
How to configure Sophos IPsec client with 2FA (using Google Authenticator)?

I can establish an IPsec VPN connection but would like to incorporate 2FA (hoping to use Google Authenticator).

This link indicates it's possible: https://blogs.sophos.com/2014/02/21/whats-coming-in-sophos-utm-accelerated-9-2-4-safer-two-factor-authentication/

Please advise.

Thank you!

-Roque



This thread was automatically locked due to age.
  • That's indeed possible. You can set it up at Definitions & Users -> Authentication services -> One-time passwords.

    Tick the checkbox for IPSec Remote access and define users that need to use 2FA


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Thank you!

     

    How about documentation on How to Setup the IPsec Client? 

    Thanks again!

  • Disregard, I found the documentation on the Download page.

     

    Thank you again!

  • I take it back.

    The instructions from the Download page were for a very specific connection.

    I'm looking for instructions on how to integrate the Google Authenticator.

     

    Thank you!

  • Is your problem in setting up the IPSec remote access connection or the 2FA (or both)?


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • In some cases, Sophos refers to 2FA as OTP (one-time passwords).  Do a Google search for "Sophos OTP"

     

    I believe this is a great article on their support site about what you're looking for:

    https://community.sophos.com/kb/en-us/120324

     

    Cheers

    -------------------------------

    Interesting [in-ter-uh-sting, -truh-sting, -tuh-res-ting]

    A word typically used by IT technicians to describe an issue they didn't expect, or never encountered, and don't know how to fix.

  • The documentation on How to Configure the IPsec Client for OTP/2FA is what I'm searching for.  All I've found is, "Yes it can be done".

  • Maybe I'm misunderstanding.  But the link I sent you shows you how to set up one-time passwords.  While setting up one-time passwords, you MUST check off which service (facility) you want to use the one-time password with.  One of the services is "IPsec Remote Access".  With that checked, you don't need to do anything else.  When this is configured, that user then connects using the IPsec client.  For their password, they enter whatever password is assigned to them (local, AD, etc.) followed by the 6 digits from Google Authenticator.  That's it.  It's not complicated at all.

    The key for you is to ensure when you are setting up OTP (as outlined in the linked document I posted), you put a checkmark saying you want this to be used with "IP Remote Access".  That is all you have to do.

    Unless I am misunderstanding what you are trying to do......

    -------------------------------

    Interesting [in-ter-uh-sting, -truh-sting, -tuh-res-ting]

    A word typically used by IT technicians to describe an issue they didn't expect, or never encountered, and don't know how to fix.
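    The credential format described in the post above (the user's normal password immediately followed by the six-digit code) can be illustrated with a small server-side check. This is an added example, not code from the thread or from Sophos; it implements RFC 4226 HOTP and RFC 6238 TOTP in plain Python, splits the entered string into password and code the way the post describes, and accepts the code within a one-step clock-drift window. The secret, stored password and timestamps are constructed test values (the secret is the RFC 6238 test key).

```python
import base64
import hashlib
import hmac
import struct

DIGITS = 6      # Google Authenticator-style six-digit codes
STEP = 30       # RFC 6238 default time step in seconds


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 seed an authenticator app is typically provisioned with."""
    padded = encoded.strip().upper() + "=" * (-len(encoded.strip()) % 8)
    return base64.b32decode(padded)


def split_credential(entered: str, digits: int = DIGITS):
    """Split 'password + 6 digits' as the thread describes; None if the tail is not a code."""
    if len(entered) <= digits or not entered[-digits:].isdigit():
        return None
    return entered[:-digits], entered[-digits:]


def verify_login(entered: str, stored_password: str, secret: bytes,
                 unix_time: int, skew_steps: int = 1) -> bool:
    """Accept only if the password matches AND the code is valid for the current
    time step or its immediate neighbours (tolerates small clock drift)."""
    parts = split_credential(entered)
    if parts is None:
        return False
    password, code = parts
    # Constant-time comparison; a real deployment compares a password hash instead.
    if not hmac.compare_digest(password.encode(), stored_password.encode()):
        return False
    counter = unix_time // STEP
    return any(hmac.compare_digest(hotp(secret, counter + delta), code)
               for delta in range(-skew_steps, skew_steps + 1))


# Constructed sample values: RFC 6238 test seed and a made-up password.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_PASSWORD = "Passw0rd!"

if __name__ == "__main__":
    now = 59  # RFC 6238 test time; code for this step is 287082
    print("code now:", totp(SAMPLE_SECRET, now))
    print("password only accepted?", verify_login(SAMPLE_PASSWORD, SAMPLE_PASSWORD, SAMPLE_SECRET, now))
    print("password+code accepted?", verify_login(SAMPLE_PASSWORD + totp(SAMPLE_SECRET, now),
                                                  SAMPLE_PASSWORD, SAMPLE_SECRET, now))
```

    The check mirrors what the thread says should happen once "IPsec Remote Access" is ticked under One-time passwords: a bare password is rejected, and only password plus a current code is accepted. The drift window is deliberately narrow; widening it lets stale codes live longer.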

  • Thank you for your assistance.

    I feel like I may not be giving you all the details:

    1.) UTM was initially setup with OTP using the Sophos SSL VPN Client (also with active directory authentication).  SSL VPN remote access with OTP is active and operational.

    2.) Next, the Sophos IPsec Client was setup without OTP.  Profile and certificate were downloaded from the UTM.  After entering the PIN, the IPsec Client is fully operational.

    3.) Now, OTP is implemented per the instructions you provided, BUT OTP is not working. After the PIN is entered, the connection is established.  I do not get prompted for the Google Authenticator passcode.

     

    Should I remove the IPsec client and start from scratch?

    Thanks again!

  • Did you put a checkmark to enable OTP on IPSec remote access as was explained in earlier posts:

    While setting up one-time passwords, you MUST check off which service (facility) you want to use the one-time password with.  One of the services is "IPsec Remote Access".

     

    If this has been checked, you shouldn't get access without the 6 digit-code added to the usual password.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Hi,

    you are right.

    But please regard that Google Authenticator is not following RFCs. So if you encounter problems, please re-try SOPHOS Authenticator to ensure that problem is not caused by Google Authenticator.

    Greetings

    Holger