In this article, we will show how to configure 2FA (Two-Factor Authentication) with an IPSec VPN on the USG FLEX / ATP / VPN Series. The article also shows how to configure the firewall (VPN Gateway, VPN Connection).
Table of Contents
1) Configure 2FA on the Firewall
1.1 Create a VPN Gateway profile
1.2 Create a VPN Connection profile
1.3 Create a new user for X-Auth
1.4 Add new users to Two-factor Authentication
1.5 Setup a Mail server
1.6 Create a Security Policy (Firewall rule)
1.7 Create an IKEv1 Gateway in IPSec VPN Client
1.8 Create a VPN Connection
2) Check the results
1) Configure 2FA on the Firewall
1.1 Create a VPN Gateway profile
VPN => IPSec VPN => VPN Gateway
Choose Aggressive negotiation mode.
1.2 Create a VPN Connection profile
VPN => IPSec VPN => VPN Connection
1.3 Create a new user for X-Auth
Object => User/Group
1.4 Add new users to Two-factor Authentication
Object => Auth. Method => Two-factor Authentication
Tick IPsec VPN Access, select the user, and tick the corresponding delivery method (Email in my example).
1.5 Setup a Mail server
System => Notification
1.6 Create a Security Policy (Firewall rule)
Create a security policy rule that allows traffic from WAN to ZyWALL on port 8008, and make sure the IKE, NAT-T, and ESP protocols are also allowed in the same direction:
Security Policy => Policy Control
1.7 Create an IKEv1 Gateway in IPSec VPN Client
Enable X-Auth:
Also, in the protocol section, tick both options: Mode Config and Aggressive Mode.
Identity is optional.
1.8 Create a VPN Connection
The VPN Client address must be in read mode.
For the Remote LAN address, add the address set in the Local Policy on the VPN server.
2) Check the results
In the end, the log should look like this: