Overview
When users connect with the IPsec or Kerio VPN client, the connection cannot be established, and the login page URL times out in the browser if two-step verification is enforced for those users.
The Debug log, with the "Packets dropped for some reason" option enabled, may show errors like the following:
{pktdrop} packet dropped: VPN Client: 2 step verification not performed. (from IPsec VPN client, proto:TCP, len:64, 1.1.1.1:55941 -> x.x.x.x:443, flags:[SYN], seq:2288240514 ack:0, win:65535, tcplen:0)
{pktdrop} packet dropped: VPN Client: 2 step verification not performed. (from Kerio Control VPN Client <user>, proto:UDP, len:194, 1.2.2.6:51546 -> 192.168.16.3:389, udplen:166)
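As an added example (not part of this article or of Kerio's own tooling), a small Python script that picks the 2-step verification drops out of a saved Debug log and counts them per VPN client and source address, so you can see which users still need the token configured. The sample log is constructed from the two lines quoted above plus one line with a different drop reason; the message layout is assumed from those samples.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample log: the two lines quoted in this article, plus one
# line with an unrelated drop reason that the filter must ignore.
SAMPLE_LOG = """\
{pktdrop} packet dropped: VPN Client: 2 step verification not performed. (from IPsec VPN client, proto:TCP, len:64, 1.1.1.1:55941 -> x.x.x.x:443, flags:[SYN], seq:2288240514 ack:0, win:65535, tcplen:0)
{pktdrop} packet dropped: VPN Client: 2 step verification not performed. (from Kerio Control VPN Client <user>, proto:UDP, len:194, 1.2.2.6:51546 -> 192.168.16.3:389, udplen:166)
{pktdrop} packet dropped: VPN Client: some other reason. (from Kerio Control VPN Client bob, proto:TCP, len:60, 10.0.0.5:40000 -> 192.168.16.3:443, flags:[SYN])
"""

# Substring of the drop reason this article is about.
REASON_2FA = "2 step verification not performed"

# Layout assumed from the sample lines: reason, "(from <client>", the
# protocol, then "<src ip:port> -> <dst host:port>" somewhere after it.
LINE_RE = re.compile(
    r"\{pktdrop\} packet dropped: (?P<reason>.+?)\. "
    r"\(from (?P<client>.+?), proto:(?P<proto>\w+), .*?"
    r"(?P<src>[\d.]+:\d+) -> (?P<dst>[\w.]+:\d+)"
)


def parse_pktdrop(line: str) -> Optional[dict]:
    """Return the fields of one pktdrop line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def missing_2fa_clients(log_text: str) -> Counter:
    """Count dropped packets per (client label, source IP) where the drop
    reason is the 2-step verification one; other reasons are ignored."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_pktdrop(line)
        if rec and REASON_2FA in rec["reason"]:
            src_ip = rec["src"].rsplit(":", 1)[0]
            hits[(rec["client"], src_ip)] += 1
    return hits


if __name__ == "__main__":
    for (client, src_ip), n in missing_2fa_clients(SAMPLE_LOG).items():
        print(f"{n} drop(s): {client} from {src_ip} has not completed 2-step verification")
```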
Solution
The VPN 2-step verification mechanism uses the URL <IP_address_or_FQDN>//nonauth/totpVerify.cs. Depending on the protocol used (HTTPS or HTTP), the login page redirects to port 4081 or 4080 respectively. The error above is self-explanatory: the 2-step verification token was not entered, or 2-step verification was not configured at all.
Also, if you enter the internal (LAN) IP address, the internal VPN server IP is picked up automatically and the DNS configuration is skipped.
If you face redirection issues on desktop (Kerio VPN client) or mobile devices (IPsec L2TP client), you can work around them as follows:
- Disable 2-step verification for the affected user(s): in the Users section, right-click the user -> Disable 2-step verification.
- Connect with the VPN device (desktop VPN client or IPsec VPN).
- Once connected, open a browser and navigate to https://<YOUR-KERIO-LOCAL-INTERFACE-IP>:4081//login
- Log in with the user's credentials, then enable and configure 2-step verification. The user statistics page should show "2-step verification is active for your account".
- Open https://<YOUR-KERIO-LOCAL-INTERFACE-IP>:4081//nonauth/totpverify.cs and authenticate. The "You are now connected" screen is displayed.
Important considerations
The "Force hostname for VPN clients" option and custom reverse proxy settings may affect the 2-step verification behavior.
By default, Force hostname is disabled.
[Screenshot: the preconfigured default reverse proxy rule]