IPSec fine tuning (IPSec tunnel is established, but disconnects)
IPSec fine tuning [message #126221] Sat, 05 December 2015 21:39
Baguk
Messages: 18
Registered: March 2015
Dear Kerio Support, Dear All,

I'm still evaluating Kerio Control. I was almost ready to purchase a license after my latest achievement - to use Kerio Control to connect to Windows Azure. However, even though it was OK at first look, it does not seem to work for a production environment.

Well, the connection is established successfully to the "Static" Gateway, and you can reach resources on Azure. Everything is as it should be. However, five minutes later the connection is dropped and redialed again successfully. In the log there are a lot of repeating events:

[05/Dec/2015 21:23:59] TUNNELSTATUS(DOWN) firewall="xxx" hostip="" hostname="" name="Microsoft Azure" username=""
[05/Dec/2015 21:24:58] TUNNELSTATUS(UP) endpoint="yyy" firewall="xxx" hostip="" hostname="" name="Microsoft Azure" username=""
[05/Dec/2015 21:29:59] TUNNELSTATUS(DOWN) firewall="xxx" hostip="" hostname="" name="Microsoft Azure" username=""
[05/Dec/2015 21:30:58] TUNNELSTATUS(UP) endpoint="yyy" firewall="xxx" hostip="" hostname="" name="Microsoft Azure" username=""

clearly identify that the connection disconnects and connects again and again from the Kerio. At the same time, the same connections were kept for months with Windows Server 2012 R2 RRAS and also StrongSwan. I assume that this is related to settings like key lifetime and so on, which could be configured in ipsec.conf.

My question in this case: can we configure ipsec.conf (or other settings of the IPSec tunnel) in detail, such as key lifetime and so on, as seems to be required by the industry standard Microsoft Azure?

Thank you!

Best Regards,
Baguk
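The drop/reconnect pattern in the log lines above can be measured rather than eyeballed. This is an added example, not part of the original post and not Kerio code: it parses the TUNNELSTATUS lines (the sample input is a constructed copy of the four lines quoted above) and reports uptime, outage and cycle length per tunnel. The function names and the 5-second tolerance are assumptions.

```python
import re
from datetime import datetime

# Constructed sample input: the four log lines quoted in the post above.
SAMPLE_LOG = '''\
[05/Dec/2015 21:23:59] TUNNELSTATUS(DOWN) firewall="xxx" hostip="" hostname="" name="Microsoft Azure" username=""
[05/Dec/2015 21:24:58] TUNNELSTATUS(UP) endpoint="yyy" firewall="xxx" hostip="" hostname="" name="Microsoft Azure" username=""
[05/Dec/2015 21:29:59] TUNNELSTATUS(DOWN) firewall="xxx" hostip="" hostname="" name="Microsoft Azure" username=""
[05/Dec/2015 21:30:58] TUNNELSTATUS(UP) endpoint="yyy" firewall="xxx" hostip="" hostname="" name="Microsoft Azure" username=""
'''

LINE_RE = re.compile(r'^\[([^\]]+)\]\s+TUNNELSTATUS\((UP|DOWN)\)\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_events(text):
    """Return sorted (timestamp, state, tunnel name) tuples; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y %H:%M:%S")
            name = dict(FIELD_RE.findall(m.group(3))).get("name", "")
            events.append((ts, m.group(2), name))
    return sorted(events)


def flap_report(text, tolerance=5):
    """Per tunnel: uptimes, outages and same-state cycle lengths, in seconds."""
    report, last = {}, {}
    for ts, state, name in parse_events(text):
        r = report.setdefault(name, {"uptimes": [], "outages": [], "cycles": []})
        prev = last.setdefault(name, {})
        other = "DOWN" if state == "UP" else "UP"
        if other in prev:  # time spent in the state that just ended
            key = "outages" if state == "UP" else "uptimes"
            r[key].append(int((ts - prev[other]).total_seconds()))
        if state in prev:  # DOWN-to-DOWN or UP-to-UP distance
            r["cycles"].append(int((ts - prev[state]).total_seconds()))
        prev[state] = ts
    for r in report.values():
        c = r["cycles"]
        # A near-constant cycle points at a timer (such as a key lifetime), not random loss.
        r["periodic"] = len(c) >= 2 and max(c) - min(c) <= tolerance
    return report


if __name__ == "__main__":
    for tunnel, stats in flap_report(SAMPLE_LOG).items():
        print(tunnel, stats)
```

On the quoted lines the tunnel stays up for 301 seconds, is down for 59 seconds each time, and repeats on an exact 360-second cycle.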
Re: IPSec fine tuning [message #126263 is a reply to message #126221] Tue, 08 December 2015 08:14
Baguk
Messages: 18
Registered: March 2015
Well, my experiments continue. I got a successful and stable working VPN tunnel to Azure by modifying the file /var/etc/ipsec.conf directly. I know this is not the proper way, as the file is automatically generated by Kerio. For me it was important to test whether the "correct" ipsec.conf solves the problem, and it obviously did. So my current question:

Is there any documentation on the winroute.cfg file available? I want to adjust this file in a corresponding way, so that the right ipsec.conf will be generated. I tried to use keywords in it, but they seem to be ignored. Does anybody have an idea about the schema for winroute.cfg?

Thank you and Best Regards!
Baguk
Re: IPSec fine tuning [message #135214 is a reply to message #126263] Sun, 23 April 2017 21:47
potiff
Messages: 7
Registered: April 2015
Hi, sorry to bring up this old post.
Would you kindly share your configuration settings for connecting to Azure?
Mine is stuck at "none of the proposed crypto suites was acceptable"
Re: IPSec fine tuning [message #135215 is a reply to message #135214] Mon, 24 April 2017 07:42
Baguk
Messages: 18
Registered: March 2015
Hi potiff,

Finally I changed the type of the Azure Gateway to static, so I can use the standard setup of Kerio with the following custom ciphers:

Encryption-Integrity-DH Groups

aes256-sha1-modp1024
aes256-sha1-none (no PFS)
Re: IPSec fine tuning [message #135224 is a reply to message #135215] Tue, 25 April 2017 05:53
potiff
Messages: 7
Registered: April 2015
Thank you for your prompt reply.
It's connected! Switching over to static routing works.
Thank you very much.
Re: IPSec fine tuning [message #145698 is a reply to message #135224] Fri, 03 May 2019 11:40
NETGRAMMER
Messages: 10
Registered: April 2019
Hello. I'm having the same problem; can you post the detailed configuration of Kerio?
I can connect to the IPSec VPN from Linux (ipsec.conf).

I need to configure that on Kerio.

config setup
    interfaces="%defaultroute"
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=
    oe=off
    protostack=netkey

conn ConnectionName
    type=tunnel
    authby=secret
    auto=start
    pfs=no
    keyexchange=ike
    left=My-Wan-IP
    leftsubnet=My-Wan-IP/Subnet
    right=WanIp-where-connecting
    rightsubnet=WanIp-where-connecting/subnet
    ike=aes256-sha1;modp1024
    phase2=esp
    phase2alg=aes256-sha1
    ikelifetime=8h
    keylife=1h

Can't connect, saying: "none of the proposed crypto suites was acceptable"

I also created a traffic rule

NAME: VPN, SOURCE: ANY, DESTINATION: FIREWALL, SERVICE: IPSEC, KERIO VPN, ACTION: ALLOW...

What did I do incorrectly?
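The thread uses two notations for cipher proposals: the `ike=` / `phase2alg=` / `pfs=` options in the ipsec.conf above, and the "Encryption-Integrity-DH Groups" strings from message #135215. The following added example (not from any poster and not Kerio code) converts the first notation into the second so the two can be compared line by line; the function names are assumptions and the sample input is a constructed excerpt of the conn section posted above.

```python
# Constructed sample: the cipher-related lines of the conn section posted above.
SAMPLE_CONN = """\
conn ConnectionName
    pfs=no
    ike=aes256-sha1;modp1024
    phase2alg=aes256-sha1
"""


def conn_options(text):
    """Collect key=value options from an ipsec.conf section, ignoring comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip().strip('"')
    return opts


def to_dash_form(alg, default_group):
    """'aes256-sha1;modp1024' -> 'aes256-sha1-modp1024'; no group -> default_group."""
    cipher, _, group = alg.partition(";")
    enc, _, integ = cipher.strip().partition("-")
    if not enc or not integ:
        raise ValueError(f"expected enc-integ[;group], got {alg!r}")
    group = group.strip() or default_group
    return "-".join(part.lower() for part in (enc, integ, group))


def suites(opts):
    """Phase 1 (ike=) and phase 2 (phase2alg=) proposals in Encryption-Integrity-DH form."""
    pfs_off = opts.get("pfs", "").lower() == "no"
    return {
        # A group missing from ike= is reported as-is rather than guessed.
        "phase1": to_dash_form(opts["ike"], "unspecified"),
        # With pfs=no and no group on phase2alg, phase 2 carries no DH group.
        "phase2": to_dash_form(opts["phase2alg"], "none" if pfs_off else "unspecified"),
    }


if __name__ == "__main__":
    print(suites(conn_options(SAMPLE_CONN)))
```

For the posted configuration this yields aes256-sha1-modp1024 for phase 1 and aes256-sha1-none for phase 2, the same two strings listed in message #135215.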

Re: IPSec fine tuning [message #146058 is a reply to message #145698] Tue, 25 June 2019 08:21
potiff
Messages: 7
Registered: April 2015
Refer to the attachment.

I can't post a link; google this: www.vioreliftode.com/index.php/on-premises-site-2-site-vpn-with-azure-using-tomato-shibby-mod-entware-ng-and-strongswan-setup-part-3
  • Attachment: azure.png
    (Size: 38.03KB, Downloaded 740 times)