Home » Categories » Kerio Control » VPN
Icon Printer Icon Email      Icon Twitter Icon Digg Icon Stumbleupon Icon de.icio.us Icon FaceBook

Configuring Kerio VPN tunnel

Kerio VPN overview

Kerio Control supports VPN (Virtual Private Network). Kerio Control includes a proprietary implementation called Kerio VPN. You can use Kerio VPN as:

  • Kerio VPN tunnel to connect LANs

  • Kerio VPN server to connect clients (for example, desktops, notebooks, mobile devices, and so on)

Configuring the Kerio VPN tunnel

  1. In the administration interface, go to Interfaces.

  2. Click Add → VPN Tunnel.

  3. Type a name for the new tunnel.

    Each VPN tunnel must have a unique name. This name is used in the table of interfaces, in traffic rules and interface statistics.

  4. Set the tunnel as:

    • Active to connect to a remote endpoint. Type the hostname of the remote VPN server. Specify also the port number if it differs from 4090 (for example, server.company.com:4100).

    • Passive if the local end of the tunnel has a fixed IP address and accept only incoming connections.

  5. As Type, select Kerio VPN.

  6. On the Authentication tab, specify the fingerprint for the local and remote VPN server certificates.

    If the local endpoint is in the active mode, the certificate of the remote endpoint and its fingerprint can be downloaded by clicking Detect remote certificate.

    In the configuration at the remote server, specify the fingerprint of this local server.

  7. Save your settings.

All local networks at each location must have unique IP subnets. Before connecting two sites using VPN Tunnel, make sure that their local network ranges are not the same, otherwise the routing does not work.

Configuring routing

By default, routes to all local subnets at the VPN server are defined. You can also specified other routes:

  1. In the administration interface, go to Interfaces.

  2. Double-click a VPN tunnel.

  3. On the Remote Networks tab, select Use custom routes.

    If Use routes provided automatically by the remote endpoint is also selected, custom routes are used instead in case of a collision.

  4. Click Add.

  5. In the Add Route dialog box, define a network, mask and description.

  6. Save your settings.

Configuring VPN failover

If Kerio Control uses load balancing between multiple Internet links, it is possible to use VPN failover.

VPN failover ensures that a VPN tunnel is re-established automatically in case the primary link used for VPN tunnelling becomes unavailable.

To configure failover, input all remote endpoints (by hostname or IP address), separated by semicolons, into the VPN tunnel properties (see the image below).

When attempting to establish the tunnel, Kerio Control will cycle through the list of the endpoints in the same order that they are listed in the VPN Tunnel Properties.


Examples of Kerio VPN tunnel configuration

Example 1 - Company with one branch office

This example describes how to connect two company local networks using the Kerio VPN tunnel.

In this example:

  • The headquarters office (the default gateway) uses the public IP address with newyork.company.com as the DNS name

    The branch office server uses a dynamic IP address assigned by DHCP

  • The headquarters has two subnets, LAN1 and LAN2 with company.com as the DNS name

    The branch office network has a single subnet, LAN, and uses branch.company.com as the DNS name

The traffic between both networks and VPN clients follows these rules:

  • VPN clients can connect to LAN1 and the branch office network (LAN)

  • Users cannot connect to VPN clients from any network

  • From the branch office, users can connect only to the LAN1 network, and only the WWW, FTP, and Microsoft SQL services are available

  • There are no restrictions for connections from the headquarters office to the branch office


You must configure the following settings:

  1. In the headquarters Kerio Control administration, define the VPN tunnel.

    The active endpoint is at the branch office (dynamic IP address).

    The passive endpoint is at the headquarters server (public IP address).

  2. Verify the tunnel is created.

    If not, refer to the Error log, check the certificate fingerprints, and the availability of the remote server.

  3. In traffic rules, allow traffic between the local network, remote network, and VPN clients.

  4. Set traffic restrictions at the headquarter's server.

    On the branch office server, only traffic between the local network and the VPN tunnel is enabled.

  5. Test the connection from each local network. Test availability both through the IP addresses and DNS names.

    Use the ping and tracert (traceroute) system commands.

    If the test through IP address does not respond, check the traffic rule configuration and verify that the subnets do not collide.

    If IP address test is OK and the DNS test fails (Unknown host), check the DNS configuration.

Attachments (1) Attachments

comments powered by Disqus