Comments
-
I did some tests and it doesn't seem to work. The FortiClient interface has all fields with coherent values, but client side it says "no response from the peer" and server side 5 IKE messages are recorded (only "INFO" ones, no warnings or errors): 2025-01-21 16:21:30 info IKE Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key…
-
You can find Phase 1 & 2 parameters under settings → VPN → IPsec VPN.
-
How did you get that screenshot?
-
The same issue is present on previous (non H) versions; it works only for physical disconnection of the ethernet port. If port goes down, email is sent. If port goes up, email is sent. If port stays up but connectivity fails, email is sent. If connectivity comes back, nothing is sent.
-
You should clean browser cache.
-
Go to Configuration → Object → Auth method → Two-Factor Authentication - VPN Access. Two-factor Authentication for Services: SSL - IPSec - L2TP. Make sure that the entries you use are selected here. Just below, you find users/groups, and below that "Deliver Authorize Link Method".
-
Basically, any IPSec connection can circumvent 2FA then? It shouldn't. IPSec GW on FW is set for 2FA: OK. IPSec user on FW is set for 2FA: OK. Leave the wizards alone for the moment. Is 2FA also enabled on the 2FA main page for "ipsec vpn"? If this is true, no client configuration should be able to skip 2FA. Tunnel should not let…
-
I never used wizards, always set up VPN by hand, so I cannot read that small text. But the way you are saying it, it's false. Every client supports 2FA; it's set server side. Those clients don't support the automatic 2FA popup. It's not the same. When 2FA is set server side, no configuration can go around it. Tunnel goes up, but…
-
Try asking Zyxel support to get 2FA working. But when it works, you still won't get the popup. The latest versions are not EOL, but they're more expensive than some years ago. Once the license was perpetual; now it's by subscription.
-
That is exactly what I use, IPSec VPN. This is the VPN type, but if your clients (Android, iOS, Windows) don't support the 2FA popup, that popup will not appear. I talked about the Zyxel IPsec VPN client, a client from Zyxel: it supports the automatic popup. When I use, on Windows, the Shrew Soft client, I open the tunnel and then in a…
-
Automatic popup is possible only with the IPsec VPN client from Zyxel. But, with the popup missing, the VPN should not work: connected but without traffic flowing. If in your case you say traffic flows, then 2FA is not active. Is the setting active in all places?
- On user
- On 2FA main page, for the type of VPN
- On specific tunnel…
-
Automatic logging in… ok, but then traffic is flowing or not?
-
With IKEv2 it should work. You have to set http://LanIP:PORT in phase2 settings (script "When this tunnel is opened").
-
What type of VPN? SSL, L2TP, IPsec? Only the latest can have automatic popup.
-
USG 310 has static address, public (without NAT)? USG20W is under CGNAT? This way it should work.