This article provides a clear, step-by-step guide on configuring an IKEv2 Remote Access VPN with two-factor authentication on Zyxel H-Series devices. You will learn how to set up secure user authentication, integrate Google Authenticator for 2FA, and configure the necessary VPN, IP, and tunnel settings to ensure reliable and protected remote access for your network.
🔹 Note: On Zyxel H-Series devices running uOS, the 2FA authorization process is performed after the VPN tunnel is established. The authentication page is accessed through the VPN tunnel, not directly from the WAN interface.
Google Authenticator is considered one of the most reliable methods for 2FA because it:
• Produces a unique verification code every 30 seconds, minimizing the risk of reuse or compromise.
• Works without internet connectivity, ensuring access in offline environments.
• Is free, lightweight, and easy to deploy across multiple platforms.
By following this guide, administrators will learn how to:
• Enable and configure 2FA on Zyxel H-Series gateways.
• Pair VPN user accounts with Google Authenticator.
• Implement secure login for Remote Access VPN (IKEv2) and SSL VPN connections.
The combination of VPN encryption and TOTP-based 2FA provides an enhanced layer of security, ensuring that only authenticated users can establish remote connections to the corporate network.
Note: All network IP addresses and subnet masks in this article are examples. Replace them with your actual network IP addresses and subnet masks.
- SecuExtender VPN Client: Version 7.7.50.008 or higher.
- Local User Account: 2FA is currently supported only for local users.
Enable Google Authenticator for a User
Go to User & Authentication > User/Group.
Select the required local user account.
Enable Two-Factor Authentication (2FA) and choose Google Authenticator.
Set Up Google Authenticator
Download and install Google Authenticator on your mobile device.
Open the Google Authenticator app and scan the QR code displayed in the Web GUI.
Enter the verification code generated by the app into Step 3 of the Web GUI.
Click Verify Code and Finish.
Configure Valid Time and VPN Service Types
Enable Two-Factor Authentication (2FA) for VPN access.
Configure the Valid Time, which defines the time limit for entering the 2FA code (default: 3 minutes).
Select the VPN service types that require 2FA, such as Remote Access VPN or SSL VPN.
After the VPN tunnel is established, users must enter the token code through the Web GUI to complete authentication.
Remote Access VPN (IKEv2)
Open the Remote Access VPN (IKEv2) tunnel using the SecuExtender VPN Client.
When prompted, enter the verification code generated by Google Authenticator or use a backup code.
Log in using your username, password, and token code to complete authentication.

SSL VPN
Open the SSL VPN tunnel using the SecuExtender VPN Client.
When prompted, enter the verification code generated by Google Authenticator or use a backup code.
Log in using your username, password, and token code to complete authentication.











