Administrator's Guide - Kerio Software Archive
Kerio VPN

23.1 VPN Server Configuration

used network is used (the automatic detection is not performed again).

Warning: Make sure that the subnet for VPN clients does not collide with any local subnet!

Kerio Control can detect a collision of the VPN subnet with local subnets. The collision may arise when the configuration of a local network is changed (change of IP addresses, addition of a new subnet, etc.), or when a subnet for VPN is not selected carefully. If the VPN subnet collides with a local network, a warning message is displayed when the settings are saved (by clicking Apply in the Interfaces tab). In such cases, redefine the VPN subnet.

Figure 23.3 VPN server — detection of IP collision

It is recommended to check that no IP collision is reported after each change in the configuration of the local network and/or of the VPN!

Notes:

1. Under certain circumstances, collision with the local network might also arise when a VPN subnet is set automatically (if the configuration of the local network is changed later).

2. Regarding two VPN tunnels, it is also checked, when a connection is established, whether the VPN subnet collides with IP ranges at the other end of the tunnel (remote endpoint). If a collision with an IP range is reported upon startup of the VPN server (upon clicking Apply in the Interfaces tab), the VPN subnet must be set by hand. Select a network which is not used by any of the local networks participating in the connection. VPN subnets at each end of the tunnel must not be identical (two free subnets must be selected).

3. VPN clients can also be assigned IP addresses according to login usernames. For details, see chapter 16.1.

SSL certificate

Information about the current VPN server certificate. This certificate is used for verification of the server’s identity during creation of a VPN tunnel (for details, refer to chapter 23.3). The VPN server in Kerio Control uses the standard SSL certificate.

When defining a VPN tunnel, it is necessary to send the local endpoint’s certificate fingerprint to the remote endpoint and vice versa (mutual verification of identity — see chapter 23.3).

Hint: The certificate fingerprint can be copied to the clipboard and pasted into a text file, email message, etc.

Click Change SSL Certificate to set parameters for the certificate of the VPN server. For the VPN server, you can either create a custom (self-signed) certificate or import a certificate created by a certification authority. The certificate created is saved in the sslcert subdirectory of the Kerio Control installation directory as vpn.crt and the corresponding private key is saved at the same location as vpn.key.

Methods used for creation and import of SSL certificates are described thoroughly in chapter 12.1.

Note: If you already have a certificate created by a certification authority especially for your server (e.g. for secured Web interface), it is also possible to use it for the VPN server — it is not necessary to apply for a new certificate.

DNS configuration for VPN clients

To allow VPN clients to access local hosts using hostnames, they need at least one local DNS server.

Figure 23.4 VPN server settings — specification of DNS servers for VPN clients

The Kerio Control VPN server offers the following options for DNS server configuration:

• Use Kerio Control as DNS server — the IP address of the corresponding interface of the Kerio Control host will be used as a DNS server for VPN clients (VPN clients will use the DNS module; see chapter 9.1). This is the default option if the DNS module is enabled in Kerio Control.
  If the DNS module is already used as a DNS server for local hosts, it is recommended to use it for VPN clients as well. The DNS module provides the fastest responses to client DNS requests, and possible collision (inconsistency) of DNS records will be avoided.

• Specific DNS servers — a primary and optionally also a secondary DNS server will be set for VPN clients.
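The collision rules from the VPN subnet warning and notes above can be checked offline before an addressing change is applied. The following Python code is an added example, not part of the Kerio guide and not Kerio Control's own detection logic; the function names, the sample networks and the 172.16.0.0/12 search pool are assumptions made for illustration.

```python
import ipaddress


def find_vpn_collisions(vpn_subnet, local_subnets, remote_ranges=(),
                        remote_vpn_subnet=None):
    """Return (kind, network) pairs that overlap the planned VPN subnet.

    kind is "local" (a subnet on this side), "remote" (an IP range at the
    other end of a tunnel) or "remote-vpn" (the peer's own VPN subnet,
    which must not be identical to or overlap ours).
    """
    # strict=True: a VPN subnet with host bits set is a definition error.
    vpn = ipaddress.ip_network(vpn_subnet, strict=True)
    collisions = []
    for kind, nets in (("local", local_subnets), ("remote", remote_ranges)):
        for raw in nets:
            # strict=False accepts interface notation such as 192.168.1.10/24.
            net = ipaddress.ip_network(raw, strict=False)
            if net.version == vpn.version and vpn.overlaps(net):
                collisions.append((kind, str(net)))
    if remote_vpn_subnet is not None:
        peer = ipaddress.ip_network(remote_vpn_subnet, strict=True)
        if peer.version == vpn.version and vpn.overlaps(peer):
            collisions.append(("remote-vpn", str(peer)))
    return collisions


def pick_free_subnet(used, pool="172.16.0.0/12", prefixlen=24):
    """Return the first subnet of the pool that overlaps none of `used`."""
    used_nets = [ipaddress.ip_network(u, strict=False) for u in used]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(u.version == cand.version and cand.overlaps(u)
                   for u in used_nets):
            return str(cand)
    return None  # pool exhausted


if __name__ == "__main__":
    # Constructed sample addressing, not taken from the guide.
    local = ["192.168.1.10/24", "10.1.0.0/16"]
    remote = ["192.168.2.0/24"]
    print(find_vpn_collisions("10.1.5.0/24", local, remote, "172.27.0.0/24"))
    print(pick_free_subnet(local + remote + ["172.27.0.0/24"]))
```

Run it with every subnet that participates in the connection, including the ranges at the remote endpoint, whenever local addressing or the VPN subnet changes.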