VPN tunnel uses wrong IP (snat does not work for VPN tunnel)
  •  
weidl

Hi there,
maybe someone here has a helpful hint:
The firewall (Version 9.2.4) has 5 IPs configured at the WAN: .181, .182, .183, .184, .185

The .184 is the "main" IP in the config, the other ones are additional.
Clients appear with the .184 in the internet.

A configured VPN tunnel uses the .185 for outside connections most of the time, but should use the .184.
Sometimes, by changing anything in the config, the .184 is used. But later the .185 is back.

I tried several rules to set up source NAT for this connection, but nothing works.
It looks like the NAT does not work for VPN?

Does anybody know how to bind the VPN tunnel to an IP?

Many thanks
Guenter
  •  
mwgbr

Hello Guenter,

I wanted to confirm this. We have the exact same problem.
Because some firewalls from other manufacturers that we want to establish a VPN connection with presume the right IP is being used for the tunnel, the connection sometimes does not work.
We also did not find a rule which can avoid this.
  •  
weidl

Hi,
thanks for this confirmation!!!
I opened a case at GFI support, and maybe it would be helpful if you do this also.
Today they asked for screenshots of the settings [mad]

Hopefully they have a helpful answer.

Guenter
  •  
cedricl

Did you get any feedback on this?
It would be great to be able to set outgoing IP for VPN.
  •  
weidl

I spent some hours with tech support on this and we did a long online session.
It starts like this: "Oh, it's simple, you have to set up a rule to SNAT the tunnel" and ends with "Oops, very strange".
Now the support will have a closer look at this.
  •  
weidl

Hi cedricl,
I found something out by myself:

It seems that the VPN is using the IP which is defined at the WAN interface, shown with "ifconfig eth0".
And no SNAT rule is used!!!

E.g. in my installation:
IPs .181 and .185 are additional at the WAN, and .184 is the default.
eth0 is the WAN interface.
ifconfig eth0 shows .185 at the interface and this is used as outgoing IP with the VPN tunnel.
Removing .185 from the WAN interface changes eth0 to .181 and now this is used for VPN.
Removing .181 also from WAN changes eth0 to .184 and VPN is using it.
Now I added .181 and .185 again to WAN and eth0 is still using .184 and VPN is using the correct .184.

Can you confirm this in your installation?

I think the eth0 should use the default IP and it should be possible to define the outgoing IP for active VPN tunnels.
GFI/Kerio support is informed about that, but I got no answer until now.

In my case we changed the VPN to passive, let the other site initiate the tunnel and everything is fine.

Guenter
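
The check done by hand with "ifconfig eth0" in the post above, as an added example (not part of the original posts and not Kerio code). It assumes the WAN interface follows standard Linux behaviour, where the first address added in a subnet is the primary one and later ones are flagged `secondary` in `ip` output, and that `ip` and `awk` are available; the 203.0.113.x addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ip -o -4 addr show dev eth0` output, mirroring the
# state described in the thread: .185 is primary, .181 and .184 are secondary.
SAMPLE='2: eth0    inet 203.0.113.185/28 brd 203.0.113.191 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.181/28 brd 203.0.113.191 scope global secondary eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.184/28 brd 203.0.113.191 scope global secondary eth0\       valid_lft forever preferred_lft forever'

# Read `ip -o -4 addr show` output on stdin and print every IPv4 address
# that is NOT flagged "secondary" (i.e. the primary address per subnet).
primary_ipv4() {
    awk '$3 == "inet" {
        sec = 0
        for (i = 5; i <= NF; i++) if ($i == "secondary") sec = 1
        if (!sec) { split($4, a, "/"); print a[1] }
    }'
}

# check_vpn_source EXPECTED_IP
# Reads `ip` output on stdin; returns 0 only when the primary address is the
# one the remote VPN peer expects as tunnel source.
check_vpn_source() {
    expected=$1
    actual=$(primary_ipv4 | head -n 1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: primary address $actual matches expected tunnel source"
        return 0
    fi
    echo "MISMATCH: primary is ${actual:-none}, expected $expected"
    return 1
}

# Demo on the constructed sample; on a live box, pipe in the real output:
#   ip -o -4 addr show dev eth0 | check_vpn_source <expected-ip>
printf '%s\n' "$SAMPLE" | check_vpn_source 203.0.113.184 || true
```

Running it after every change to the WAN address list, and after a reboot, shows whether the primary address has moved away from the one the remote peer allows.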
  •  
cedricl

Hi

Thank you for the update.

Unfortunately I can't try your "fix" right now, as the need is not on my side but a customer's, and the problem was "solved" on the other side by allowing a different IP to connect.

But did you try rebooting Kerio to see if the VPN still uses the right IP? I remember that rebooting can lead to a change of the outgoing VPN IP...

Cedric
  •  
weidl

Hi Cedric,
I did several reboots and always the same (wrong) IP was used.
But I remember at the first tests I made some other changes at the VPN setup and saw other IPs at outgoing.
But it was not reproducible.

I am sure that GFI will fix this soon ;-}