ZyXEL Communications ZyWALL USG Series Application Note page 148

Access a server or other network resource behind the ZyWALL to make sure your access works.
19
3.6.6 What Can Go Wrong
The IPSec VPN connection must:
• Be enabled
• Use transport mode
• Not be a manual key VPN connection
• Use Pre-Shared Key authentication
• Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN
clients to connect from more than one IP address.
Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings. The remote users
must make any needed matching configuration changes and re-establish the sessions using the new
settings.
3.7 One-Time Password Version 2 (OTPv2)
Two-factor authentication requires a user to provide two kinds of identification. Purchase the ZyWALL
OTPv2 One-Time Password System for strong two-factor authentication for Web Configurator, Web
access, SSL VPN, and ZyXEL IPSec VPN client user logins. For each login a user must use his ZyWALL
OTPv2 token to generate a new OTP password and use it along with his normal account user name and
password (the second kind of identification). An attacker cannot re-use an OTP password that was
already used for login because it is no longer valid. The system contains SafeWord 2008
authentication server software, hardware OTPv2 tokens, and software OTPv2 tokens for Windows
computers and Android and iOS mobile devices.
Figure 35 OTPv2 Example (diagram labels: SafeWord 2008 Authentication Server, OTP, PIN)
