
Kerio Control not Responding during IKE Rekey with External Firewall

Overview

When IKE rekeying takes place between Kerio Control (initiator) and an external firewall (responder), the VPN tunnel connection goes down for some time every few hours. Users connected to the VPN are disconnected and have to reauthenticate.

 

Solution

Below are the steps to resolve this issue with the VPN IPSec tunnel:

  1. SSH into Kerio Control.
  2. Enter the command below, replacing tunnel-name with the name of your tunnel:
    /opt/kerio/winroute/tinydbclient "update VpnTunnels_v2 set CustomOptions={'rekey=\"no\"','reauth=\"no\"','ikelifetime=\"3\"','lifetime=\"1\"'} where name='tunnel-name'"

This command disables reauthentication, disables rekey, and increases the lifetime values for the tunnel. These values can be adjusted for your environment. Make sure the same settings are configured on the external firewall device as well.

IMPORTANT: If the tunnel name contains any of the following characters, they should be escaped in the command: Period (.), Asterisk (*), Plus (+), Question Mark (?), Caret (^), Dollar Sign ($), Parentheses (( and )), Brackets ([ and ]), Braces ({ and }), Pipe (|), Backslash (\), Slash (/), Quote ('), Double Quotes (").

For example: a tunnel named "VPN (external)" should be rewritten as "VPN \(external\)" when the command is run.

  3. Reboot Kerio Control using the reboot command.

These changes persist across reboots of the Kerio Control device.
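
The escaping rule from step 2, as an added shell helper (an example written for this article, not Kerio's own tooling). The function names `escape_tunnel_name` and `build_update_statement` are hypothetical, and the helper assumes that every listed character takes a single backslash, as in the "VPN \(external\)" example, and that those backslashes are meant for tinydbclient rather than for the shell.

```shell
#!/bin/sh
# Added example: escape a tunnel name per the IMPORTANT note in step 2 and
# build the update statement from the article with the escaped name filled in.

# Prefix each character from the article's list with a backslash.
escape_tunnel_name() {
    rest=$1
    out=
    while [ -n "$rest" ]; do
        tail=${rest#?}            # everything after the first character
        ch=${rest%"$tail"}        # the first character itself
        case "$ch" in
            '.'|'*'|'+'|'?'|'^'|'$'|'('|')'|'['|']'|'{'|'}'|'|'|'\'|'/'|"'"|'"')
                out="$out\\$ch" ;;
            *)
                out="$out$ch" ;;
        esac
        rest=$tail
    done
    printf '%s\n' "$out"
}

# Print the statement from step 2 for the given tunnel name.
# The CustomOptions values are the ones shown in the article.
build_update_statement() {
    if [ -z "$1" ]; then
        echo "tunnel name must not be empty" >&2
        return 1
    fi
    name=$(escape_tunnel_name "$1")
    printf '%s\n' "update VpnTunnels_v2 set CustomOptions={'rekey=\"no\"','reauth=\"no\"','ikelifetime=\"3\"','lifetime=\"1\"'} where name='$name'"
}

# Review the statement before running it (constructed sample name):
#   build_update_statement 'VPN (external)'
# Then pass it to the client as a single argument:
#   /opt/kerio/winroute/tinydbclient "$(build_update_statement 'VPN (external)')"
```

Passing the statement as one quoted argument keeps the shell from reinterpreting characters such as `$` or `"` in the tunnel name.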

 

Testing

The IPSec VPN tunnel stays connected for users and no disconnection issues are seen.

In case the issue persists, open a support ticket with us with the below information:

  • Provide the Support information file from the Kerio Control web interface from Status > System Health > Support information.
  • Debug logs with the IPSec options Charon output, General, L2TPD output, and PPPD output enabled.
  • Error, Warning, and Security logs.
  • Any information and logs from the external firewall.

 

  1. Priyanka Bhotika
