Kerio User Forums » Kerio Control » Kerio Control Site to Site VPN with Cisco RV082
Scott
I have been trying to connect my Kerio Control 8 box to a Cisco RV082 to establish a site-to-site VPN. I have had no success. Has anyone had any success with this, and what settings should I try? I have read the doc on the Kerio site on how to set up a VPN, but I am not making any progress with any combination.

Kerio Firewall
Active or Passive?
Local ID (host name of firewall)
Remote ID ????

Cisco RV082 (here is the help doc from it... I am at a loss as to how to configure it)
Add a New Tunnel

Tunnel No: The ID number, which is automatically generated
Tunnel Name: Enter a name for this VPN tunnel, such as Los Angeles Office, Chicago Branch, or New York Division. This description is for your reference. It does not have to match the name used at the other end of the tunnel.
Interface: Select the WAN port to use for this tunnel.
Enable: Check this box to enable a VPN tunnel. (When you create a VPN tunnel, this check box will be disabled.)

Local Group Setup and Remote Group Setup

Enter the settings described below. The Local settings are for this router, and the Remote settings are for the router on the other end of the tunnel. Be sure to mirror these settings when configuring the VPN tunnel on the other router.

Local/Remote Security Gateway Type: Specify the method for identifying the router to establish the VPN tunnel. The Local Security Gateway is on this router; the Remote Security Gateway is on the other router. At least one of the routers must have either a static IP address or a dynamic DNS hostname to make a connection.
IP Only: Choose this option if this router has a static WAN IP address. The WAN IP address appears automatically.

For the Remote Security Gateway Type, an extra field appears. If you know the IP address of the remote VPN router, choose IP Address, and then enter the address. If you do not know the IP address of the remote VPN router, select IP by DNS Resolved, and then enter the real domain name of the router on the Internet. Cisco RV082 will get the IP address of remote VPN device by DNS Resolved, and IP address of remote VPN device will be displayed in the VPN Status section of the Summary page.
IP + Domain Name (FQDN) Authentication: Choose this option if this router has a static IP address and a registered domain name. Also enter the Domain Name to use for authentication. The domain name can be used only for one tunnel connection.

For the Remote Security Gateway Type, an extra field appears. If you know the IP address of the remote VPN router, choose IP Address, and then enter the address. If you do not know the IP address of the remote VPN router, select IP by DNS Resolved, and then enter the real domain name of the router on the Internet. Cisco RV082 will get the IP address of remote VPN device by DNS Resolved, and IP address of remote VPN device will be displayed in the VPN Status section of the Summary page.
IP + E-mail Addr.(USER FQDN) Authentication: Choose this option if this router has a static IP address and you want to use an email address for authentication. The current WAN IP address appears automatically. Enter any Email Address to use for authentication.

For the Remote Security Gateway Type, an extra field appears. If you know the IP address of the remote VPN router, choose IP Address, and then enter the address. If you do not know the IP address of the remote VPN router, select IP by DNS Resolved, and then enter the real domain name of the router on the Internet. Cisco RV082 will get the IP address of remote VPN device by DNS Resolved, and IP address of remote VPN device will be displayed in the VPN Status section of the Summary page.
Dynamic IP + Domain Name (FQDN) Authentication: Choose this option if this router has a dynamic IP address and a registered Dynamic DNS hostname (available from providers such as DynDNS.com). Enter the Domain Name to use for authentication. The domain name can be used only for one tunnel connection.
Dynamic IP + E-mail Addr.(USER FQDN) Authentication: Choose this option if this router has a dynamic IP address and does not have a Dynamic DNS hostname. Enter any Email Address to use for authentication.

If both routers have dynamic IP addresses (as with PPPoE connections), do not choose Dynamic IP + Email Addr. for both gateways. For the remote gateway, choose IP Address and IP Address by DNS Resolved.
Local/Remote Security Group Type: Specify the LAN resources that can be accessed from this tunnel. The Local Security Group is for this router's LAN resources; the Remote Security Group is for the other router's LAN resources.
IP Address: Choose this option to specify one device. Then enter the IP address of the device. Only this device can be accessed from this tunnel.
Subnet: Choose this option (the default option) to allow all devices on a subnet to be accessed from the VPN tunnel. Then enter the subnetwork IP address and mask.
IP Range: Choose this option to allow a range of devices to be accessed from the VPN tunnel. Then identify the range of IP addresses by entering the first address in the Begin IP field and the final address in the End IP field.

IPSec Setup

Enter the Internet Protocol Security settings for this tunnel. Be sure to enter the same settings when configuring the VPN tunnel on the other router.

IMPORTANT: In order for any encryption to occur, the two ends of a VPN tunnel must agree on the methods of encryption, decryption, and authentication. Enter exactly the same settings on both routers.

Keying Mode: Choose one of the following key management methods:
Manual: Choose this option if you want to generate the key yourself and you do not want to enable key negotiation. Manual key management is used in small static environments or for troubleshooting purposes. Enter the required settings. For information, see Required fields for Manual mode.
IKE with Preshared Key: Choose this option to use the Internet Key Exchange protocol to set up a Security Association (SA) for your tunnel. IKE uses a preshared key to authenticate the remote IKE peer. This setting is recommended and is selected by default. Enter the required settings. For more information, see Required fields for IKE with Preshared Key and Advanced settings for IKE with Preshared Key.
Required fields for Manual mode

Enter the settings for manual mode. Be sure to enter the same settings when configuring the other router for this tunnel. The Incoming / Outgoing SPI settings must be mirrored on the other router.
Incoming / Outgoing SPI: The Security Parameter Index is carried in the ESP (Encapsulating Security Payload Protocol) header and enables the receiver and sender to select the security association, under which a packet should be processed. You can enter hexadecimal values from 100~ffffffff. Each tunnel must have a unique Incoming SPI and Outgoing SPI. No two tunnels share the same SPI. The Incoming SPI here must match the Outgoing SPI value at the other end of the tunnel, and vice versa.
Encryption: Select a method of encryption: DES or 3DES. This setting determines the length of the key used to encrypt or decrypt ESP packets. DES is 56-bit encryption and 3DES is 168-bit encryption. 3DES is recommended because it is more secure.
Authentication: Select a method of authentication: MD5 or SHA1. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA1 is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method.
Encryption Key: Enter a key to use to encrypt and decrypt IP traffic. If you selected DES encryption, enter 16 hexadecimal values. If you selected 3DES encryption enter 40 hexadecimal values. If you do not enter enough hexadecimal values, then zeroes will be appended to the key to meet the required length.
Authentication Key: Enter a key to use to authenticate IP traffic. If you selected MD5 authentication, enter 32 hexadecimal values. If you selected SHA, enter 40 hexadecimal values. If you do not enter enough hexadecimal values, then zeroes will be appended to the key to meet the required length.
Required fields for IKE with Preshared Key

Enter the settings for Phase 1 and Phase 2. Phase 1 establishes the preshared keys to create a secure authenticated communication channel. In Phase 2, the IKE peers use the secure channel to negotiate Security Associations on behalf of other services such as IPsec. Be sure to enter the same settings when configuring the other router for this tunnel.
Phase 1 / Phase 2 DH Group: DH (Diffie-Hellman) is a key exchange protocol. There are three groups of different prime key lengths: Group 1 - 768 bits, Group 2 - 1,024 bits, and Group 5 - 1,536 bits. For faster speed but lower security, choose Group 1. For slower speed but higher security, choose Group 5. Group 1 is selected by default.
Phase 1 / Phase 2 Encryption: Select a method of encryption for this phase: DES, 3DES, AES-128, AES-192, or AES-256. The method determines the length of the key used to encrypt or decrypt ESP packets. AES-256 is recommended because it is more secure.
Phase 1 / Phase 2 Authentication: Select a method of authentication for this phase: MD5 or SHA. The authentication method determines how the ESP (Encapsulating Security Payload Protocol) header packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA is a one-way hashing algorithm that produces a 160-bit digest. SHA is recommended because it is more secure. Make sure both ends of the VPN tunnel use the same authentication method.
Phase 1 / Phase 2 SA Life Time: Configure the length of time a VPN tunnel is active in this phase. The default value for Phase 1 is 28800 seconds. The default value for Phase 2 is 3600 seconds.
Perfect Forward Secrecy: If the Perfect Forward Secrecy (PFS) feature is enabled, IKE Phase 2 negotiation will generate new key material for IP traffic encryption and authentication, so hackers using brute force to break encryption keys will not be able to obtain future IPSec keys. Check the box to enable this feature, or uncheck the box to disable this feature. This feature is recommended.
Preshared Key: Enter a pre-shared key to use to authenticate the remote IKE peer. You can enter up to 30 keyboard characters and hexadecimal values, such as My_<_at_>123 or 4d795f40313233. Both ends of the VPN tunnel must use the same Preshared Key. It is strongly recommended that you change the Preshared Key periodically to maximize VPN security.
Minimum Preshared Key Complexity: Check the Enable box if you want to enable the Preshared Key Strength Meter.
Preshared Key Strength Meter: If you enable Minimum Preshared Key Complexity, this meter indicates the preshared key strength. As you enter a preshared key, colored bars appear. The scale goes from red (weak) to yellow (acceptable) to green (strong).

TIP: Enter a complex preshared key that includes more than eight characters, upper- and lowercase letters, numbers, and symbols such as -*^+=.
Advanced settings for IKE with Preshared Key

When the Keying Mode is set to IKE with Preshared Key mode, advanced settings are available. For most users, the basic settings should suffice; advanced users can click Advanced + to view the advanced settings. To hide these settings, click Advanced -.
Aggressive Mode: Two modes of IKE SA negotiation are possible: Main Mode and Aggressive Mode. If network security is preferred, Main Mode is recommended. If network speed is preferred, Aggressive Mode is recommended. You can adjust this setting if the Remote Security Gateway Type is IP Only or one of the IP + types. Check this box to enable Aggressive Mode, or uncheck the box to disable Aggressive Mode and use Main Mode.

NOTE: If the Remote Security Gateway Type is one of the Dynamic IP types, Aggressive Mode is required. The box is checked automatically, and this setting cannot be changed.
Compress (Support IP Payload Compression Protocol (IP Comp)): IP Comp is a protocol that reduces the size of IP datagrams. Check the box to enable the router to propose compression when it initiates a connection. If the responder rejects this proposal, then the router will not implement compression. When the router works as a responder, it will always accept compression, even if compression is not enabled. If you enable this feature for this router, also enable it on the router at the other end of the tunnel.
Keep-Alive: This feature enables the router to attempt to automatically re-establish the VPN connection if it is dropped. Check the box to enable this feature, or uncheck the box to disable it.
AH Hash Algorithm: The AH (Authentication Header) protocol describes the packet format and default standards for packet structure. With the use of AH as the security protocol, protection is extended forward into the IP header to verify the integrity of the entire packet. Check the box to use this feature. Then select an authentication method: MD5 or SHA1. MD5 produces a 128-bit digest to authenticate packet data. SHA produces a 160-bit digest to authenticate packet data. Both sides of the tunnel should use the same algorithm.
NetBIOS Broadcast: NetBIOS broadcast messages are used for name resolution in Windows networking, to identify resources such as computers, printers, and file servers. These messages are used by some software applications and Windows features such as Network Neighborhood. LAN broadcast traffic is typically not forwarded over a VPN tunnel. However, you can check this box to allow NetBIOS broadcasts from one end of the tunnel to be rebroadcast to the other end.
NAT Traversal: Network Address Translation (NAT) enables users with private LAN addresses to access Internet resources by using a publicly routable IP address as the source address. However, for inbound traffic, the NAT gateway has no automatic method of translating the public IP address to a particular destination on the private LAN. This issue prevents successful IPsec exchanges. If your VPN router is behind a NAT gateway, check this box to enable NAT traversal. Uncheck the box to disable this feature. The same setting must be used on both ends of the tunnel.
Dead Peer Detection (DPD): Check the box to enable the router to send periodic HELLO/ACK messages to check the status of the VPN tunnel. This feature can be used only when it is enabled on both ends of the VPN tunnel. Specify the interval between HELLO/ACK messages (how often you want the messages to be sent).

Tunnel Backup: When DPD determines that the remote peer is unavailable, this feature enables the router to re-establish the VPN tunnel by using either an alternative IP address for the remote peer or an alternative local WAN interface. Check the box to enable this feature. Then enter the settings described below. This feature is available only if Dead Peer Detection is enabled.

Remote Backup IP Address: Specify an alternative IP address for the remote peer, or re-enter the WAN IP address that was already set for the remote gateway.

Local Interface: Choose the WAN interface to use to reestablish the connection.

VPN Tunnel Backup Idle Time: This setting is used when the router boots up. If the primary tunnel is not connected within the specified period, then the backup tunnel is used. The default idle time is 30 seconds.
Split DNS: Split DNS enables the router to send some DNS requests to one DNS server and other DNS requests to another DNS server, based on specified domain names. When the router receives an address resolution request from a client, it inspects the domain name. If it matches one of the domain names in the Split DNS settings, then it passes the request to the specified DNS server. Otherwise, the request is passed to the DNS server that is specified in the WAN interface settings. Check the box to enable this feature, or uncheck the box to disable it.

DNS1: Specify the IP address of the DNS server to use for the specified domains. Optionally, specify a secondary DNS server in the DNS2 field.

Domain Name 1 - Domain Name 4: Specify the domain names for these DNS servers. Requests for these domains will be passed to the specified DNS server(s).

Any help would be appreciated.

Thanks,

Scott
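Every field in the Cisco help text above is either mirrored between the two routers (Local/Remote Security Gateway and Group) or must be identical on both (IKE proposals, PFS, mode, preshared key), and a dynamically addressed peer forces Aggressive Mode. The following is an added example, not code from the post or from Kerio or Cisco, that checks two constructed endpoint descriptions against those rules; the field names, the sample addresses and the mapping of Kerio's Local ID / Remote ID onto the identities each side presents and expects are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    """One side of the tunnel, as each router's form describes it (assumed field names)."""
    name: str
    gateway_type: str      # "IP Only", "IP + FQDN", "Dynamic IP + FQDN", ...
    local_id: str          # identity this router presents (WAN IP or FQDN)
    remote_id: str         # identity it expects from the peer
    local_subnet: str      # Local Security Group (this router's LAN)
    remote_subnet: str     # Remote Security Group (the peer's LAN)
    phase1: dict           # dh, enc, auth, lifetime
    phase2: dict
    pfs: bool
    aggressive: bool
    psk: str

def check_pair(a, b):
    """Return every setting that is not mirrored or not identical between a and b."""
    problems = []
    for me, peer in ((a, b), (b, a)):
        # Mirrored fields: my local value must be the peer's remote value.
        if me.local_id != peer.remote_id:
            problems.append(f"{peer.name} remote ID {peer.remote_id} != {me.name} local ID {me.local_id}")
        if me.local_subnet != peer.remote_subnet:
            problems.append(f"{peer.name} remote group {peer.remote_subnet} != {me.name} local group {me.local_subnet}")
        # A dynamically addressed peer has no fixed IP to be identified by,
        # so the RV082 help text makes Aggressive Mode mandatory in that case.
        if peer.gateway_type.startswith("Dynamic IP") and not me.aggressive:
            problems.append(f"{me.name}: peer is {peer.gateway_type} but Aggressive Mode is off")
    # Identical fields: IKE proposals per phase, PFS, mode and preshared key.
    for phase in ("phase1", "phase2"):
        pa, pb = getattr(a, phase), getattr(b, phase)
        for key in sorted(set(pa) | set(pb)):
            if pa.get(key) != pb.get(key):
                problems.append(f"{phase} {key}: {a.name}={pa.get(key)} {b.name}={pb.get(key)}")
    for attr in ("pfs", "aggressive", "psk"):
        if getattr(a, attr) != getattr(b, attr):
            problems.append(f"{attr} differs between {a.name} and {b.name}")
    if len(a.psk) <= 8:  # the help text's TIP asks for more than eight characters
        problems.append("preshared key is not longer than eight characters")
    return problems

# Constructed sample: the Kerio side has a static IP, the RV082 side a DDNS name.
PROPOSAL = {"dh": 2, "enc": "AES-256", "auth": "SHA", "lifetime": 28800}
KERIO = Endpoint("kerio", "IP Only", "203.0.113.10", "branch.example.net",
                 "192.168.1.0/24", "192.168.2.0/24", PROPOSAL,
                 {**PROPOSAL, "lifetime": 3600}, True, True, "Rv082-K3rio-Tunn3l")
RV082 = Endpoint("rv082", "Dynamic IP + FQDN", "branch.example.net", "203.0.113.10",
                 "192.168.2.0/24", "192.168.1.0/24", PROPOSAL,
                 {**PROPOSAL, "lifetime": 3600, "dh": 1}, False, True, "Rv082-K3rio-Tunn3l")

if __name__ == "__main__":
    for p in check_pair(KERIO, RV082):  # Phase 2 DH group left at default 1, PFS unticked
        print("MISMATCH:", p)
```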
gboguenon
Have you been able to get this to work?
I have a Kerio firewall behind a fixed public IP address. The other end has a Linksys Cisco RV042 VPN router sitting behind a dynamic public address.
I have not been able to set up a site-to-site VPN between the Kerio and the RV042 using IPsec. Has anyone been able to do this?