Establishing IPSec VPN tunnel with another firewall

Overview

You can create a secure tunnel between two LANs that are each protected by a firewall (a site-to-site VPN tunnel). This article describes creating an IPsec VPN tunnel between Kerio Control and another device, such as Fortinet, Cisco, Mikrotik, Sophos or Azure VPN. With the default settings, both endpoints should be able to negotiate the tunnel automatically.

If a problem occurs and you have to set the values manually, consult the following tables for the default and supported values in Kerio Control. Some devices have specific requirements (for example, Azure VPN), so you may need to fine-tune each endpoint according to that requirement. The remote endpoint of the tunnel can also use the recommended values.

Important: NAT over a Site-to-Site IPsec VPN connection is not supported.

Solution

  1. Modify /etc/ipsec.conf to set the custom Phase 1 and Phase 2 values. For more information about editing this file, see Modifying Internal configuration files.

Phase 1 (IKE):

Variable                 Default values                            Supported values   Unsupported values
Mode                     Main                                      NA                 Aggressive
Remote ID type           hostname                                  IP address         NA
NAT Traversal            enabled                                   NA                 NA
Ciphersuite (policies)   aes128-sha1-modp2048,3des-sha1-modp1536   NA                 NA
Version                  IKEv1, IKEv2                              NA                 NA
DPD Timeouts             enabled (30 sec)                          NA                 NA
Lifetime                 3 hours                                   NA                 NA

Phase 2 (ESP):

Variable                 Supported values          Unsupported values
Mode                     Tunnel                    Transport
Protocol                 ESP                       AH
Ciphersuite (policies)   aes128-sha1, 3des-sha1    NA
PFS                      off                       NA
Lifetime                 60 mins                   NA


Supported ciphers

Each cipher consists of three parts:

  • Encryption Algorithm, for example aes128
  • Integrity Algorithm, for example sha1
  • Diffie Hellman Group, for example modp2048

  1. Set the ciphers to custom values in Kerio Control Administration -> Configuration -> Interfaces -> IPsec VPN tunnel properties (Change button).

[Figure: vpn_tunnel_config.png, the IPsec VPN tunnel properties dialog]

Kerio Control supports the following ciphers:

Phase 1 (IKE) - supported ciphers

Encryption Algorithms
  • aes128 or aes (128 bit AES-CBC)
  • aes192 (192 bit AES-CBC)
  • aes256 (256 bit AES-CBC)
  • 3des (168 bit 3DES-EDE-CBC)

Integrity Algorithms
  • md5 (MD5 HMAC)
  • sha1 or sha (SHA1 HMAC)
  • sha2_256 or sha256 (SHA2_256_128 HMAC)
  • sha2_384 or sha384 (SHA2_384_192 HMAC)
  • sha2_512 or sha512 (SHA2_512_256 HMAC)

Diffie Hellman Groups
  • 2 (modp1024)
  • 5 (modp1536)
  • 14 (modp2048)
  • 15 (modp3072)
  • 16 (modp4096)
  • 18 (modp8192)
  • 22 (modp1024s160)
  • 23 (modp2048s224)
  • 24 (modp2048s256)


Phase 2 (ESP) - supported ciphers

Encryption Algorithms
  • aes128 or aes (128 bit AES-CBC)
  • aes192 (192 bit AES-CBC)
  • aes256 (256 bit AES-CBC)
  • 3des (168 bit 3DES-EDE-CBC)
  • blowfish256 (256 bit Blowfish-CBC)

Integrity Algorithms
  • md5 (MD5 HMAC)
  • sha1 or sha (SHA1 HMAC)
  • aesxcbc (AES XCBC)

Diffie Hellman Groups
  • none (no PFS)
  • 2 (modp1024)
  • 5 (modp1536)
  • 14 (modp2048)
  • 15 (modp3072)
  • 16 (modp4096)
  • 18 (modp8192)
  • 22 (modp1024s160)
  • 23 (modp2048s224)
  • 24 (modp2048s256)
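Before applying a hand-edited conn block (step 1 above), it helps to check its proposals against the tables on this page. The following Python script is an added example, not part of this article and not Kerio's code. It assumes the strongSwan ipsec.conf syntax that the ciphersuite notation on this page follows: "conn NAME" headers, indented key=value lines, comma-separated ike= and esp= proposals written as encryption-integrity[-dhgroup], a trailing "!" marking a strict proposal, and the aggressive=, type= and ah= keywords. The two conn blocks it parses are constructed samples; the supported sets are transcribed from the tables above, so anything the page lists as unsupported or omits (Aggressive mode, Transport mode, AH, or an ESP proposal using sha256) is reported.

```python
"""Check ipsec.conf proposals against the Phase 1 / Phase 2 values this article lists.

Added example, not Kerio's code. Assumes strongSwan ipsec.conf syntax:
'conn NAME' headers, indented key=value lines, comma-separated ike=/esp=
proposals written as enc-integ[-dhgroup], and a trailing '!' for a strict proposal.
"""
from typing import Dict, List

# Values transcribed from the article's cipher tables. DH groups are given in
# the modpNNNN form used inside ciphersuite strings.
DH_GROUPS = {
    "modp1024", "modp1536", "modp2048", "modp3072", "modp4096", "modp8192",
    "modp1024s160", "modp2048s224", "modp2048s256",
}
IKE_ENC = {"aes", "aes128", "aes192", "aes256", "3des"}
IKE_INTEG = {"md5", "sha", "sha1", "sha2_256", "sha256",
             "sha2_384", "sha384", "sha2_512", "sha512"}
ESP_ENC = IKE_ENC | {"blowfish256"}
ESP_INTEG = {"md5", "sha", "sha1", "aesxcbc"}   # the Phase 2 table lists no SHA-2 variant

# Constructed sample file: one conn that matches the article's defaults and one that does not.
# The peer address is a documentation address, not a real endpoint.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=yes

conn branch-office
    keyexchange=ikev2
    ike=aes128-sha1-modp2048,3des-sha1-modp1536
    esp=aes128-sha1,3des-sha1
    aggressive=no
    type=tunnel
    # hostname ID, the article's default Remote ID type
    leftid=@hq.example.com
    right=203.0.113.10
    leftsubnet=10.10.0.0/16
    rightsubnet=10.20.0.0/16
    auto=start

conn bad-example
    keyexchange=ikev1
    aggressive=yes
    type=transport
    ike=aes256-sha256-modp1024!,camellia128-sha1-modp2048
    esp=aes256-sha256
"""


def parse_conn_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}}; 'config setup' and comment lines are skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented line: a section header
            head = line.split()
            current = sections.setdefault(head[1], {}) if head[0] == "conn" and len(head) > 1 else None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip()
    return sections


def check_proposal(proposal: str, phase: str) -> List[str]:
    """Validate one proposal such as 'aes128-sha1-modp2048' for phase 'ike' or 'esp'."""
    parts = proposal.strip().rstrip("!").split("-")
    if phase == "ike":
        enc_ok, integ_ok, allowed_lengths = IKE_ENC, IKE_INTEG, (3,)
    else:
        enc_ok, integ_ok, allowed_lengths = ESP_ENC, ESP_INTEG, (2, 3)   # DH group only with PFS
    if len(parts) not in allowed_lengths:
        return [f"{proposal}: malformed {phase.upper()} proposal"]
    problems = []
    if parts[0] not in enc_ok:
        problems.append(f"{proposal}: encryption '{parts[0]}' not in the {phase.upper()} table")
    if parts[1] not in integ_ok:
        problems.append(f"{proposal}: integrity '{parts[1]}' not in the {phase.upper()} table")
    if len(parts) == 3 and parts[2] not in DH_GROUPS:
        problems.append(f"{proposal}: DH group '{parts[2]}' not in the table")
    return problems


def audit_conn(conn: Dict[str, str]) -> List[str]:
    """Apply the article's mode/protocol rules plus per-proposal checks to one conn."""
    problems = []
    if conn.get("aggressive", "no").lower() == "yes":
        problems.append("aggressive=yes: Aggressive mode is unsupported, use Main mode")
    if conn.get("type", "tunnel").lower() == "transport":
        problems.append("type=transport: only Tunnel mode is supported")
    if "ah" in conn:
        problems.append("ah=: AH is unsupported, use an esp= proposal")
    for phase in ("ike", "esp"):
        for prop in conn.get(phase, "").split(","):
            if prop.strip():
                problems.extend(check_proposal(prop, phase))
    return problems


def audit_file(text: str) -> Dict[str, List[str]]:
    """Audit every conn in an ipsec.conf text; returns {conn_name: [problems]}."""
    return {name: audit_conn(conn) for name, conn in parse_conn_sections(text).items()}


if __name__ == "__main__":
    for name, problems in audit_file(SAMPLE_IPSEC_CONF).items():
        print(name, "OK" if not problems else f"{len(problems)} problem(s)")
        for p in problems:
            print("  -", p)
```

Run against a copy of the real file with `audit_file(open("/etc/ipsec.conf").read())`. The check is deliberately limited to what the tables on this page state; it does not judge the strength of a listed cipher, only whether Kerio Control lists it.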

Testing

The custom configuration is reflected in the /etc/ipsec.conf file.

[Figure: ipsec_conf.png, the resulting /etc/ipsec.conf]

The custom IPsec VPN tunnel ciphers are also recorded in the /opt/kerio/winroute/winroute.cfg file.

[Figure: winroute_ike_esp.png, the IKE and ESP cipher entries in winroute.cfg]

Priyanka Bhotika
Posted 15 days ago
Updated 15 days ago
