Overview
This article describes how to set up a Kerio Control IPsec VPN connection on iOS and Android mobile devices. The configuration is done in the native OS settings, as there is no separate iOS/Android VPN application.
Important: if you're using 2-step verification (2FA), you need to manually open http://<IP_address or hostname of Firewall>:4080//nonauth/totpVerify.cs in a web browser and complete the 2FA setup there (use Manual Entry in the authenticator app).
Prerequisites
- Mobile devices must be connected to the local network (Wi-Fi), or Kerio Control must have a valid public IP address with the appropriate Traffic Rules configured.
- The default allow VPN services traffic rule is enabled.
- VPN settings in Kerio Control Webadmin:
- Open Configuration -> Interfaces -> double-click VPN server.
- Enable Use certificate for clients, Use preshared key and Enable MS-CHAP v2 authentication. Click OK -> Apply. For more information, please refer to Configuring IPsec VPN Server.
IPSec VPN configuration in older Kerio Control versions
- Open Configuration -> Users
- Click Add -> fill out the necessary information. Make sure to enable ‘This user has a separate configuration’.
- Open the Rights tab -> enable ‘User can connect using VPN’ -> click OK. For more information, please refer to Managing user accounts in Kerio Control.
IPSec VPN configuration in Kerio Control 9.4.4 and newer
Starting with Kerio Control 9.4.4, IKEv2 is available for client-to-site VPN connections. If you want to use IKEv2 on your clients, there is an additional prerequisite: export the Kerio Control Local Authority certificate and import it as a root certificate on each client that will use IKEv2 (see Exporting and Importing Kerio Control Local Authority as a Root Certificate).
- The CA certificate needs to be installed on each client device. Consult your device manufacturer's documentation for how to install CA certificates.
Solution
iOS settings (L2TP with Pre-shared key) - all Kerio Control versions
- Open Settings.
- Scroll down and tap General, then scroll down and tap VPN.
- Tap Add VPN configuration.
- Change Type to L2TP.
- Fill in all required information, including Username/Password and Secret (the preshared key).
- By default, the VPN is not connected automatically. Tap the Status switch to establish a VPN connection. The status changes from Connecting to Connected.
iOS settings (IKEv2 with certificate) - Kerio Control 9.4.4 and later
- Description: <choose any>
- Server: Kerio Control domain/IP address
- Remote ID: Kerio Control domain/IP address
- Local ID: blank
- User Authentication: Set to “username”
- Username: Kerio Control user having permission to use VPN connections
- Password: Kerio Control user's password
Android settings (using a certificate)
Note: IKEv2 VPN client connections are not supported in Kerio Control versions older than 9.4.4, so Android 12+ devices using IKEv2 cannot connect, and there is no workaround for such devices. Only older Android versions that support L2TP/IPSec PSK can connect using the native IPsec VPN client.
Starting with Kerio Control 9.4.4, IKEv2 VPN client connections are supported, so Android 13 and newer devices can connect to the Kerio Control VPN server. Below is the Android client-side configuration template, along with a screenshot of how it looks on an Android device:
- Name: <choose any>
- Type: IKEv2/IPSEC MSCHAPv2
- Server address: Domain name of the KerioControl certificate
- IPSec identifier: Kerio Control user having permission to use VPN connections
- IPSec CA certificate: In case of self-signed certificates issued by KerioControl, it should be set to the imported 'Local Authority' Kerio Control's certificate
- IPSec server certificate: received from the server
- Username: KerioControl user having permission to use VPN connections
- Password: KerioControl user's password
Note: If you're using a Let's Encrypt-issued certificate and run into issues, add the certificate https://letsencrypt.org/certs/lets-encrypt-r3.pem to the trusted CA roots on the Android device.
More information can also be found in the IKEv2 Client-to-Site Connection Configuration guide.
Note: if DNS queries do not work from an Android 12+ device, tap Show Advanced Options and manually enter the IP address of the Kerio VPN server OR the IP address of the DNS server configured on your VPN server interface.
Verification
Open Kerio Control Webadmin -> Status -> VPN clients to check the status of the mobile device. The status should be Connected. For more information, please refer to Monitoring VPN Clients.