VPN / Load Balancing / Routing Problem (Kerio User Forums » Kerio Control)

kellydanielc
Hi all,

I am having issues with the Kerio-to-Kerio VPN in relation to using it with load-balanced internet links. To explain the issue, here is my setup:

Main Site -> 3 Internet Links -> 2 of them 0% load balanced, using traffic policies to separate the traffic on each link

Link 1 -> Dedicated to VPN (VPN)
Link 2 -> Dedicated to Email / Web (DIALIN)
Link 3 -> Web traffic and everything else (WEB)

For demonstration, the IP address of the public interface of each link is:

Link 1 -> 203.1.1.1
Link 2 -> 203.2.2.2
Link 3 -> Dynamic IP

VPN Server -> 172.27.156.1

The Remote VPN site has a single internet connection. Public IP 203.4.4.4

So I have created the Kerio VPN rule for connecting the two sites with a Translation set to NAT(VPN) so it forces it to go out the VPN link (Link 1). I have a similar rule forcing SMTP / WebMail etc. to be translated to NAT(DIALIN) so it uses Link 2. There is also the default rule which forces everything else out NAT(Web) so it uses Link 3. Now here is where the problem occurs, and I can't see where it is being created:

I create the VPN link between the two sites. The tunnel is established and I can ping and do all the VPN related functions correctly.

However when I try to browse the webmail server from the remote site using the external IP address / DNS name it fails. For example from the remote site I try to browse https://203.2.2.2/exchange it times out. When I try to browse the internal IP address of the exchange server across the VPN it works. https://192.168.100.3/exchange.

I have a Port Forwarding rule that takes all HTTPS traffic from Link2 and Translates it to the same port on the internal address 192.168.100.3

Further diagnosis of the problem led me into the routing table. When the VPN connection is being established, a new System route is created with the following details:

System Route
Network = 203.4.4.4 (Remote networks Public IP Address)
Mask = 255.255.255.255
Gateway = 10.1.1.1 (Gateway of Link 3 which is Web connection)
Interface = Web (Link3)
Metric = 10

So when the remote site tries to browse the webmail site, I trace the packet: it comes in via Link 2 and gets passed on to the local connection, then the packet goes back out the Link 3 connection (due to the above system route) and hence fails, since it should be going out Link 2, which is where the packet came in from.

All I have to do to get it to work is delete the route, but whenever the VPN restarts or Kerio restarts, that route is automatically re-added.

So I can't see why Kerio is creating that rule, or where it is getting Link 3 from to create the route.

Does anyone have any insight or ideas, or need me to post more information?

Thanks in advance.
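The return-path problem described in the post above, modelled as an added Python example. This is not Kerio Control code and does not reproduce its forwarding engine; it is a simplified model with two stated assumptions: destination lookup is longest-prefix match with the lowest metric breaking ties, and a stateful port-forward answers on the interface the request arrived on only when nothing more specific than the default route matches the client. The second assumption is inferred from the post itself (deleting the /32 made the reply leave on Link 2 again). The routing table uses the post's own values (default route via 10.1.1.1 on "Web", LAN 192.168.100.0/24, host route 203.4.4.4/32 via Link 3); the interface names Web, DIALIN and LAN follow the post, and the second client address 198.51.100.7 is constructed.

```python
"""Model of how a /32 host route for the VPN peer breaks the return path
of a port-forwarded connection that arrived on a different link.

Added illustration, not Kerio Control code. Assumptions:
  * longest-prefix match, lowest metric wins on equal prefix length;
  * a reply to a port-forwarded (stateful NAT) connection goes back out the
    ingress interface only when the client matches nothing more specific
    than the default route (inferred from the post, not documented).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    network: IPv4Network  # destination prefix
    gateway: str
    interface: str
    metric: int


@dataclass(frozen=True)
class Flow:
    """One port-forwarded connection as seen by the firewall."""
    client: IPv4Address  # public address the request came from
    ingress: str         # interface the request arrived on
    service: str


def lookup(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match; lowest metric wins among equal-length prefixes."""
    matches = [r for r in table if dst in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def reply_interface(table: List[Route], flow: Flow) -> str:
    """Interface the reply leaves on under the model's assumptions.

    Only a default-route hit falls back to the ingress interface; a more
    specific route (such as the /32 the VPN installs) overrides that.
    """
    route = lookup(table, flow.client)
    if route is None or route.network.prefixlen == 0:
        return flow.ingress
    return route.interface


def asymmetric_flows(table: List[Route], flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """(flow, egress) pairs whose reply would leave on a different interface
    than the request arrived on, i.e. the connections that will time out."""
    out: List[Tuple[Flow, str]] = []
    for f in flows:
        egress = reply_interface(table, f)
        if egress != f.ingress:
            out.append((f, egress))
    return out


# Routing table reconstructed from the post: Link 3 ("Web", gateway 10.1.1.1)
# carries the default route, the LAN is 192.168.100.0/24, and the VPN adds a
# host route for the remote site's public IP 203.4.4.4 via Link 3.
BASE_TABLE = [
    Route(IPv4Network("0.0.0.0/0"), "10.1.1.1", "Web", 10),
    Route(IPv4Network("192.168.100.0/24"), "0.0.0.0", "LAN", 1),
]
VPN_HOST_ROUTE = Route(IPv4Network("203.4.4.4/32"), "10.1.1.1", "Web", 10)
TABLE_WITH_HOST_ROUTE = BASE_TABLE + [VPN_HOST_ROUTE]

# Constructed flows: the remote site's webmail request arriving on Link 2
# ("DIALIN"), and an unrelated SMTP client (198.51.100.7 is a documentation
# address, not from the post).
FLOWS = [
    Flow(IPv4Address("203.4.4.4"), "DIALIN", "https/webmail"),
    Flow(IPv4Address("198.51.100.7"), "DIALIN", "smtp"),
]


if __name__ == "__main__":
    for name, table in (("with /32", TABLE_WITH_HOST_ROUTE), ("without /32", BASE_TABLE)):
        bad = asymmetric_flows(table, FLOWS)
        print(f"{name}: {len(bad)} asymmetric flow(s)")
        for flow, egress in bad:
            print(f"  {flow.service} from {flow.client}: in {flow.ingress}, reply out {egress}")
```

Run as a script it reports one asymmetric flow (the webmail reply to 203.4.4.4 leaving on Web instead of DIALIN) with the host route present and none without it. Only the peer that has a host route is affected; the unrelated SMTP client keeps a symmetric path either way, which is the check worth repeating on a real firewall whenever a tunnel installs a host route for a peer that also reaches the site over another link.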

Jan Jezek (Kerio)
Well, you probably ran into a very interesting bug. I will file it into our bug tracking system and we'll see what can be done about it.

Since all of your load balancing is done manually (you use specific interfaces in your NAT traffic rules), there is an easy workaround. On the Interfaces screen, set your link3 bandwidth to zero and your link1 (the VPN link) bandwidth so it has the highest value of all the three links. Again, since your load balancing is manual, that should not affect how the traffic is distributed. Then disable/enable the VPN tunnel.

Jan Jezek
Product Development Manager - Kerio Control
Kerio Technologies
kellydanielc
Jan,

Thank you for your response. I have been pulling my hair out for days trying to fix this problem. I have re-adjusted the link load balancing and the system is working perfectly.

Thank you again.

Daniel.
giampos
kellydanielc wrote on Wed, 10 June 2009 00:38:

    Hi all,

    So I have created the Kerio VPN rule for connecting the two sites with a Translation set to NAT(VPN) so it forces it to go out the VPN link (Link 1). I have a similar rule forcing SMTP / WebMail etc. to be translated to NAT(DIALIN) so it uses Link 2. There is also the default rule which forces everything else out NAT(Web) so it uses Link 3. Now here is where the problem occurs, and I can't see where it is being created:

Please, can you show me a rule example to force the VPN tunnel to a specific interface, and force services (SMTP, HTTP) to another?
And how can you create a manual fail-over for the VPN tunnel?
enman
Everything looks wonderful, unless you take into account that a connection to an external server with multiple network interfaces will be possible only to the address on which the VPN connection is established. Since the VPN server adds routes to the routing table, all connections go through the default gateway. The result is asymmetric routing: a packet that arrives at one interface goes back out through the other interface. It took me a month to figure out that it is all the same bug.

After connecting the VPN tunnel, I cannot connect to any of the server's external addresses other than the one on which the connection is established. After you remove the routes from the routing table everything works fine, but when it reconnects they are added again.

English is not my language; I am sorry for my bad English. But I read better than I write. Google helped me to write this text. Thank you for your answers.

[Updated on: Sat, 24 July 2010 13:56]

llxmanll
This issue:
there are two offices, each office has its own LAN, and you want to join these two offices via a VPN tunnel through the Internet.
Two PCs act as routers: one is Windows Server 2003 with Control 7.0.1, the second is Windows Server 2008 SP2 with Control 7.0.1.
Each computer has 2 network cards: one for the office LAN, the other for the local provider; the ISP's Internet access is connected with an L2TP connection through its local network.
In the end we have 3 interfaces:
- Local provider
- Local office
- Inet provider (L2TP VPN)

Create the WinRoute VPN tunnel on both; everything looks wonderful, with simple rules allowing everything everywhere. Routes on all machines are default.
The VPN connects from the 2008 server's WinRoute to the 2003 server, i.e. 2008 active, 2003 passive.
The VPN connects, and on 2003 there is no problem. But on 2008 the external IP to which it is connected becomes unavailable. WinRoute automatically adds a route of the type "IP of passive PC to LAN ISP", which means it wants to get to the Internet through the local one ... and the Internet is not there.

As a result nothing works; how do I solve the problem? Perhaps WinRoute simply does not work properly with Win2008.
Under Win2003 a similar route was added, but its destination is, as it should be, the VPN-Internet interface.

Screenshot of the route below.

Sorry for my English. It is not my native language. I hope this helps.

[Attachment: 12321312.jpg (screenshot of the routing table)]
Jan Jezek (Kerio)
You have two default routes in the routing table on your system. That's the reason. If somehow you could remove the default route to 192.168.1.1, that would help.

Jan Jezek
Product Development Manager - Kerio Control
Kerio Technologies
llxmanll
If you delete the route to 192.168.1.1, the IP address of the provider to which the VPN connects will not be available. 192.168.1.1 is the main gateway of the ISP LAN. There are no such problems on Server 2003.

[Updated on: Thu, 26 August 2010 21:49]
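A check for the condition Jan Jezek points at (two default routes on the Windows 2008 box), together with the concern raised in the reply above (deleting the default via 192.168.1.1 makes the provider's L2TP endpoint unreachable). This is an added Python example, not Kerio or Microsoft code. It parses a constructed "route print" dump in the standard Windows layout: the 192.168.1.1 gateway is the one named in the thread, while the interface address 192.168.1.10, the L2TP-side addresses 10.20.30.1 / 10.20.30.5, the office LAN 192.168.10.0/24 and the L2TP server address 203.0.113.5 are made up. propose_fix() is a hypothetical helper that emits the usual remedy: keep one default route (via the L2TP interface), delete the other, and replace it with a /32 route for the L2TP endpoint via 192.168.1.1 so the tunnel can still be brought up.

```python
"""Find competing default routes in a Windows "route print" dump and
suggest route commands that remove the extra one without losing the
provider's L2TP endpoint.

Added example, not Kerio code. The dump is constructed; only 192.168.1.1
comes from the thread.
"""
import re
from typing import List, Tuple

ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.10     20
          0.0.0.0          0.0.0.0       10.20.30.1       10.20.30.5     21
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.10    276
      192.168.1.1  255.255.255.255         On-link      192.168.1.10    276
     192.168.10.0    255.255.255.0         On-link      192.168.10.1    276
===========================================================================
"""

Route = Tuple[str, str, str, str, int]  # destination, netmask, gateway, interface, metric
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_route_print(text: str) -> List[Route]:
    """Return the active IPv4 routes from a 'route print' dump."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or not IPV4.match(m.group(1)):
            continue  # titles, separators and column headers
        dest, mask, gw, iface, metric = m.groups()
        routes.append((dest, mask, gw, iface, int(metric)))
    return routes


def default_routes(routes: List[Route]) -> List[Route]:
    """All 0.0.0.0/0 entries; more than one means the box has two defaults."""
    return [r for r in routes if r[0] == "0.0.0.0" and r[1] == "0.0.0.0"]


def propose_fix(routes: List[Route], keep_gateway: str, l2tp_server: str) -> List[str]:
    """Hypothetical helper: 'route' commands that leave a single default
    route via keep_gateway. Each other default route is deleted and replaced
    by a persistent /32 to the L2TP server via its old gateway, so the
    tunnel endpoint stays reachable through the provider LAN."""
    cmds: List[str] = []
    for dest, mask, gw, _iface, _metric in default_routes(routes):
        if gw == keep_gateway:
            continue
        cmds.append(f"route delete {dest} mask {mask} {gw}")
        cmds.append(f"route -p add {l2tp_server} mask 255.255.255.255 {gw}")
    return cmds


if __name__ == "__main__":
    routes = parse_route_print(ROUTE_PRINT)
    defaults = default_routes(routes)
    print(f"{len(defaults)} default route(s):")
    for _, _, gw, iface, metric in defaults:
        print(f"  via {gw} on {iface} (metric {metric})")
    if len(defaults) > 1:
        print("suggested commands:")
        for cmd in propose_fix(routes, keep_gateway="10.20.30.1", l2tp_server="203.0.113.5"):
            print("  " + cmd)
```

The constructed dump shows the situation from the thread: a default via the provider LAN gateway 192.168.1.1 and a second via the L2TP interface. Keeping the L2TP default and pinning only the L2TP server's address to 192.168.1.1 is the standard way to satisfy both posts, since the only thing the provider LAN must reach is the tunnel endpoint itself.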
