Overview

While trying to set up an IPsec VPN connection between two offices, the tunnel disconnects after reaching a 2 hours timeout. Afterward, the tunnel reconnects within 10-15 seconds.

The error logs show the following entries:

  IPsec: Failed to establish connection with remote endpoint x.x.x.x: IP/Route configuration mismatch

This article provides explanations on how to resolve such IPsec VPN problem.

Solution

Kerio Control has a built-in timeout for rekeying authentication every 2 hours. This can be verified by executing ipsec statusall command when connected through an SSH console.

The IP/Route configuration mismatch error is generated when Kerio Control cannot identify the correct IP addresses and gateway values of a remote site. To resolve such an issue, specify the correct IP address in VPN tunnel properties -> Remote Networks.

An example of IPsec VPN tunnel Remote Networks settings between NG110 and NG300W boxes is presented below.

NG110 settings

WAN IP: 192.168.1.2

LAN switch: 10.10.12.1

Remote Networks:

• Network: 10.10.10.1 (NG300W LAN IP)
• Mask: 255.255.255.255

NG300W settings

WAN IP: 192.168.1.6

LAN switch: 10.10.10.1

Remote Networks:

• Network: 10.10.12.1 (NG110 LAN IP)
• Mask: 255.255.255.255

If you're using 3rd-party firewall solutions, the IPSec tunnel configuration can be modified manually via ipsec.conf. For more information, please refer to Adjusting Values for IPSec VPN Using Kerio Control.