Overview
While trying to set up an IPsec VPN connection between two offices, the tunnel disconnects after reaching a 2-hour timeout. Afterward, the tunnel reconnects within 10-15 seconds.
The error logs show the following entries:
IPsec: Failed to establish connection with remote endpoint x.x.x.x: IP/Route configuration mismatch
This article explains how to resolve this IPsec VPN problem.
Solution
Kerio Control has a built-in timeout for rekeying authentication every 2 hours. This can be verified by executing the ipsec statusall command when connected through an SSH console.
The IP/Route configuration mismatch error is generated when Kerio Control cannot identify the correct IP addresses and gateway values of a remote site. To resolve such an issue, specify the correct IP address in VPN tunnel properties -> Remote Networks.
An example of IPsec VPN tunnel Remote Networks settings between NG110 and NG300W boxes is presented below.
NG110 settings
WAN IP: 192.168.1.2
LAN switch: 10.10.12.1
Remote Networks:
- Network: 10.10.10.1 (NG300W LAN IP)
- Mask: 255.255.255.255
NG300W settings
WAN IP: 192.168.1.6
LAN switch: 10.10.10.1
Remote Networks:
- Network: 10.10.12.1 (NG110 LAN IP)
- Mask: 255.255.255.255
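The following check is an added example, not part of the original article or of Kerio Control: it confirms that each side's Remote Networks entry covers the peer's LAN IP, using the NG110 and NG300W values above. The dictionary layout, the function names, and the two extra checks (rejecting an entry whose address has host bits set for its mask, and flagging an entry that contains the box's own LAN IP) are assumptions of this example.

```python
import ipaddress

# Values copied from the NG110 / NG300W example above.
NG110 = {"name": "NG110", "lan_ip": "10.10.12.1",
         "remote_networks": [("10.10.10.1", "255.255.255.255")]}
NG300W = {"name": "NG300W", "lan_ip": "10.10.10.1",
          "remote_networks": [("10.10.12.1", "255.255.255.255")]}


def parse_networks(entries):
    """Turn (network, mask) pairs into ip_network objects.

    strict=True rejects entries whose host bits are set for the given mask,
    e.g. 10.10.10.1 with 255.255.255.0 (a choice made by this example).
    """
    return [ipaddress.ip_network(f"{net}/{mask}", strict=True)
            for net, mask in entries]


def check_tunnel(side_a, side_b):
    """Return a list of problems; an empty list means the entries mirror."""
    problems = []
    for local, peer in ((side_a, side_b), (side_b, side_a)):
        try:
            remotes = parse_networks(local["remote_networks"])
        except ValueError as exc:
            problems.append(f"{local['name']}: invalid Remote Networks entry ({exc})")
            continue
        peer_lan = ipaddress.ip_address(peer["lan_ip"])
        own_lan = ipaddress.ip_address(local["lan_ip"])
        # The peer's LAN IP must fall inside at least one configured entry.
        if not any(peer_lan in net for net in remotes):
            problems.append(f"{local['name']}: no Remote Networks entry covers "
                            f"{peer['name']} LAN IP {peer_lan}")
        # An entry that matches the local LAN usually means the sides were swapped.
        if any(own_lan in net for net in remotes):
            problems.append(f"{local['name']}: Remote Networks contains its own "
                            f"LAN IP {own_lan}")
    return problems


if __name__ == "__main__":
    result = check_tunnel(NG110, NG300W)
    for line in result or ["Remote Networks entries mirror each other"]:
        print(line)
```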
If you're using 3rd-party firewall solutions, the IPSec tunnel configuration can be modified manually via ipsec.conf. For more information, please refer to Adjusting Values for IPSec VPN Using Kerio Control.