Route specific traffic through a chosen Kerio VPN tunnel without NAT

Overview

This article explains how to use two Kerio VPN tunnels between the same two Kerio Control firewalls and route specific traffic through a chosen tunnel without using NAT. It clarifies what is supported:

  • Supported: Routing different destination subnets over different VPN tunnels using routing (custom routes) and standard allow rules without NAT.
  • Not supported: Load-sharing the same destination subnet across two concurrent Kerio VPN tunnels, or selecting a VPN tunnel in a traffic rule via “policy routing” without NAT. Kerio Control’s policy routing is documented for Internet access with NAT.

Symptoms/Use case:

  • You have multiple WAN links on each site and want to use both links concurrently.
  • You want to send certain remote networks over Tunnel A and others over Tunnel B, without NAT.
  • You need deterministic routing across site-to-site Kerio VPN tunnels.

Helpful references:

Process

Step 1: Plan your addressing and routing strategy

  1. Ensure all local and remote networks use unique, non-overlapping IP subnets. Overlapping subnets will break routing and cause tunnel conflicts. For background, see Resolving overlapping subnets.
  2. Decide how to split traffic. The supported method is by destination subnet:
    • Example: Send 10.10.10.0/24 and 10.10.20.0/24 over Tunnel A; send 10.10.30.0/24 over Tunnel B.
  3. Note on “policy routing”: In Kerio Control, “policy routing” is documented for Internet access with NAT (choosing an outgoing interface for NATed traffic). It is not a documented method to select a Kerio VPN tunnel without NAT. See policy routing.

Step 2: Create two Kerio VPN tunnels using different WAN links

  1. On each Kerio Control, create two separate Kerio VPN tunnels so each tunnel uses a different Internet connection/WAN on each side.
  2. Give each tunnel a unique, descriptive name (for example, “SiteA-SiteB-WAN1” and “SiteA-SiteB-WAN2”).
  3. For details on creating Kerio VPN tunnels and multi-site setups, see Configuring Kerio VPN Tunnel.
  4. Optional failover note: Kerio VPN supports failover by listing multiple remote endpoints separated by semicolons. This is for automatic switching if one endpoint fails; it does not load-balance. See the same guide above.

Step 3: Assign remote networks to each tunnel using custom routes

  1. For each tunnel, open its settings and go to the Remote Networks (routing) options.
  2. Choose “Use custom routes” (wording may vary) and add only the remote subnets that should traverse that specific tunnel.
  3. Repeat for the second tunnel, adding the other set of remote subnets.
  4. Important: Do not advertise the same remote subnet in both tunnels. Kerio VPN does not implement optimal path routing and may pick routes based on tunnel bring-up order.
  5. Refer to the “Remote Networks / Use custom routes” section in Configuring Kerio VPN Tunnel.
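Before typing the plan from Steps 1 and 3 into Kerio Control, it helps to validate it once: remote subnets must not overlap the local ones, and no remote subnet may be advertised by both tunnels. The following is an added example (not Kerio's own code); it reuses the tunnel names from Step 2, the subnet values are constructed, and `select_tunnel` is a hypothetical longest-prefix lookup that mirrors which custom route a destination would match.

```python
"""Sanity checks for a destination-based split across two Kerio VPN tunnels.

Added example, not code from Kerio Control: checks the custom-route plan
for overlaps before it is configured, and shows which tunnel a destination
falls into by longest-prefix match. All subnet values are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed plan: the local LAN on this site plus the custom routes per tunnel.
LOCAL_NETS = ["192.168.1.0/24"]
TUNNELS: Dict[str, List[str]] = {
    "SiteA-SiteB-WAN1": ["10.10.10.0/24", "10.10.20.0/24"],
    "SiteA-SiteB-WAN2": ["10.10.30.0/24"],
}


def check_plan(local: List[str], tunnels: Dict[str, List[str]]) -> List[str]:
    """Return a list of problems; an empty list means routing is deterministic."""
    problems: List[str] = []
    local_nets = [ip_network(n) for n in local]
    seen = {}  # remote subnet -> tunnel that advertises it
    for name, routes in tunnels.items():
        for r in routes:
            net = ip_network(r)
            # Step 1: a remote subnet overlapping a local subnet breaks routing.
            for ln in local_nets:
                if net.overlaps(ln):
                    problems.append(f"{net} via {name} overlaps local {ln}")
            # Step 3: the same remote subnet in both tunnels lets Kerio VPN
            # pick a path by tunnel bring-up order, so flag it.
            for other, owner in seen.items():
                if owner != name and net.overlaps(other):
                    problems.append(f"{net} via {name} overlaps {other} via {owner}")
            seen[net] = name
    return problems


def select_tunnel(tunnels: Dict[str, List[str]], dst: str) -> Optional[str]:
    """Longest-prefix match over the custom routes; None if no tunnel carries dst."""
    addr = ip_address(dst)
    best = None  # (network, tunnel name) of the most specific match so far
    for name, routes in tunnels.items():
        for r in routes:
            net = ip_network(r)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, name)
    return best[1] if best else None


if __name__ == "__main__":
    print(check_plan(LOCAL_NETS, TUNNELS) or "plan OK")
    print("10.10.30.7 ->", select_tunnel(TUNNELS, "10.10.30.7"))
```

A non-empty result from `check_plan` means the plan should be fixed before the Step 4 allow rules are created, since the firewall rules cannot compensate for ambiguous routes.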

Step 4: Create allow traffic rules without NAT

  1. Go to Configuration > Traffic Rules.
  2. Create or confirm allow rules for inter-site traffic:
    • Source: your local networks
    • Destination: the remote networks you added to each tunnel
    • Action: Allow
  3. Ensure NAT is disabled for these rules. Site-to-site Kerio VPN does not require NAT. For NAT settings reference, see Configuring NAT.

Step 5: Verify routing and tunnel usage

  1. From clients, test connectivity (ping/traceroute) to each remote subnet you assigned to each tunnel to confirm the path.
  2. Monitor Logs > Traffic and VPN logs to verify flows and tunnel status.
  3. Check the routing table to confirm routes are present for the remote subnets and bound to the intended tunnel. See Configuring a routing table in Kerio Control.

Step 6: Understand what is not supported

  1. Kerio VPN does not provide “optimal path routing,” per-service steering, or load-sharing for the same destination subnet across multiple concurrent Kerio VPN tunnels.
  2. “Policy routing” in traffic rules is intended for Internet access with NAT; it is not a supported mechanism to select a Kerio VPN tunnel without NAT. See policy routing.

Summary

To route traffic through a specific Kerio VPN tunnel without NAT, create two Kerio VPN tunnels (each on a different WAN), and use custom routes on each tunnel to advertise different remote subnets. Allow the inter-site traffic in traffic rules with NAT disabled. This approach provides deterministic, destination-based split routing. Kerio VPN does not support load-balancing the same subnet across two tunnels or selecting a VPN tunnel via policy routing without NAT.

FAQ

Q1: Can I split traffic for the same remote subnet across two Kerio VPN tunnels to load-balance?
A1: No. Kerio VPN does not support optimal path routing or load-sharing for the same destination subnet across multiple concurrent tunnels.

Q2: Can I choose a specific Kerio VPN tunnel in a traffic rule using policy routing without NAT?
A2: No. Policy routing in Kerio Control is documented for Internet access with NAT. To control which tunnel is used, assign different destination subnets to each tunnel via custom routes.

Q3: Do I need NAT for site-to-site Kerio VPN between two Kerio Controls?
A3: No. Site-to-site Kerio VPN uses routed (non-NATed) traffic. Ensure NAT is disabled on inter-site allow rules and that subnets do not overlap.

Ciprian Nastase
Posted