
Kerio User Forums » Kerio Control: Internal routers to other offices (long post)
  •  
luca.civinini@ctt

Messages: 32
Karma: 2
Hello,
I started playing with Kerio in September since this is the corporate firewall choice of my company. I've previously worked with Linux IPTABLES, ISA, and PIX & ASA appliances.

Today I replaced one of the company firewalls (an old ISA 2000) with a KWF box. Basically all worked well, but I'm facing a strange problem. This is the layout I'm dealing with:

OFFICE1
Subnet 172.16.0.0/24
Kerio machine: 172.16.0.1
PC1: 172.16.0.30
router to OFFICE2: 172.16.0.254

OFFICE2
Subnet 172.16.1.0/24
Kerio machine: 172.16.1.1
PC2: 172.16.1.30
router to OFFICE1: 172.16.1.254

Basically each office has an Internet connection managed by Kerio and a site-to-site connection via an MPLS WAN. The idea is that each client should use the MPLS for office-to-office traffic and Kerio for Internet access.
I also need Kerio as the default gateway for clients in both networks.
I've configured the proper routing in both Kerios and also configured an ACL to allow any traffic from trusted network to trusted network, but something strange occurs.

Consider both PC1 and PC2 as in the table above:
From PC1 I can ping PC2 (so routing seems to work), but if I try to connect via RDP to PC2 I fail. Now I ping PC1 from PC2 and I get replies. After those "cross pings" I can connect from PC1 to PC2 using RDP.

Based on my TCP/IP knowledge, I was expecting that Kerio would raise an ICMP redirect every time it gets packets that should be routed elsewhere, but it seems there are some exceptions.

When I ping PC2 from PC1, I can correctly see an entry in PC1's routing table saying that to reach PC2 it has to change the gateway to the MPLS router. But if I look at the routing table on PC2 (after the ping) I cannot see a similar entry. And in this case the connection from PC1 to PC2 doesn't work.

If I then ping PC1 from PC2, then the routing table entry appears on PC2 (as expected) and so the connection from PC1 to PC2 works.

I suspect that Kerio is dropping some packets. Let's start from the beginning (no routing table entry on PC1 and PC2):
1) PC1 sends a SYN to PC2
2) the SYN segment reaches the Kerio on PC1's network
3) Kerio sends an ICMP redirect to PC1, which then adds an entry to its routing table
4) the SYN packet flows through the MPLS line (i.e. routers 172.16.0.254 - 172.16.1.254) and reaches PC2
5) PC2 replies with a SYN+ACK.
6) The SYN+ACK packet reaches the Kerio on PC2's network.
7) Kerio sees a SYN+ACK packet but it's missing the SYN in its stateful table, so it drops the packet.

The same doesn't happen with ICMP (ping) because ICMP is a stateless protocol.

Does it make sense or did I miss something in the configuration?
Thanks for your patience and support

LC
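The seven-step sequence above, as an added Python model (not from any poster and not Kerio's actual implementation): two stateful firewalls that drop a SYN+ACK whose SYN they never saw, hosts that learn a more specific route from an ICMP redirect, and the observation that a "cross ping" makes the RDP handshake succeed. The model assumes that a host learns a redirect only when its firewall forwards a flow-opening packet (SYN or echo request), which is a simplification chosen to reproduce the observations in the thread.

```python
from dataclasses import dataclass, field

@dataclass
class Firewall:
    """Models Require3WayHandshake: SYN+ACK with no matching SYN is dropped; ICMP passes statelessly."""
    seen_syn: set = field(default_factory=set)

    def forward(self, proto, src, dst, flags):
        if proto == "icmp":
            return "pass"                 # no state kept for ping, as the poster reasons
        if flags == "SYN":
            self.seen_syn.add((src, dst))
            return "pass"
        if flags == "SYN+ACK" and (dst, src) not in self.seen_syn:
            return "drop"                 # half-open flow: the SYN went via MPLS, not here
        return "pass"

@dataclass
class Host:
    name: str
    firewall: Firewall                    # the office Kerio is the default gateway
    routes: set = field(default_factory=set)   # peers reached directly via the MPLS router

def send(src, dst, proto, flags):
    """Deliver one packet from src to dst; returns 'pass' or 'drop'."""
    if dst.name in src.routes:
        return "pass"                     # direct via MPLS, the firewall never sees it
    verdict = src.firewall.forward(proto, src.name, dst.name, flags)
    # Model assumption: an ICMP redirect is learned only when the firewall
    # forwards the packet that opens a flow (reproduces the thread's observations).
    if verdict == "pass" and flags in ("SYN", "echo-request"):
        src.routes.add(dst.name)
    return verdict

def rdp_attempt(pc1, pc2):
    return (send(pc1, pc2, "tcp", "SYN") == "pass"
            and send(pc2, pc1, "tcp", "SYN+ACK") == "pass")

def offices():
    return Host("PC1", Firewall()), Host("PC2", Firewall())

def rdp_without_cross_ping():
    pc1, pc2 = offices()
    return rdp_attempt(pc1, pc2)          # False: SYN+ACK dropped by the office 2 firewall

def rdp_after_cross_ping():
    pc1, pc2 = offices()
    for a, b in ((pc1, pc2), (pc2, pc1)):  # ping each way, as in the thread
        send(a, b, "icmp", "echo-request"); send(b, a, "icmp", "echo-reply")
    return rdp_attempt(pc1, pc2)          # True: both hosts now bypass their firewall
```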
  •  
Jan Jezek (Kerio)

Messages: 103
Karma: 0
I don't quite understand why the redirect works for ping and not for RDP. Perhaps there's something in the traffic policy. Nonetheless, in this scenario, you may want to disable Require3WayHandshake in the winroute.cfg files on both sides (when the firewall is stopped).

Jan Jezek
Product Development Manager - Kerio Control
Kerio Technologies
  •  
luca.civinini@ctt

Messages: 32
Karma: 2
The only reason I see is that PING (ICMP) is stateless, so since Kerio doesn't have the state for ICMP (although it should use the ICMP ID to properly evaluate each reply) it passes the packet.

Thanks for the info on the key in the configuration file, but before trying such a solution I would like to know if this setting will disable the check on all interfaces, thus exposing my external interface to some kind of attacks (out of order).

Thanks for the reply

LC
  •  
cantalwayswin

Messages: 1
Karma: 0
Can you treat the MPLS as just another internet connection then setup VPN to route the interoffice traffic? I know this is adding an otherwise unnecessary layer, but it should work.
  •  
luca.civinini@ctt

Messages: 32
Karma: 2
Hello,
this is of course an option, but the big issue is that the MPLS WAN is not under my control and it's quite difficult to get any configuration from the carrier we use.

I'll probably configure an L3 switch (used for servers) in both offices to act as the default gateway for all clients.

Will keep the community informed about my solution.
  •  
icalvo

Messages: 1
Karma: 0
I have the same problem as Luca.
Any solution, please?????

thanks in advance
  •  
luca.civinini@ctt

Messages: 32
Karma: 2
Hello icalvo,
I'm still facing the problem above. In the meanwhile I mitigated the issue using DHCP to pass additional routes to my clients. It will work only if your clients are at least Windows XP and if your DHCP server is 2003 (mine is 2K so I used the Win2003 DHCP MMC to configure those options).

From my point of view, the best answer is to use a "real router" for that job. In my network I ended up asking my provider to modify the config of their MPLS routers so they know the 0.0.0.0/0 route (this route is "local" to each router and will not be passed through MPLS). I'm still working on it and hope to solve the issue within November.

If the provider won't cooperate on such a config, I plan to buy some low-level routers with a single interface (like Cisco 1800), put one in each office and use them as the default gateway for clients.

I decided not to disable the Require3WayHandshake because I think it would really weaken my firewalls (on most sites Kerio is directly connected to Internet).

I also tried to use the RRAS feature of Win2003, but it didn't work because (I think) Kerio is working at a lower level (device driver level) and so packets are not passed to the RRAS service.

It would be nice if, in a future release, Kerio would provide a way to disable the Require3WayHandshake parameter per interface.

Ciao