPSec…
-
The wizard creates an IKE V2 IPSec VPN. The 2FA comes to action in IKE_AUTH Phase1 Step2: first username + pwd /credentials, then OTP via Google Auth.
The server=firewall is set to use 2FA.
The IPSec user is set to use 2FA, on the server=firewall.
The wizard creates a configuration which uses the IPSec user without the 2FA,…
-
There are several misunderstandings, I think :) from your answer. I set 2FA for VPNUser1, and for ALL IPSec connections on the firewall itself. These settings are on the firewall, that means they are on the server side as you write as well. And no configurations should go around these settings, I agree. The IPSec client…
-
Mystery solved, when using the wizard - at the end it states in small text that the non-secuExtender clients do not support 2FA, split tunnel, and max. bandwidth. Nevertheless - when 2FA is activated on the firewall for the VPNs, it does not make sense that some configurations can go around that.
-
The Zyxel's own IPSec client which you mentioned is EOL per end of 2024 as I see.
-
Yes, 2FA active in all places wherever VPN is mentioned, or the VPN user names or groups.
-
I just re-checked and tested. On the firewall, I activated 2FA for VPNuser1. On the VPN Gateway, the 2FA is activated. That means that from now on, any VPN tunnel should ask for 2FA for the user profiles used. Going on my smartphone, I can reconnect using the existing IPSec configuration which was created with the user…
-
That is exactly what I use, IPSec VPN. I created 2 different users only for this purpose of testing this case.
2. No split tunneling needed.
3. I use the Zyxel wizard to create the configurations for Android, iOS, Windows.
4. I test the clients and connections, everything works fine on each platform.
5. I activate the 2FA…
-
'Automatic' was eventually not the proper term, I deleted it from the previous comment. Everything works fine, obviously - both cases. Ticking the 2FA box for dedicated VPN profile users or leaving it unmarked does not make a difference. I don't know whether this behaviour is wanted or not or it is called 'automatic login'…
-
There is another topic with a similar complaint, on another device - therefore it may be a more general problem on at least two model series. Here you go: USG20W-VPN, latest firmware release.