Phone Lines icon GFI Support Home

Articles in this section

See more

Enabling IKEv2 Support in Kerio Control

Author: Vladyslav Velychko Updated

Overview

When trying to connect Kerio Control to other VPN gateways (Azure, Comcast, Mikrotik, etc) through a secure tunnel, the Kerio Control needs a specific configuration to be enabled. The remote VPN Gateways support IKEv2 protocol only.

This article briefs the procedure to enable IKEv2 support for Kerio Control 9.3 and later.

Solution

The different ways to enable this support are provided below:

Enable IKEv2 by Editing a Configuration File

  1. Log in to Kerio Control via SSH.
  2. Open the /var/winroute/winroute.cfg file. You can use Nano or Vim editor. The commands are:
    1. nano /var/winroute/winroute.cfg
    2. vi /var/winroute/winroute.cfg
  3. Locate Firewall table and change IKEVersion variable from ikev1 to ikev2.
    ike_enable.png
  4. Save the changes. In the Nano editor click CTRL + O to write out the modification. Press Enter to save the file.
    ike_enable2.png
  5. Restart the main Winroute process by executing the following command:
    /etc/boxinit.d/60winroute restart

Enable only IKEv2 using Tiny Database Client

  1. Log in to Kerio Control via SSH.
  2. Run - /opt/kerio/winroute/tinydbclient "update Firewall set IKEVersion=ikev2"
  3. Run - /etc/boxinit.d/60winroute restart - this will restart your Kerio Control and drop all current connections.

Enable both IKEv1 and IKEv2 using Tiny database client

This requires setting the IKEVersion parameter to only ike. This will use IKEv2 for initiation but will enable both IKEv1 and IKEv2 when responding. Below are the steps for the same:

  1. Log in to Kerio Control via SSH.
  2. Run - /opt/kerio/winroute/tinydbclient "update Firewall set IKEVersion=ike"
  3. Run - /etc/boxinit.d/60winroute restart - this will restart your Kerio Control and drop all current connections.

Testing

Kerio Control is now enabled to support IKEv2. The changes are reflected in the IPSec configuration file /etc/ipsec.conf. The value of the parameter keyexchange in the file will be set to ikev2 or ike as per the selected method previously.

 

Important Considerations

  • It is safe to make such changes from the remote PC using SSH.
  • IKEv2 VPN transport in Kerio Control is not fully supported as it requires an extra plugin EAP-PEAP to authenticate users against Kerio Control then assign them an IP. The current plugin works with IKEv1 because it supports PPP meanwhile IKEv2 doesn't. iOS devices require EAP authentication which is not supported.

 

Related articles