IPSec fine tuning [message #126221]
Sat, 05 December 2015 21:39
Baguk
Messages: 18 Registered: March 2015
Dear Kerio Support, Dear All,
I'm still evaluating Kerio Control. I was almost ready to purchase a license after my latest achievement - to use Kerio Control to connect to Windows Azure. However, even though it was OK at first look, it does not seem to work for a production environment.
Well, the connection is established successfully to the "Static" Gateway, and you can reach resources on Azure. Everything is as it should be. However, five minutes later the connection is dropped and redialed again successfully. In the log there are a lot of repeating events:
[05/Dec/2015 21:23:59] TUNNELSTATUS(DOWN) firewall="xxx" hostip="" hostname="" name="Microsoft Azure" username=""
[05/Dec/2015 21:24:58] TUNNELSTATUS(UP) endpoint="yyy" firewall="xxx" hostip="" hostname="" name="Microsoft Azure" username=""
[05/Dec/2015 21:29:59] TUNNELSTATUS(DOWN) firewall="xxx" hostip="" hostname="" name="Microsoft Azure" username=""
[05/Dec/2015 21:30:58] TUNNELSTATUS(UP) endpoint="yyy" firewall="xxx" hostip="" hostname="" name="Microsoft Azure" username=""
which clearly identifies that the connection is disconnected and connected again and again from the Kerio. At the same time, the same connections were kept for months with Windows Server 2012 R2 RRAS and also StrongSwan. I assume that this is related to settings like key lifetime and so on, which could be configured by ipsec.conf.
My question in this case: can we configure ipsec.conf (or other settings of the IPSEC Tunnel) in detail, such as keylifetime and so on, as seems to be required by the industry standard Microsoft Azure?
Thank you!
Best Regards,
Baguk
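
The drop/redial pattern in the log above can be measured rather than eyeballed. This is an added example, not part of the original post or of Kerio's tooling: it parses TUNNELSTATUS lines and reports uptime, outage length and the DOWN-to-DOWN period. The function names and the `jitter_s` tolerance are assumptions made for illustration.

```python
import re
from datetime import datetime
from statistics import pstdev

# Lines 1-4 are the log lines quoted in the post; lines 5-6 are constructed
# here to continue the same pattern so that two full cycles are available.
SAMPLE_LOG = """\
[05/Dec/2015 21:23:59] TUNNELSTATUS(DOWN) firewall="xxx" hostip="" hostname="" name="Microsoft Azure" username=""
[05/Dec/2015 21:24:58] TUNNELSTATUS(UP) endpoint="yyy" firewall="xxx" hostip="" hostname="" name="Microsoft Azure" username=""
[05/Dec/2015 21:29:59] TUNNELSTATUS(DOWN) firewall="xxx" hostip="" hostname="" name="Microsoft Azure" username=""
[05/Dec/2015 21:30:58] TUNNELSTATUS(UP) endpoint="yyy" firewall="xxx" hostip="" hostname="" name="Microsoft Azure" username=""
[05/Dec/2015 21:35:59] TUNNELSTATUS(DOWN) firewall="xxx" hostip="" hostname="" name="Microsoft Azure" username=""
[05/Dec/2015 21:36:58] TUNNELSTATUS(UP) endpoint="yyy" firewall="xxx" hostip="" hostname="" name="Microsoft Azure" username=""
"""

LINE_RE = re.compile(r'^\[([^\]]+)\]\s+TUNNELSTATUS\((UP|DOWN)\)(.*)$')
NAME_RE = re.compile(r'\bname="([^"]*)"')  # \b keeps hostname="" from matching

def parse_events(text, tunnel):
    """Return [(datetime, 'UP'|'DOWN')] for one tunnel, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        name = NAME_RE.search(m.group(3)) if m else None
        if name and name.group(1) == tunnel:
            # %b assumes English month abbreviations, as in the quoted log.
            ts = datetime.strptime(m.group(1), "%d/%b/%Y %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def flap_report(text, tunnel, jitter_s=5.0):
    """Summarise tunnel flapping; jitter_s is an assumed tolerance."""
    events = parse_events(text, tunnel)
    uptimes, outages = [], []
    for (t0, s0), (t1, s1) in zip(events, events[1:]):
        gap = (t1 - t0).total_seconds()
        if (s0, s1) == ("UP", "DOWN"):
            uptimes.append(gap)
        elif (s0, s1) == ("DOWN", "UP"):
            outages.append(gap)
    downs = [t for t, s in events if s == "DOWN"]
    periods = [(b - a).total_seconds() for a, b in zip(downs, downs[1:])]
    # Two or more near-identical DOWN-to-DOWN periods suggest a timer
    # (lifetime, rekey, DPD) rather than random link loss.
    fixed = len(periods) >= 2 and pstdev(periods) <= jitter_s
    return {"uptimes_s": uptimes, "outages_s": outages,
            "down_period_s": periods, "fixed_interval": fixed}

if __name__ == "__main__":
    print(flap_report(SAMPLE_LOG, "Microsoft Azure"))
```

A constant period like this one is worth comparing against the lifetime and rekey values negotiated by both ends of the tunnel.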

Re: IPSec fine tuning [message #126263 is a reply to message #126221]
Tue, 08 December 2015 08:14
Baguk
Messages: 18 Registered: March 2015
Well, my experiments continue. I got a successful and stable working VPN tunnel to Azure by modifying the file /var/etc/ipsec.conf directly. I know this is not the proper way, as the file is automatically generated by Kerio. For me it was important to test whether the "correct" ipsec.conf solves the problem, and it obviously did. So my current question:
Is there any documentation on the winroute.cfg file available? I want to adjust this file in the corresponding way, so that the right ipsec.conf will be generated. I tried to use keywords in it, but they seem to be ignored. Does anybody have an idea about the schema for winroute.cfg?
Thank you and Best Regards!
Baguk

Re: IPSec fine tuning [message #135214 is a reply to message #126263]
Sun, 23 April 2017 21:47
potiff
Messages: 7 Registered: April 2015
Hi, sorry to bring up this old post.
Would you kindly share your configuration settings for connecting to Azure?
Mine is stuck at "none of the proposed crypto suites was acceptable".

Re: IPSec fine tuning [message #135215 is a reply to message #135214]
Mon, 24 April 2017 07:42
Baguk
Messages: 18 Registered: March 2015
Hi potiff,
Finally I changed the type of the Azure Gateway to static, so I can use the standard setup of Kerio with the following custom ciphers:
Encryption-Integrity-DH Groups
aes256-sha1-modp1024
aes256-sha1-none (no PFS)

Re: IPSec fine tuning [message #145698 is a reply to message #135224]
Fri, 03 May 2019 11:40
NETGRAMMER
Messages: 10 Registered: April 2019
Hello. I'm having the same problem; can you post the detailed configuration of Kerio?
I can connect to the IPSec VPN from Linux (ipsec.conf).
I need to configure that on Kerio.
config setup
    interfaces="%defaultroute"
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=
    oe=off
    protostack=netkey

conn ConnectionName
    type=tunnel
    authby=secret
    auto=start
    pfs=no
    keyexchange=ike
    left=My-Wan-IP
    leftsubnet=My-Wan-IP/Subnet
    right=WanIp-where-connecting
    rightsubnet=WanIp-where-connecting/subnet
    ike=aes256-sha1;modp1024
    phase2=esp
    phase2alg=aes256-sha1
    ikelifetime=8h
    keylife=1h

Can't connect, saying: "none of the proposed crypto suites was acceptable"
I also created a traffic rule
NAME: VPN, SOURCE: ANY, DESTINATION: FIREWALL, SERVICE: IPSEC, KERIO VPN, ACTION: ALLOW...
What did I do incorrectly?

Re: IPSec fine tuning [message #146058 is a reply to message #145698]
Tue, 25 June 2019 08:21
potiff
Messages: 7 Registered: April 2015
Refer to the attachment.
I can't post a link; google this: www.vioreliftode.com/index.php/on-premises-site-2-site-vpn-with-azure-using-tomato-shibby-mod-entware-ng-and-strongswan-setup-part-3
Attachment: azure.png