IPSEC VPN Problem (IPSEC VPN with Kerio Control behind router)

IPSEC VPN Problem [message #105538] Fri, 16 August 2013 00:22
AndrisGazda
Messages: 12
Registered: May 2013
Cannot connect from the internet to Kerio Control, which is behind a Mikrotik RB450G router, with IPSEC VPN. I've set the forwardings on the router, but still cannot connect; the preshared key is the same. As I found on the internet, IPSEC doesn't work when the VPN/authentication server is behind NAT/firewall, as in my case. The problem is that VPN access is needed from outside the network, from cell phones and tablets too, where the Kerio VPN client cannot be installed on this category of devices.



Re: IPSEC VPN Problem [message #105542 is a reply to message #105538] Fri, 16 August 2013 05:58
mlee (Kerio)
Messages: 211
Registered: October 2012
Location: Sydney
One suggestion is to use your Mikrotik RB450G router in bridge mode and let Kerio Control have the public IP address so no mapping is needed.

M.


PTSD. BP. OCD. ASPD. BPD. Certified.
Re: IPSEC VPN Problem [message #105549 is a reply to message #105542] Fri, 16 August 2013 08:38
AndrisGazda
Messages: 12
Registered: May 2013
Thanks, but that is not possible because the failover switching between the 2 internet connections is implemented there, and the physical firewall role too. The other problem is that I cannot add more network cards to the PC that is used for virtualization for Kerio Control. I don't trust Kerio Control's failover; the last time I tested it, the switching back after the primary connection was restored didn't work.

My question is, what if I set up a VPN server on the router and make a tunnel between Kerio and the RB450G? Would it be possible to access the internal network with this? Only access to the internal network is needed, in secure conditions, from VPN clients; there is no need for accessing the internet through the VPN.
RB450G can deal with IPSEC, PPTP, PPPoE too.
Re: IPSEC VPN Problem [message #105574 is a reply to message #105549] Fri, 16 August 2013 15:41
silars
Messages: 285
Registered: March 2012
1. Have you tried to capture packets on the Control device to verify forwarding is occurring properly?

2. Have you considered setting up a VPN server internally to Control? I use an internal VPN server to handle PPTP (Control doesn't do PPTP) and IPsec. Android, iOS, and Windows phones/tablets support PPTP.

3. Can you post your IPsec forwarding rules on the RB450G?

[Updated on: Fri, 16 August 2013 15:52]

Re: IPSEC VPN Problem [message #105576 is a reply to message #105574] Fri, 16 August 2013 16:01
AndrisGazda
Messages: 12
Registered: May 2013
I read on the Mikrotik forum that IPSEC does not work if the VPN server is behind a router/NAT. How do I capture the packets if the router and the virtual machine are connected directly with a cable?
Thanks a lot for the idea with the internal VPN server!!! I will try to go in this direction. :)
Re: IPSEC VPN Problem [message #105581 is a reply to message #105576] Fri, 16 August 2013 17:27
silars
Messages: 285
Registered: March 2012
You do need NAT Traversal support for IPsec for that to work. If Mikrotik doesn't support NAT Traversal for IPsec, this will only work if your IPsec VPN connections are in Tunnel mode. I don't believe all of your clients will support that.

The other option is to consider PPTP. It is less secure, but port forwarding is a lot easier.
Re: IPSEC VPN Problem [message #105582 is a reply to message #105576] Fri, 16 August 2013 17:59
AndrisGazda
Messages: 12
Registered: May 2013
IPSEC-ESP, IPSEC-AH, UDP ports 500, 1701, 4500, 5500

All the NAT/forwarding settings are the same:
General tab - Chain: dst-nat, Dst. address: public IP (assigned by provider)
Action tab - Action: dst-nat, To address: Kerio WAN interface IP address, Port: the same as on the General tab
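
Added example (not part of the thread, and not Kerio or Mikrotik code): one way to act on the packet-capture suggestion above is to label each packet that reaches the VPN server's WAN interface by the protocols and ports in the forwarding list, using the RFC 3948 framing on UDP 4500 to tell NAT-T IKE from ESP-in-UDP. It assumes raw IPv4 packets with no link-layer header; the function names, addresses and sample packets are constructed for illustration.

```python
import socket
import struct
from collections import Counter

IP_PROTOS = {50: "esp", 51: "ah"}        # native ESP; AH covers the IP header, so NAT breaks it
UDP_PORTS = {500: "ike", 1701: "l2tp"}   # UDP destination ports from the forwarding list

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet captured on the VPN server's WAN interface."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    if proto in IP_PROTOS:
        return IP_PROTOS[proto]
    if proto != 17 or len(packet) < ihl + 8:     # 17 = UDP
        return "other"
    dport, ulen = struct.unpack("!HH", packet[ihl + 2:ihl + 6])
    payload = packet[ihl + 8:ihl + ulen]
    if dport != 4500:
        return UDP_PORTS.get(dport, "other")
    if payload == b"\xff":                       # RFC 3948 NAT keepalive
        return "nat-keepalive"
    if payload[:4] == b"\x00" * 4:               # non-ESP marker precedes the IKE header
        return "ike-natt"
    return "esp-in-udp" if len(payload) >= 4 else "other"   # non-zero SPI first

def summarize(packets):
    """Count packet kinds and list the NAT-T flows absent from the capture."""
    seen = Counter(classify(p) for p in packets)
    missing = [k for k in ("ike", "ike-natt", "esp-in-udp") if seen[k] == 0]
    return seen, missing

def ipv4(proto, payload, src="198.51.100.7", dst="192.0.2.10"):
    # Constructed IPv4 header (checksum left at 0) for the sample packets.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def udp(dport, payload, sport=4500):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

# Constructed capture: IKE arrives on 500 and 4500, but no ESP-in-UDP data follows.
SAMPLE = [
    ipv4(17, udp(500, b"\x11" * 28, sport=500)),
    ipv4(17, udp(4500, b"\x00" * 4 + b"\x11" * 28)),
    ipv4(17, udp(4500, b"\xff")),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A kind listed in `missing` means no packet of that kind appeared in the capture, which points at the forwarding rule or the client rather than at the VPN server's own configuration.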