Overview
When connecting Kerio Control to other VPN gateways (Azure, Comcast, Mikrotik, etc.) through a secure tunnel, Kerio Control needs a specific configuration enabled, because these remote VPN gateways support only the IKEv2 protocol.
This article describes the procedure to enable IKEv2 support on Kerio Control 9.3 and later.
Solution
IKEv2 support can be enabled in any of the following ways:
- Enable IKEv2 by editing a configuration file
- Enable only IKEv2 using Tiny database client
- Enable both IKEv1 and IKEv2 using Tiny database client
Enable IKEv2 by Editing a Configuration File
- Log in to Kerio Control via SSH.
- Open the /var/winroute/winroute.cfg file in the Nano or Vim editor:
nano /var/winroute/winroute.cfg
vi /var/winroute/winroute.cfg
- Locate the Firewall table and change the IKEVersion variable from ikev1 to ikev2.
- Save the changes. In Nano, press Ctrl+O to write out the modification, then press Enter to confirm the file name.
- Restart the main Winroute process with the following command:
/etc/boxinit.d/60winroute restart
Enable only IKEv2 using Tiny Database Client
- Log in to Kerio Control via SSH.
- Run:
/opt/kerio/winroute/tinydbclient "update Firewall set IKEVersion=ikev2"
- Run the following command, which restarts Kerio Control and drops all current connections:
/etc/boxinit.d/60winroute restart
Enable both IKEv1 and IKEv2 using Tiny database client
This requires setting the IKEVersion parameter to ike only. Kerio Control then uses IKEv2 when initiating a connection but accepts both IKEv1 and IKEv2 when responding. The steps are:
- Log in to Kerio Control via SSH.
- Run:
/opt/kerio/winroute/tinydbclient "update Firewall set IKEVersion=ike"
- Run the following command, which restarts Kerio Control and drops all current connections:
/etc/boxinit.d/60winroute restart
Testing
Kerio Control now supports IKEv2. The change is reflected in the IPsec configuration file /etc/ipsec.conf, where the keyexchange parameter is set to ikev2 or ike, depending on the method selected above.
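The check below is an added example and not part of the original article or of Kerio Control itself. It assumes /etc/ipsec.conf uses the strongSwan ipsec.conf layout implied by the keyexchange parameter (a "conn <name>" section per connection, settings inherited from "conn %default"), parses which IKE version each connection will negotiate, and fails unless every connection is set to ikev2 or ike. The sample configuration embedded at the end is constructed for the demonstration; on an appliance you would point the function at /etc/ipsec.conf instead.

```shell
#!/bin/sh
# Added example (not Kerio's code): verify the keyexchange setting that the
# IKEv2 procedure above is supposed to leave in /etc/ipsec.conf.
# Assumes strongSwan-style ipsec.conf syntax: "conn <name>" sections,
# "keyexchange=<value>" lines, and "conn %default" providing inherited defaults.

# Print "<conn> <keyexchange>" for every connection in the given file,
# resolving inheritance from conn %default. A connection with neither an
# explicit nor an inherited value is reported as "unset".
ike_versions() {
    awk '
        # Strip comments and surrounding whitespace from a line.
        function trim(s) { sub(/#.*/, "", s); gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        {
            line = trim($0)
            if (line == "") next
            if (line ~ /^conn[ \t]+/) {          # start of a connection section
                sub(/^conn[ \t]+/, "", line)
                cur = line
                if (cur != "%default") order[++n] = cur
                next
            }
            if (line ~ /^config[ \t]+/) { cur = ""; next }   # "config setup" is not a conn
            if (cur != "" && line ~ /^keyexchange[ \t]*=/) {
                sub(/^keyexchange[ \t]*=[ \t]*/, "", line)
                kx[cur] = line
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]
                v = kx[c]
                if (v == "") v = kx["%default"]   # inherit from conn %default
                if (v == "") v = "unset"
                print c, v
            }
        }
    ' "$1"
}

# Return 0 when every connection negotiates IKEv2 (keyexchange=ikev2) or
# accepts both versions (keyexchange=ike), i.e. what the procedure above
# produces; otherwise list the connections that still need attention and return 1.
check_ikev2_enabled() {
    bad=$(ike_versions "$1" | awk '$2 != "ikev2" && $2 != "ike" { print $1 "=" $2 }')
    if [ -n "$bad" ]; then
        printf 'IKEv2 not enabled for: %s\n' "$bad"
        return 1
    fi
    printf 'IKEv2 enabled for all %s connection(s)\n' "$(ike_versions "$1" | wc -l | tr -d ' ')"
    return 0
}

# Constructed sample (not a real Kerio Control file): one connection inherits
# ikev2 from %default, one is still pinned to ikev1 and should be flagged.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
config setup
    uniqueids=yes

conn %default
    keyexchange=ikev2   # value written by the IKEv2 procedure
    ikelifetime=60m

conn azure-gw
    left=%defaultroute
    right=203.0.113.10

conn legacy-gw
    keyexchange=ikev1
    right=198.51.100.20
EOF

# On the appliance the call would be: check_ikev2_enabled /etc/ipsec.conf
check_ikev2_enabled "$SAMPLE_CONF" || echo "review the connections listed above"
```

Run it after the restart step of whichever method you used; a non-zero exit status means at least one connection is still negotiating IKEv1 or has no keyexchange value at all, which is the usual reason an IKEv2-only peer such as Azure refuses the tunnel.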
Important Considerations
- It is safe to make these changes from a remote PC over SSH.
- IKEv2 VPN transport in Kerio Control is not fully supported, because it requires an additional EAP-PEAP plugin to authenticate users against Kerio Control and then assign them an IP address. The current plugin works with IKEv1 because that path supports PPP, which IKEv2 does not. iOS devices require EAP authentication, which is not supported.