Overview
When IKE rekeying takes place between Kerio Control (initiator) and an external firewall (responder), the VPN tunnel connection goes down for some time every few hours. This disconnects the users connected to the VPN and requires them to reauthenticate.
Solution
Below are the steps to resolve this issue with the VPN IPSec tunnel:
- SSH into Kerio Control.
- Enter the command below with the appropriate name of your tunnel:
/opt/kerio/winroute/tinydbclient "update VpnTunnels_v2 set CustomOptions={'rekey=\"no\"','reauth=\"no\"','ikelifetime=\"3\"','lifetime=\"1\"'} where name='tunnel-name'"
This command disables reauthentication, disables rekey, and increases the lifetime values for the tunnel. These values can be edited to suit your environment. Make sure the same values are configured on the external firewall device.
IMPORTANT: if the tunnel-name contains any of the following characters, they should be escaped in the command: Period (.), Asterisk (*), Plus (+), Question Mark (?), Caret (^), Dollar Sign ($), Parentheses (( and )), Brackets ([ and ]), Braces ({ and }), Pipe (|), Backslash (\), Slash (/), Quote ('), Double Quotes (").
For example, a tunnel named "VPN (external)" should be rewritten as "VPN \(external\)" when the command is run.
- Reboot Kerio Control using the reboot command.
These changes persist across reboots of the Kerio Control device.
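The escaping rule from the IMPORTANT note, as a shell helper. This is an added example, not part of Kerio's documentation or tooling: the function names are hypothetical, and it assumes every listed character takes a single backslash, as in the "VPN \(external\)" example. Passing the escaped name in through a variable keeps the shell from consuming the backslashes before tinydbclient receives them.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of Kerio Control.

# Backslash-escape every character the article lists:
#   . * + ? ^ $ ( ) [ ] { } | \ / ' "
# Assumption: each one takes a single backslash, as in "VPN \(external\)".
escape_tunnel_name() {
    # In the bracket expression "]" comes first so it is literal, and "[" is
    # followed by "(" so it cannot open a [. .] collating symbol.
    printf '%s' "$1" | sed "s#[][(){}.*+?^\$|\\\\/'\"]#\\\\&#g"
}

# Build the statement from the article with the escaped name substituted.
# The option values are the article's; edit them to match the external firewall.
tunnel_update_sql() {
    name=$(escape_tunnel_name "$1")
    printf '%s' "update VpnTunnels_v2 set CustomOptions={'rekey=\"no\"','reauth=\"no\"','ikelifetime=\"3\"','lifetime=\"1\"'} where name='$name'"
}

# Constructed sample name taken from the article's own example.
tunnel_update_sql 'VPN (external)'
echo

# On the appliance the statement would be passed as a single argument:
# /opt/kerio/winroute/tinydbclient "$(tunnel_update_sql 'VPN (external)')"
```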
Testing
The IPSec VPN tunnel stays connected for users and no disconnection issues are seen.
In case the issue persists, open a support ticket with us with the below information:
- Provide the Support information file from the Kerio Control web interface from Status > System Health > Support information.
- Debug logs with the IPSec options Charon output, General, L2TPD output, and PPPD output enabled.
- Error, Warning, and Security logs.
- Any information and logs from the external firewall.