2FA-Token (OTP) for IPSec-RemoteAccess without SophosConnect Client

I would highly recommend to overthink this principle of giving somebody VPN access, which is not part of your company. One of many security issues to begin with.

But in theory, this works. You can use other IPsec /SSLVPN clients with the firewall, as the protocols are standard. 

I know - but for the moment it is mandatory. We have many other security things active to secure these access (manual enabling of vpn from an administrator, policys rules only for specific destination clients, internal firewalls, internal authentication and so one).

OTP with other vpn clients works? You tested it? For me 2FA only works with Sophos Connect Client.

You need to add the password + OTP in the password set. 

So username // password123456 (OTP=123456). This should work with every VPN vendor. Because OpenVPN, Ipsec works the same way in this regards. 

Thanks!

I can´t connect to RemoteAccess via NCP Secure Entry Client -> "Authentication_Failed".

When i look into XG-logs i see the following fault: Received IKE message with invalid SPI (95AB8F6F) from the remote gateway.

I rechecked DH-group, ike-lifetime, ipsec-lifetime and psk. X-AUTH user credentials with OTP is also correct (the NCP get the correct IP-adress for the xg-user in log).

Maybe i need to set an local-id in ncp?

I cannot comment on NCP. You can check the access_server.log for more information about the authentication.