
Configuring Kerio VPN Client

Kerio VPN Client overview

Kerio VPN Client is an application which enables connection from individual hosts (clients) to a remote private network via the Internet using an encrypted channel. These clients can access the private networks as if they were connected to them physically.

Kerio VPN Client exists in three variants:

  • Kerio VPN Client for Windows

  • Kerio VPN Client for Mac

  • Kerio VPN Client for Linux (read more in the readme file)

Kerio VPN Client is connected to the VPN server in Kerio Control. Kerio Control user accounts are used for authentication of clients.

Configuration is saved in the home folder of the user currently using the Kerio VPN Client. Each user of a host where Kerio VPN Client is installed can use a personal VPN connection.

Users with administrator rights can also establish so-called persistent connections. Such connections are automatically restored after each workstation reboot.

System requirements

For up-to-date system requirements, please refer to:

http://www.kerio.com/control/technical-specifications

 

Licensing Policy

The Kerio VPN Client does not require any special license.

However, connected VPN clients are included in the total count of users (computers) during license checks in Kerio Control. This means that the minimum number of licensed Kerio Control users needed for a particular server is the sum of the hosts in the LAN and the number of VPN clients connected to the server at any one time.

Connecting to Kerio VPN Server

  1. First, configure the Kerio VPN server in Kerio Control.

  2. Install Kerio VPN Client on users' computers.

    Kerio VPN Client is started automatically upon user logon.

  3. Tell your users the login details:

    • username and password for login to Kerio Control

    • Kerio Control hostname (or IP address)

  4. Check Persistent connection if your users have administrator rights for the client host.

    In persistent mode, once a user establishes a VPN connection, the connection is kept persistently. This feature enables, for example, connecting the user to a domain in the remote private network.

Windows: If Kerio VPN Client is running, an icon displaying its current status is available in the notification area of the Windows taskbar (Systray).

Mac: If Kerio VPN Client is running, a status icon is displayed on the right side of the main menu bar.

Multiple endpoints can be defined to configure VPN failover in case the Kerio Control VPN server is load balancing with multiple Internet links. To separate entries, use a semicolon (for example, primary.feelmorelaw.com;secondary.feelmorelaw.com).

Configuring Kerio VPN Client (for Windows only)

You can configure:

  • localization (language) of Kerio VPN Client

  • balloon messages settings

  1. In the notification area of the Windows taskbar (Systray), go to Kerio VPN Client context menu.

  2. Click Settings.

When a language is changed, the user interface is switched to the language version immediately.

Enable balloon messages enables/disables informative balloon messages at the Kerio VPN Client icon located in the system notification area. These messages are optional and depend on user preferences.

Verification of the VPN server's SSL Certificate on Windows

Whenever a connection is being established, Kerio VPN Client performs verification of the VPN server's SSL certificate. If any certificate-related problems are detected, a warning appears inquiring whether the user finds the VPN server trustworthy and whether the connection to the server should be allowed.

If Yes is clicked, Kerio VPN Client considers the VPN server as trustworthy. The certificate is saved and no warning is displayed upon subsequent connections to the server.

Common certificate-related problems and their solutions

Certificate-related problems are often caused by one of the following issues:

The certificate was issued by an untrustworthy authority

Kerio VPN Client verifies whether a certificate was issued by an authority included in the list of trustworthy certificate publishers stored in the operating system (the Certificates section of the Content tab under Control Panel / Internet Options). Once a certificate is imported, any certificates issued by the same authority will be accepted automatically (unless any problem is detected).

The name referred to in the certificate does not match the server's name

The server name specified in the certificate does not correspond to the name of the server that Kerio VPN Client is connecting to. This problem might occur when the server uses an invalid certificate or when the server name has changed. However, it may also point to an intrusion attempt (a false DNS record with an invalid IP address is used).

Note: Certificates can be issued only for servers' DNS names, not for IP addresses.

Date of the certificate is not valid

For security reasons, validity of SSL certificates is limited by time. If an invalid date is reported, it means that the certificate's validity has already expired and it is necessary to update it. Contact the VPN server's administrator.

The security certificate has changed since the last check

When a user accepts a connection to a VPN server, Kerio VPN Client saves the server's certificate as trustworthy. For any later connection, Kerio VPN Client compares the server's certificate with the saved one. If the certificates do not correspond, the certificate may have been changed at the server (e.g. because the original certificate expired). However, this might also point to an intrusion attempt (another server using a different certificate).
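The name, date and changed-certificate checks described above can be sketched as follows. This is an added example, not Kerio VPN Client code: the function names, the saved-fingerprint store (a plain dict) and the sample certificate fields and bytes are assumptions constructed for illustration, and issuer trust is left to the operating system's certificate store.

```python
import hashlib
import ssl

# Constructed sample: decoded fields shaped like ssl.SSLSocket.getpeercert(),
# plus placeholder byte strings standing in for DER-encoded certificates.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "vpn.example.com"),),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2025 GMT",
}
SAVED_DER = b"constructed placeholder: certificate accepted earlier"
OTHER_DER = b"constructed placeholder: different certificate"
NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2024 GMT")  # constructed clock

def fingerprint(der: bytes) -> str:
    """SHA-256 over the raw certificate bytes, used as the saved value."""
    return hashlib.sha256(der).hexdigest()

def name_matches(cert: dict, host: str) -> bool:
    """Compare the requested host with the certificate's DNS names."""
    host = host.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        # A leading "*." stands for exactly one left-most label.
        if (pattern.startswith("*.") and len(pattern) > 2
                and host.partition(".")[2] == pattern[2:]):
            return True
    return False

def check_server_cert(cert, der, host, saved, now):
    """Return the problems found; an empty list means no warning is needed."""
    problems = []
    if not name_matches(cert, host):
        problems.append("name mismatch")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        problems.append("date not valid")
    # Hypothetical store: host -> fingerprint saved when the user clicked Yes.
    if host in saved and saved[host] != fingerprint(der):
        problems.append("changed since last check")
    return problems

if __name__ == "__main__":
    saved = {"vpn.example.com": fingerprint(SAVED_DER)}
    print(check_server_cert(SAMPLE_CERT, OTHER_DER, "vpn.example.com", saved, NOW))
```

A changed fingerprint together with a valid name and date is consistent with a routine certificate renewal, but it should be confirmed with the VPN server's administrator before the new certificate is accepted.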

Verification of the VPN server's SSL Certificate on Mac

Whenever a connection is being established, Kerio VPN Client performs verification of the VPN server's SSL certificate. If any certificate-related problems are detected, a warning appears inquiring whether the user finds the VPN server trustworthy and whether the connection to the server should be allowed.

A dialog informing about detected problems with the VPN server's certificate

Click on the Details option to get detailed information about the VPN server's certificate (issuer, server for which it was issued, expiration date, etc.). If it is a certificate for Kerio Control, check Always trust and click Continue. The certificate will be saved in the system Keychain and from now on, no warning will be displayed.

Note: On Mac OS X 10.5 Leopard and higher, it is not allowed to set a self-signed certificate as always trusted. To work around this restriction and set the certificate as always trusted anyway, it is necessary to insert the certificate in the keychain manually.

Setting a certificate as always trusted

Because it is not possible to set a self-signed certificate as always trusted directly, insert it in the keychain manually:

  1. In the window warning you that the certificate is not trustworthy (see figure A dialog informing about detected problems with the VPN server's certificate), click on the certificate image and drag it to the desktop. This creates a file with the certificate on the desktop (e.g. server.company.com.cer).

    The Keychain Access application must NOT be running at the moment. If it is running, close it.

  2. Clicking on the certificate file on the desktop runs the Keychain Access application and displays a dialog asking which keychain the certificate should be saved in.

    Saving certificates in keychain

  3. Select the X509Anchors keychain. This keychain contains certificates that are allowed to sign other certificates (these are typically certificates of certification authorities).

    To add a certificate successfully, authentication with an administrator account is required.

  4. In the Keychain Access application, select the X509Anchors keychain, look up the new certificate (e.g. server.company.com) and click on it to open it.

  5. In the certificate window, scroll to the bottom, open the Trust Settings section and set the Always Trust option for the When using this certificate entry.

    Certificate properties — setting a certificate as trusted

  6. Close all running applications and log out of the system.

  7. Reboot the system and try to establish a VPN connection to the particular server. From now on, no untrustworthy certificate warning should display.

Troubleshooting

The Kerio VPN Client generates logs including information about its own activity and detected errors. The system service and the application's user interface work separately. Therefore, separate logs are generated for each of these components. Log files can be used for troubleshooting while communicating with the Kerio Technologies technical support department (especially the system service logs are critical and can be extremely helpful).

The system service logs

Logs of the Kerio VPN Client Service can be found in the logs subfolder of the folder where the Kerio VPN Client is installed. The following path is used by default:

Windows: C:\Program Files\Kerio\VPN Client\logs

Mac: /usr/local/kerio/vpnclient/logs

Linux: /var/lib/kerio-control-vpn/logs

 

Two log files are available here:

  • error.log — critical errors, such as information that the Kerio VPN Client Service failed to start, that the VPN server is not available, that user authentication failed, etc.

  • debug.log — detailed information on activities of the system service and detected errors.

 

The user interface logs

Logs of the user interface on Windows are stored in the corresponding folder of the user account of the user working with Kerio VPN Client. By default, the following path is used:

Application Data\Kerio\VPNClient\logs

Logs of the user interface on Mac are stored in the corresponding hidden subfolder of the home folder of the user working with the Kerio VPN Client, namely:

~/.kerio/vpnclient/logs

 

As with the system service, two log files are available:

  • error.log — critical errors, such as information that it is not possible to establish connection to Kerio VPN Client Service.

  • debug.log — detailed information on activities of the application and detected errors.

 

