IPSEC VPN Problem (IPSEC VPN with Kerio Control behind router)
  •  
AndrisGazda

Cannot connect from the internet to Kerio Control, which is behind a Mikrotik RB450G router, with IPSEC VPN. I've set the forwardings on the router, but still cannot connect; the preshared key is the same. As I found on the internet, IPSEC doesn't work when the VPN/authentication server is behind NAT/firewall, as in my case. The problem is that VPN access is needed from outside the network, from cell phones and tablets too, where the Kerio VPN client cannot be installed on this category of devices.



  •  
mlee (Kerio)

One suggestion is to use your Mikrotik RB450G router in bridge mode and let Kerio Control have the public IP address so no mapping is needed.

M.

PTSD. BP. OCD. ASPD. BPD. Certified.
  •  
AndrisGazda

Thanks, but that is not possible, because failover switching between the 2 internet connections is implemented there, and it has the physical firewall role too. The other problem is that I cannot add more network cards to the PC that is used for virtualization of Kerio Control. I don't trust Kerio Control's failover; the last time I tested it, switching back after the primary connection was restored didn't work.

My question is: what if I set up a VPN server on the router and make a tunnel between Kerio and the RB450G? Would it be possible to access the internal network this way? Only access to the internal network is needed, in secure conditions, from VPN clients; there is no need to access the internet through the VPN.
RB450G can deal with IPSEC, PPTP, PPPoE too.
  •  
silars

1. Have you tried to capture packets on the Control device to verify forwarding is occurring properly?

2. Have you considered setting up a VPN server internally to Control? I use an internal VPN server to handle PPTP (Control doesn't do PPTP) and IPsec. Android, iOS, and Windows phones/tablets support PPTP.

3. Can you post your IPsec forwarding rules on the RB450G?

[Updated on: Fri, 16 August 2013 15:52]

  •  
AndrisGazda

I read on the Mikrotik forum that IPSEC does not work if the VPN server is behind a router/NAT. How do I capture the packets if the router and the virtual machine are connected directly with a cable?
Thanks a lot for the idea with the internal VPN server!!! I will try to go in this direction.
  •  
silars

You do need NAT Traversal support for IPsec for that to work. If Mikrotik doesn't support NAT Traversal for IPsec, this will only work if your IPsec VPN connections are in Tunnel mode. I don't believe all of your clients will support that.

The other option is to consider PPTP. It is less secure, but port forwarding is a lot easier.
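
For the packet capture suggested earlier in the thread, the following added example (not part of any post here, and not Kerio or Mikrotik code) labels UDP payloads arriving at the VPN server according to the RFC 3948 NAT Traversal framing, so you can see whether IKE and ESP-in-UDP actually get through the forward. It assumes the payloads were already extracted from a capture as `(dst_port, bytes)` pairs; the function names are hypothetical, the sample payloads are constructed, and the hints are heuristics rather than a definitive diagnosis.

```python
import struct
from collections import Counter

NON_ESP_MARKER = b"\x00" * 4  # RFC 3948: prefixes IKE messages sent on UDP 4500
# IKE header: SPIi, SPIr, next payload, version, exchange type, flags, msg id, length
IKE_HDR = struct.Struct("!8s8sBBBBII")

def is_ike(data):
    """True if data starts with a plausible IKEv1/IKEv2 header."""
    if len(data) < IKE_HDR.size:
        return False
    _, _, _, version, _, _, _, length = IKE_HDR.unpack_from(data)
    return version >> 4 in (1, 2) and length >= IKE_HDR.size

def classify(dst_port, payload):
    """Label one UDP payload captured on the VPN server's WAN interface."""
    if dst_port == 500:
        return "ike-500" if is_ike(payload) else "other"
    if dst_port == 4500:
        if payload == b"\xff":
            return "nat-keepalive"          # single 0xFF octet
        if payload[:4] == NON_ESP_MARKER:
            return "ike-4500" if is_ike(payload[4:]) else "other"
        if len(payload) >= 8:
            return "esp-in-udp"             # starts with a non-zero SPI
    return "other"

def diagnose(packets):
    """packets: iterable of (dst_port, udp_payload). Returns (counts, hint)."""
    seen = Counter(classify(port, data) for port, data in packets)
    if not seen["ike-500"] and not seen["ike-4500"]:
        hint = "no IKE reached the server: check the UDP 500/4500 dst-nat rules"
    elif not seen["ike-4500"]:
        hint = "IKE on 500 only: NAT-T not negotiated, or UDP 4500 not forwarded"
    elif not seen["esp-in-udp"]:
        hint = "NAT-T negotiated but no ESP-in-UDP seen: tunnel not carrying data"
    else:
        hint = "NAT-T in use: IKE and ESP both arrive over UDP 4500"
    return seen, hint

def make_ike(version, exchange):
    """Build a bare 28-byte IKE header for the constructed samples below."""
    return IKE_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, version, exchange, 0, 0, IKE_HDR.size)

# Constructed sample payloads (not taken from a real capture).
SAMPLE = [(500, make_ike(0x10, 2)), (4500, NON_ESP_MARKER + make_ike(0x10, 2)),
          (4500, b"\xff"), (4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 32)]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```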
  •  
AndrisGazda

IPSEC-ESP, IPSEC-AH, UDP ports 500, 1701, 4500, 5500

The NAT/forwarding settings are the same for all of them:
General tab - Chain: dst-nat, dst address: public IP (assigned by provider)
Action tab - Action: dst-nat, To address: Kerio WAN interface IP address, Port: the same as on General tab