
Resolving "VPN Client: 2 step verification not performed"

Overview

When users connect with the IPsec or Kerio VPN client, the connection cannot be established. If two-step verification is enforced for those users, the login page URL times out in the browser.

2step_verification.png

Debug logs with the "Packets dropped for some reason" option enabled may show errors such as:

  {pktdrop} packet dropped: VPN Client: 2 step verification not performed.
  (from IPsec VPN client, proto:TCP, len:64, 1.1.1.1:55941 -> x.x.x.x:443, flags:[SYN], seq:2288240514 ack:0, win:65535, tcplen:0)
  {pktdrop} packet dropped: VPN Client: 2 step verification not performed.
  (from Kerio Control VPN Client <user>, proto:UDP, len:194, 1.2.2.6:51546 -> 192.168.16.3:389, udplen:166)
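The two-line "{pktdrop}" entries above are easy to miss in a busy debug log. The following Python script is an added example (not part of the article or of Kerio Control) that pairs each drop line with its "(from ..." detail line, keeps only the two-step verification drops, and reports which VPN clients and which destination services were affected, so an administrator can see at a glance which user needs the token configured. The sample log, the user name "jdoe" and the IP addresses are constructed for the example; the URL helper only mirrors the HTTPS/4081 and HTTP/4080 mapping the article gives.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional, Tuple

# Constructed sample of Kerio Control debug output (not a real capture); the
# layout follows the two-line "{pktdrop}" entries quoted in the article.
SAMPLE_LOG = """\
{pktdrop} packet dropped: VPN Client: 2 step verification not performed.
(from IPsec VPN client, proto:TCP, len:64, 198.51.100.7:55941 -> 192.0.2.1:443, flags:[SYN], seq:2288240514 ack:0, win:65535, tcplen:0)
{pktdrop} packet dropped: VPN Client: 2 step verification not performed.
(from Kerio Control VPN Client jdoe, proto:UDP, len:194, 10.10.10.6:51546 -> 192.168.16.3:389, udplen:166)
{pktdrop} packet dropped: VPN Client: 2 step verification not performed.
(from Kerio Control VPN Client jdoe, proto:TCP, len:60, 10.10.10.6:51547 -> 192.168.16.3:445, flags:[SYN], seq:1 ack:0, win:65535, tcplen:0)
{pktdrop} packet dropped: Traffic rule: Block all.
(from LAN, proto:TCP, len:60, 192.168.16.20:40000 -> 192.0.2.9:22, flags:[SYN], seq:5 ack:0, win:65535, tcplen:0)
"""

TWO_STEP_REASON = "VPN Client: 2 step verification not performed"
KERIO_CLIENT_PREFIX = "Kerio Control VPN Client "

# First line of an entry: "{pktdrop} packet dropped: <reason>."
DROP_RE = re.compile(r"^\{pktdrop\} packet dropped: (?P<reason>.+?)\.?$")
# Second line: "(from <source>, proto:<P>, len:<n>, <src> -> <dst>, ..."
DETAIL_RE = re.compile(
    r"^\(from (?P<source>[^,]+), proto:(?P<proto>\w+), len:(?P<length>\d+), "
    r"(?P<src>\S+) -> (?P<dst>[^\s,]+)"
)


@dataclass(frozen=True)
class Drop:
    reason: str
    source: str          # e.g. "IPsec VPN client"
    user: Optional[str]  # user name for Kerio VPN Client entries, else None
    proto: str
    src: str
    dst: str


def parse_drops(lines: Iterable[str]) -> Iterator[Drop]:
    """Pair each '{pktdrop}' line with the '(from ...' line that follows it."""
    pending: Optional[str] = None
    for raw in lines:
        line = raw.strip()
        m = DROP_RE.match(line)
        if m:
            pending = m.group("reason")
            continue
        d = DETAIL_RE.match(line)
        if d and pending is not None:
            source = d.group("source")
            user = source[len(KERIO_CLIENT_PREFIX):] if source.startswith(KERIO_CLIENT_PREFIX) else None
            yield Drop(pending, source, user, d.group("proto"), d.group("src"), d.group("dst"))
        pending = None  # a detail line (or anything else) closes the entry


def two_step_drops(lines: Iterable[str]) -> List[Drop]:
    """Only the drops caused by a missing or unconfigured 2-step token."""
    return [d for d in parse_drops(lines) if d.reason == TWO_STEP_REASON]


def summarize(drops: List[Drop]) -> Tuple[Counter, Counter]:
    """Count drops per client identity and per destination protocol/port."""
    by_client = Counter(d.user or d.source for d in drops)
    by_dest = Counter(f"{d.proto}/{d.dst.rsplit(':', 1)[1]}" for d in drops)
    return by_client, by_dest


def totp_verify_url(host: str, https: bool = True) -> str:
    """Verification page the article points to; HTTPS uses 4081, HTTP 4080."""
    scheme, port = ("https", 4081) if https else ("http", 4080)
    return f"{scheme}://{host}:{port}//nonauth/totpVerify.cs"


if __name__ == "__main__":
    drops = two_step_drops(SAMPLE_LOG.splitlines())
    by_client, by_dest = summarize(drops)
    print(f"{len(drops)} packets dropped for missing 2-step verification")
    for client, n in by_client.most_common():
        print(f"  {client}: {n} packet(s)")
    print("destinations:", dict(by_dest))
    print("complete verification at:", totp_verify_url("192.168.16.1"))
```

Point the script at the exported debug log (`two_step_drops(open(path))`) rather than the embedded sample; the "Traffic rule" entry in the sample shows that drops with other reasons are left out of the count.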

Solution

The VPN 2-step verification mechanism uses the <IP_address_or_FQDN>//nonauth/totpVerify.cs URL. Depending on the protocol used (HTTPS or HTTP), the login page redirects to port 4081 or 4080 respectively. The highlighted error is self-explanatory: the 2-step verification token was either not entered or not configured at all.

Also, if you enter the internal (LAN) IP address, the internal VPN server IP is picked up automatically and the DNS configuration is skipped.

If you face redirection issues on desktop (Kerio VPN client) or mobile devices (IPsec L2TP client), you can work around them as follows:

  1. Disable 2-step verification for the affected user(s): in the Users section, right-click the user -> Disable 2-step verification.
    disable_2step_user.png
  2. Connect with the VPN client (desktop Kerio VPN client or IPsec VPN).
  3. Once connected, open a browser and navigate to https://<YOUR-KERIO-LOCAL-INTERFACE-IP>:4081//login
  4. Log in with the user's credentials, then enable and configure 2-step verification. The user statistics page should show the "2-step verification is active for your account" message.
    2fa_active.png
  5. Open https://<YOUR-KERIO-LOCAL-INTERFACE-IP>:4081//nonauth/totpverify.cs and authenticate. The "You are now connected" screen is displayed.
    now_connected.png

Important considerations

The "Force hostname for VPN clients" option and custom reverse proxy settings may affect the 2-step verification behavior.

By default, Force hostname is disabled:

force_hostname.png

Preconfigured default reverse proxy rule:

reverse_proxy_settings.png

Priyanka Bhotika