valerio_vanni  Ally Member

You should clean browser cache.

Go to configuration →Object → Auth method → Two-Factor Authentication - VPN Access Two-factor Authentication for Services: SSL - IPSec - L2TP Make sure that the entries you use are selected here. Just below, you find users/groups, and below "Deliver Authorize Link Method"

Basically, any IPSec connection can circumvent 2FA then? It shouldn't. IPSec GW on FW is set for 2FA OK IPSec user on FW is set for 2FA OK Leave alone, for the moment, wizards. Is 2FA enabled also in 2FA main page for "ipsec vpn"? If this is true, no client configuration should be able to skip 2FA. Tunnel should not let…

I never used wizards, always set up vpn by hand, so I cannot read that small text. But the way you are saying, it's false. Every client support 2FA, it's set server side. Those client don't support automatic 2FA popup. It's not the same. When 2FA is set server side, no configuration can go around it. Tunnel goes up, but…

Try to ask Zyxel support for get 2FA working. But when it will work, you still won't get the popup. Latest versions are not EOL, but they're more expensive than some year ago. Once license was perpetual, now it's by subscription.

That is exactly what I use, IPSec VPN. This is VPN type, but if your clients (Android, iOS, Windows) don't support 2FA popup, that popup will not appear. I talked about Zyxel IPsec VPN client, a client from Zyxel: it supports automatic popup. When I use, on Windows, Shrew Soft client, I open the tunnel and then in a…

Automatic popup is possible only with ipsec vpn client from Zyxel. But, with missing popup, the vpn should not work. Connected but without traffic flowing. If in your case you say traffic flows, so 2FA is not active. Is the setting active in all places? -On user -On 2FA main page, for the type of VPN -On specific tunnel…

Automatic logging in… ok, but then traffic is flowing or not?

With IKEv2 it should work. You have to set http://LanIP:PORT in phase2 settings (script "When this tunnel is opened").

What type of vpn? SSL, L2TP, Ipsec Only the latest can have automatic popup

USG 310 has static address, public (without NAT)? USG20W is under CGNAT? This way it should work.

2: is not true at all, you can have private classes on WAN interfaces 1: by default LAN to WAN is set to NAT, but you could also disable it So you have some network that you reach by WAN1 and WAN2 and others by LAN? Or in WAN1 and WAN2 interfaces there is no connection?

You can create, on desktop, a link to http(s)://LANIP:PORT

Why do you use these two routers on LAN side, instead of WAN1 and WAN2?

Now I'm not going to buy anything, but thank you for this.