Kerio User Forums » Kerio Control: IPsec VPN tunnel on the basis of certificates connects and disconnects continuously
nmm4829
Hello,

In my test lab (a server hosting 4 Hyper-V virtual machines), I am trying to deploy a simple IPsec VPN tunnel on the basis of certificates. But after all configurations, the VPN tunnel connects and disconnects continuously.

Both Kerio Controls are version 9.0.

I have exported the SSL certificate in PKCS#12 format from Kerio 1 and imported it in Kerio 2, and vice versa.


My scenario details (a Visio drawing is also available in the post attachment):

LAN1 IP address range: 10.1.1.0/24
First Kerio Control (in site 1) interfaces:
LAN = 10.1.1.180/24
WAN = (disconnected)
3rd interface (in the "Other interfaces" group) = 192.168.1.180 (this is the interface connected to site 2's VPN server, on which the VPN tunnel will be established)
VPN network range (properties of the VPN server interface) = 10.180.1.0/24

LAN2 IP address range: 172.20.1.181/24
Second Kerio Control (in site 2) interfaces:
WAN = (disconnected)
3rd interface (in the "Other interfaces" group) = 192.168.1.181 (this is the interface connected to site 1's VPN server, on which the VPN tunnel will be established)
VPN network range (properties of the VPN server interface) = 172.20.181.1.0/24


After creating the VPN tunnel, it connects and disconnects continuously (it shows connecting, connected, but then again connecting, connected, and so on).


In both Kerio Controls' logs I see the following errors:

In the Alert log:

[06/Jan/2016 23:42:59] TUNNELSTATUS(UP) endpoint="192.168.1.181" firewall="Control9" hostip="" hostname="" name="MyTunnel" username=""
[06/Jan/2016 23:43:01] TUNNELSTATUS(DOWN) firewall="Control9" hostip="" hostname="" name="MyTunnel" username=""

In the Dial log:

[06/Jan/2016 23:44:52] VPN tunnel 'MyTunnel' connected to 192.168.1.181
[06/Jan/2016 23:44:55] VPN tunnel 'MyTunnel' disconnected from 192.168.1.181, connection time 00:00:03
[06/Jan/2016 23:44:58] VPN tunnel 'MyTunnel' connected to 192.168.1.181
[06/Jan/2016 23:45:03] VPN tunnel 'MyTunnel' disconnected from 192.168.1.181, connection time 00:00:05
[06/Jan/2016 23:45:04] VPN tunnel 'MyTunnel' connected to 192.168.1.181
[06/Jan/2016 23:45:07] VPN tunnel 'MyTunnel' disconnected from 192.168.1.181, connection time 00:00:03
[06/Jan/2016 23:45:10] VPN tunnel 'MyTunnel' connected to 192.168.1.181


In the Error log:

[06/Jan/2016 23:49:40] IPsec: Failed to establish connection with remote endpoint 192.168.1.181: Networks or IDs mismatch
[06/Jan/2016 23:49:46] IPsec: Failed to establish connection with remote endpoint 192.168.1.181: Combination of Local Network 10.1.1.0/24 and Remote Network 192.168.1.0/24 not found in configuration
[06/Jan/2016 23:49:46] IPsec: Failed to establish connection with remote endpoint 192.168.1.181: Combination of Local Network 10.1.1.0/24 and Remote Network 172.181.1.0/24 not found in configuration
[06/Jan/2016 23:49:52] IPsec: Failed to establish connection with remote endpoint 192.168.1.181: Combination of Local Network 10.1.1.0/24 and Remote Network 192.168.1.0/24 not found in configuration
[06/Jan/2016 23:49:52] IPsec: Failed to establish connection with remote endpoint 192.168.1.181: Combination of Local Network 10.1.1.0/24 and Remote Network 192.168.1.0/24 not found in configuration
[06/Jan/2016 23:49:52] IPsec: Failed to establish connection with remote endpoint 192.168.1.181: Networks or IDs mismatch
[06/Jan/2016 23:49:58] IPsec: Failed to establish connection with remote endpoint 192.168.1.181: Combination of Local Network 10.1.1.0/24 and Remote Network 192.168.1.0/24 not found in configuration
[06/Jan/2016 23:49:58] IPsec: Failed to establish connection with remote endpoint 192.168.1.181: Combination of Local Network 10.1.1.0/24 and Remote Network 172.181.1.0/24 not found in configuration

Please help me: where is the fault in my configuration?

Thanks in advance.

[Updated on: Tue, 05 January 2016 22:04]
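The Error log above is the signature of a traffic-selector mismatch: the peer proposes local/remote network pairs that this side's tunnel configuration does not contain, the negotiated SA is torn down, and the Dial log shows the connect/disconnect loop. The Python script below is an added example, not code from the post or from Kerio. It parses the quoted log format, lists which peer-offered networks are missing from this side's Remote Networks list, and cross-checks two endpoint configurations against each other. The configured lists come from the thread; the assumption that Kerio 2's automatically determined local networks included 192.168.1.0/24 and 172.181.1.0/24 is inferred from the rejected pairs in the log and is labelled as such in the code. The line that says only "Networks or IDs mismatch" carries no network pair (it can also mean a certificate identity mismatch), so the parser skips it.

```python
import ipaddress
import re
from itertools import product

# Constructed sample: Error-log lines of the kind quoted in the post above.
SAMPLE_ERROR_LOG = """\
[06/Jan/2016 23:49:40] IPsec: Failed to establish connection with remote endpoint 192.168.1.181: Networks or IDs mismatch
[06/Jan/2016 23:49:46] IPsec: Failed to establish connection with remote endpoint 192.168.1.181: Combination of Local Network 10.1.1.0/24 and Remote Network 192.168.1.0/24 not found in configuration
[06/Jan/2016 23:49:46] IPsec: Failed to establish connection with remote endpoint 192.168.1.181: Combination of Local Network 10.1.1.0/24 and Remote Network 172.181.1.0/24 not found in configuration
[06/Jan/2016 23:49:52] IPsec: Failed to establish connection with remote endpoint 192.168.1.181: Combination of Local Network 10.1.1.0/24 and Remote Network 192.168.1.0/24 not found in configuration
"""

PAIR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] IPsec: Failed to establish connection with remote endpoint "
    r"(?P<peer>[0-9.]+): Combination of Local Network (?P<local>\S+) "
    r"and Remote Network (?P<remote>\S+) not found in configuration$"
)


def parse_rejected_pairs(log_text):
    """(local, remote) selector pairs this firewall rejected, de-duplicated, in log order."""
    pairs = []
    for line in log_text.splitlines():
        m = PAIR_RE.match(line.strip())
        if m is None:
            continue  # e.g. the bare "Networks or IDs mismatch" line carries no pair
        pair = (ipaddress.ip_network(m["local"]), ipaddress.ip_network(m["remote"]))
        if pair not in pairs:
            pairs.append(pair)
    return pairs


def accepted_pairs(local_nets, remote_nets):
    """Every local/remote combination a tunnel with these two lists will accept."""
    return {(ipaddress.ip_network(l), ipaddress.ip_network(r))
            for l, r in product(local_nets, remote_nets)}


def networks_missing_from_remote_list(log_text, local_nets, remote_nets):
    """Networks the peer offered as its local side that our Remote Networks list lacks."""
    ok = accepted_pairs(local_nets, remote_nets)
    return sorted(str(r) for l, r in parse_rejected_pairs(log_text) if (l, r) not in ok)


def check_tunnel_pair(side_a, side_b):
    """Cross-check two endpoint configurations (dicts with endpoint/local/remote).
    Returns human-readable problems; an empty list means the selectors agree."""
    issues = []
    endpoints = {ipaddress.ip_address(side_a["endpoint"]),
                 ipaddress.ip_address(side_b["endpoint"])}
    for name, mine, peer in (("A", side_a, side_b), ("B", side_b, side_a)):
        my_remote = {ipaddress.ip_network(n) for n in mine["remote"]}
        peer_local = {ipaddress.ip_network(n) for n in peer["local"]}
        for net in sorted(peer_local - my_remote, key=str):
            issues.append(f"{name}: peer advertises local network {net}, "
                          f"which is not in {name}'s Remote Networks")
        for net in sorted(my_remote - peer_local, key=str):
            issues.append(f"{name}: Remote Networks lists {net}, "
                          f"which the peer does not treat as local")
        # Warning: a selector that covers the network carrying the IKE endpoints
        # themselves (192.168.1.0/24 here) was one of the pairs rejected in the thread.
        for net in sorted({ipaddress.ip_network(n) for n in mine["local"]}, key=str):
            if any(ep in net for ep in endpoints):
                issues.append(f"{name}: local network {net} contains the tunnel "
                              f"endpoints; exclude it from the selectors")
    return issues


# Configurations from the thread ("Use custom networks" on both sides).
GOOD_A = {"endpoint": "192.168.1.180", "local": ["10.1.1.0/24"], "remote": ["172.20.1.0/24"]}
GOOD_B = {"endpoint": "192.168.1.181", "local": ["172.20.1.0/24"], "remote": ["10.1.1.0/24"]}
# Assumption (inferred from the rejected pairs in the log): what Kerio 2 offered while
# "Use automatically determined local networks" was still enabled.
AUTO_B = {"endpoint": "192.168.1.181",
          "local": ["172.20.1.0/24", "192.168.1.0/24", "172.181.1.0/24"],
          "remote": ["10.1.1.0/24"]}

if __name__ == "__main__":
    print("missing from Kerio 1's Remote Networks:",
          networks_missing_from_remote_list(SAMPLE_ERROR_LOG, GOOD_A["local"], GOOD_A["remote"]))
    for issue in check_tunnel_pair(GOOD_A, AUTO_B):
        print("auto-determined:", issue)
    print("custom networks on both sides:", check_tunnel_pair(GOOD_A, GOOD_B) or "OK")
```

The rule `check_tunnel_pair` enforces is the one that matters for any IPsec pair, not only Kerio: each side's Remote Networks must be exactly the set the other side will present as local. With automatic local networks, Kerio 2 advertised every directly connected subnet, including the one the tunnel itself rides over, and Kerio 1 rejected the pairs it had no policy for, which is why switching both endpoints to custom networks stopped the flapping.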

Brian Carmichael (Kerio)
Have you defined the subnet of the remote network in the properties of each VPN tunnel? You might consider specifying one of the endpoints as passive. Make sure that the subnet you assigned to 'LAN 2' does not conflict with the subnet that was automatically generated by the VPN server interface.
Is there a reason you prefer IPsec rather than Kerio VPN? The Kerio VPN is much easier to configure as the routing and certificates are managed automatically.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
nmm4829
Brian Carmichael (Kerio) wrote on Tue, 05 January 2016 21:40
Have you defined the subnet of the remote network in the properties of each VPN tunnel? You might consider specifying one of the endpoints as passive. Make sure that the subnet you assigned to 'LAN 2' does not conflict with the subnet that was automatically generated by the VPN server interface.
Is there a reason you prefer IPsec rather than Kerio VPN? The Kerio VPN is much easier to configure as the routing and certificates are managed automatically.



Hi.

I am a network trainer and I must teach Kerio to my students, and I can't bypass this scenario; they will ask me for the reason.

1) Yes, I have assigned the subnet of the remote network in the properties of each VPN tunnel:

In the properties of the VPN tunnel in Kerio 1, Remote Networks tab:
172.20.1.0/24

In the properties of the VPN tunnel in Kerio 2, Remote Networks tab:
10.1.1.0/24

2) I specified Kerio 1 as active and the second as passive, but still the same problem (the VPN tunnel goes up and down repeatedly).

If you look at the .png attachment, you will see that the subnet I assigned to 'LAN 2' does not conflict with the subnet that was automatically generated by the VPN server interface.

I really wonder; I have adhered to all necessary things and my scenario is a fresh, clean one with no extra configuration.

Would you please have a look at the .png attachment and analyse the scenario again?

Any further help?

Thanks in advance.


Attachment: kerio 1.PNG (Size: 82.08KB, Downloaded 342 times)
Attachment: kerio 2.PNG (Size: 85.72KB, Downloaded 342 times)
Brian Carmichael (Kerio)
For the local networks I assume you are using the default option to automatically determine local networks, is that correct? Does this same scenario work when using a pre-shared key rather than certificate authentication?

nmm4829
Brian Carmichael (Kerio) wrote on Tue, 05 January 2016 22:20
For the local networks I assume you are using the default option to automatically determine local networks, is that correct? Does this same scenario work when using a pre-shared key rather than certificate authentication?



Yes, you are correct about automatically determined local networks, so I changed it on both Kerio Controls.

In Kerio Control 1, I removed the check mark "Use automatically determined local networks" and instead selected "Use custom networks" and added 10.1.1.1/24.

Also in Kerio Control 2, I removed the check mark "Use automatically determined local networks" and instead selected "Use custom networks" and added 172.20.1.0/24.

I also selected "pre-shared key" instead of certificate.

Now the tunnel remains up and is not in the connect/disconnect state anymore, but the problem is I can ping the client at site 2 from the client at site 1. This is my tracert result:

C:\>ipconfig

Windows IP Configuration
Ethernet adapter ethernet-10.1.1.10:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::544e:40e0:dbf1:5975%12
IPv4 Address. . . . . . . . . . . : 10.1.1.10
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . : 10.1.1.180

^C
C:\>tracert -d 172.20.1.190

Tracing route to 172.20.1.190 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 10.1.1.180
2 <1 ms <1 ms <1 ms 172.20.1.181
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * ^C

[Updated on: Tue, 05 January 2016 22:35]

nmm4829
I am very unlucky.

I have deployed this simple site-to-site VPN via Microsoft Routing and Remote Access Services for years!

Recently I have become familiar with Kerio Control and I gave up Microsoft TMG forever, and I am very interested in Kerio Control, but unfortunately I am unable to deploy a very simple VPN tunnel scenario!
I have been struggling with this simple scenario for about a week!

Sad

Brian Carmichael (Kerio)
Make sure the host at 172.20.1.190 is configured to use 172.20.1.181 as its default gateway.
As I mentioned before, this scenario is much easier when using Kerio Control VPN, and is the recommended method unless one of the endpoints is not a Kerio Control firewall.

nmm4829
Brian Carmichael (Kerio) wrote on Tue, 05 January 2016 22:56
Make sure the host at 172.20.1.190 is configured to use 172.20.1.181 as its default gateway.
As I mentioned before, this scenario is much easier when using Kerio Control VPN, and is the recommended method unless one of the endpoints is not a Kerio Control firewall.



Certainly 172.20.1.190 is configured to use 172.20.1.181 as its default gateway.

So I changed the tunnel type to "Kerio VPN" at both firewalls.

In the tunnel properties, Remote Networks tab, only this check mark is selected: "Use routes provided automatically by the remote endpoint".

Now the tunnel interface remains UP and connected, but now there is an odd behaviour:

From client 1, when I try to ping or tracert to the LAN2 client (172.20.1.190), I have the problem which I posted for you above:

C:\>tracert -d 172.20.1.190

Tracing route to 172.20.1.190 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 10.1.1.180
2 <1 ms <1 ms <1 ms 172.20.1.181
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * ^C

But when, at the LAN2 client (172.20.1.190), I ping or tracert to the LAN1 client (10.1.1.10), it works and everything is OK. This is the result:


C:\>ipconfig

Windows IP Configuration
Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 172.20.1.190
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.20.1.181

Tunnel adapter isatap.{E88AA8C4-195B-49B9-9921-33C086D2E4A2}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

C:\>tracert -d 10.1.1.10

Tracing route to 10.1.1.10 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 172.20.1.181
2 1 ms <1 ms <1 ms 172.181.1.2
3 1 ms 1 ms 1 ms 10.1.1.10

Trace complete.


No fault in the Kerio Controls' routing tables. I paste a screenshot of both routing tables here:

nmm4829
Brian Carmichael (Kerio) wrote on Tue, 05 January 2016 22:56
Make sure the host at 172.20.1.190 is configured to use 172.20.1.181 as its default gateway.
As I mentioned before, this scenario is much easier when using Kerio Control VPN, and is the recommended method unless one of the endpoints is not a Kerio Control firewall.



And this is the screenshot of the Kerio 2 routing table:

Brian Carmichael (Kerio)
Make sure that your traffic rules allow VPN tunnels to communicate with the trusted networks. By default this is allowed by the rule called "Local traffic". In the debug log you can enable the event "Packets dropped for some reason". It might explain if the traffic is blocked somehow.
Also, make sure that the client computer does not have a firewall enabled that might block the ping request.

nmm4829
Brian Carmichael (Kerio) wrote on Tue, 05 January 2016 23:35
Make sure that your traffic rules allow VPN tunnels to communicate with the trusted networks. By default this is allowed by the rule called "Local traffic". In the debug log you can enable the event "Packets dropped for some reason". It might explain if the traffic is blocked somehow.
Also, make sure that the client computer does not have a firewall enabled that might block the ping request.



Hi Brian, thanks a lot for investigating my problem and for the time you spent on my scenario.

The default "Local traffic" rule exists and is enabled.

No packet is shown in "Packets dropped for some reason".

The clients' firewalls are turned off.

Is it possible for you to connect to me via TeamViewer to check my configuration yourself?
Brian Carmichael (Kerio)
I cannot connect to your system, but you can reach out to our support team for this type of assistance. Otherwise I can continue to offer advice through this forum as it might benefit others.
From what I gathered based on your replies, you are able to ping across the tunnel in one direction, so this tells us that the routing works. In the administration of Kerio Control there is a ping utility (under Status -> IP tools). From either firewall can you ping 172.20.1.190?

As another test, from the LAN client at 10.1.1.10 can you ping across the tunnel to the local interface of Kerio Control on the other network (172.20.1.181)

nmm4829
Brian Carmichael (Kerio) wrote on Wed, 06 January 2016 18:30
I cannot connect to your system, but you can reach our to our support team for this type of assistance. Otherwise I can continue to offer advice through this forum as it might benefit others.
From what I gathered based on your replies, you are able to ping across the tunnel in one direction, so this tells us that the routing works. In the administration of Kerio Control there is a ping utility (under Status -> IP tools). From either firewall can you ping 172.20.1.190?

As another test, from the LAN client at 10.1.1.10 can you ping across the tunnel to the local interface of Kerio Control on the other network (172.20.1.181)



Hi again Brian.

I am very happy. At last I was successful and able to deploy a neat site-to-site VPN via Kerio Controls.

Notes:
We must surely define the local networks ourselves.
We must not set both endpoints as active.

But the main fault:

At the LAN2 client (172.20.1.190), I started to capture packets via Microsoft Network Monitor and I saw that packets from 10.1.1.10 reach this client, so perhaps it can't answer.
In LAN2, my client was a Windows 8.1 system, and although I had selected "File & Printer Sharing" in the firewall, when I looked at the wf.msc console I saw an odd behaviour: when we open the properties of the firewall rule for inbound ICMP Echo Request, we see that it has been set to "local subnet" only. So this was the cause why ping or tracert from the LAN1 client to the LAN2 client was unsuccessful. I am very happy now.

Thank you very, very much for the time you spent to help me with my problem.


[Updated on: Sun, 10 January 2016 14:16]
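The resolution in the final post (one-way ping, because the Windows 8.1 host's inbound "Echo Request - ICMPv4-In" rule is scoped to Local subnet) is worth reproducing in a model, since it explains why the gateway's "Packets dropped for some reason" event stayed empty while tracert from LAN1 reached 172.20.1.181 and then timed out: the drop happens on the end host, not on either Kerio Control. The Python below is an added example, not code from the post. It evaluates the rule's remote-address scope for the hosts in the thread and produces the reachability matrix in both directions. The corrected scope (adding the remote site's subnet 10.1.1.0/24 to the rule) is this example's suggestion; the post does not say which change was made. The 255.0.0.0 mask on the LAN1 client is copied from the ipconfig output above and does not affect the result, because that host's firewall was reported off.

```python
import ipaddress


class WindowsHost:
    """Model of a Windows host: one interface plus the remote-address scope of its
    inbound "Echo Request - ICMPv4-In" rule. scope=None models 'firewall off'."""

    def __init__(self, name, iface, scope=None):
        self.name = name
        self.iface = ipaddress.ip_interface(iface)  # e.g. "172.20.1.190/24"
        self.scope = scope                           # e.g. ["LocalSubnet", "10.1.1.0/24"]

    def accepts_echo_from(self, src_ip):
        """Apply the rule's remote-address scope to the source of an Echo Request."""
        if self.scope is None:
            return True
        src = ipaddress.ip_address(src_ip)
        for entry in self.scope:
            # Windows' "LocalSubnet" keyword means the subnets directly attached to
            # this host (modelled here with a single interface).
            net = self.iface.network if entry == "LocalSubnet" else ipaddress.ip_network(entry)
            if src in net:
                return True
        return False


def ping_succeeds(src, dst):
    """A ping only needs the inbound rule at dst: the Echo Reply is matched to the
    outbound request by the stateful engine and needs no inbound rule at src."""
    return dst.accepts_echo_from(str(src.iface.ip))


def reachability(hosts):
    """Pairwise ping matrix; shows the one-way reachability gateway logs never reveal."""
    return {(a.name, b.name): ping_succeeds(a, b) for a in hosts for b in hosts if a is not b}


# Hosts from the thread. Mask 255.0.0.0 on the LAN1 client is as shown in its ipconfig.
LAN1_CLIENT = WindowsHost("10.1.1.10", "10.1.1.10/8", scope=None)          # firewall off
LAN2_BEFORE = WindowsHost("172.20.1.190", "172.20.1.190/24", scope=["LocalSubnet"])
# Assumed fix: widen the rule scope to the remote site's subnet (the post does not
# state which change was made).
LAN2_AFTER = WindowsHost("172.20.1.190", "172.20.1.190/24", scope=["LocalSubnet", "10.1.1.0/24"])

if __name__ == "__main__":
    for pair, ok in reachability([LAN1_CLIENT, LAN2_BEFORE]).items():
        print("before:", pair, "ping OK" if ok else "Echo Request dropped by host firewall")
    for pair, ok in reachability([LAN1_CLIENT, LAN2_AFTER]).items():
        print("after: ", pair, "ping OK" if ok else "Echo Request dropped by host firewall")
```

The asymmetry is the diagnostic clue: 172.20.1.190 can ping 10.1.1.10 because the LAN1 host accepts the request and the reply rides the stateful match, while 10.1.1.10's request to 172.20.1.190 arrives over the tunnel with a source outside 172.20.1.0/24 and is dropped by the host. On the Windows side the scope is visible on the rule's Scope tab in wf.msc or via Get-NetFirewallAddressFilter; any site-to-site VPN rollout should add the remote subnets to the scope of host rules that default to Local subnet.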
