Zyxel_USG_User  Freshman Member

Can you give a printscreen with what you mean with this? Is 2FA enabled also in 2FA main page for "ipsec vpn"?

2FA enforcement requires proper integration at the user, gateway, and connection profile IPSec GW on FW is set for 2FA IPSec user on FW is set for 2FA Connection profile based on the internal wizard states that it does not support 2FA, the clients created throught the wizard for different OS work fine without 2FA. IPSec…

The wizard creates an IKE V2 IPSec VPN. The 2FA comes to action in IKE_AUTH Phase1 Step2: first username + pwd /credentials, then OTP via Google Auth The server=firewall is set to use 2FA The IPSec user is set to use 2FA, on the server=firewall. The wizard creates a configuration which uses the IPSec user without the 2FA,…

There are several misunderstandings, I think :) from your answer. I set 2FA for VPNUser1, and for ALL IPSec connections on the firewall itself. These settings are on the firewall, that means they are on the server side as you write as well. And no configurations should go around these settings, I agree. The IPSec client…

Mistery solved, when using the wizard- at the end it states in small text that the non-secuExtender clients do not support 2FA, split tunnel, and max. bandwidth. Nevertheless- when 2FA is activated on the firewall for the VPN's, that does not make sense that some configurations can go around that.

the zyxel's own IPSec client which you mentioned is EOL per end of 2024 as I see.

Yes, 2FA active in all places where ever VPN is mentioned, or the VPNuser names or groups.

I just re-checked and tested. On the firewall, I activated 2FA for VPNuser1. On the VPN Gateway, the 2FA is activated. That means that from now on, any VPN tunnel should ask for 2FA for the user profiles used. Going on my smartphone, I can reconnect using the existing IPSec configuration which was created with the user…

That is exactly what I use, IPSec VPN. I created 2 different users only for this purpose of testing this case. 2. no split tunneling needed. 3. I use the zyxel wizard to create the configurations for Android, IOS, Windows. 4. I test the clients and connections, everything works fine on each platform. 5. I activate the 2FA…

'Automatic' was eventually not the proper term, I deleted it from the previous comment. Everything works fine, obviously- both cases. Ticking the 2FA box for dedicated VPN profile users or leaving it unmarked does not make a difference. I don't know whether this behaviour is wanted or not or it is called 'automatic login'…

There is another topic with the similar complaint, on another device- therefore it may be a more general problem on at least two model series. Here you go: USG20W-VPN, latest firmware release.

The configuration of the IPSec VPN was done as following on a USG20W-VPN, under several firmware versions- the results are consistently the same: using the wizard in Express Mode, then downloading the .sswan file for Android, the ios client fiel for Apple, and the Windows client file. The VPN users are separately created,…

Hi, USG20W-VPN.

Time travellers? CVE-2024-11667: Key Details and Mitigation Published: November, 2025

That explained how the firewall works and which rules are used when, all good.