Okay, I finally got my VPN working as expected. Straight-in VPN (not a system-to-system tunnel).
I've seen a lot of posts here with VPN trouble. Some advanced, some basic. Very few if any responses though. I learned a little about the basics (that I needed) during my trial and error methods and figured I'd relate what I learned here if it can help other newbies.
1st -- The VPN adapter installed with KWF is a router! (yeah, I know, all the gurus are saying "Duh!"). But I wasn't thinking of it that way, which caused me all kinds of misconceptions.
Since it is a router, it is necessary to provide it with two IPs, one for each interface. On the KWF/VPN server PC, you must go into the WINDOWS TCP/IP properties for the KWF-VPN interface and set it to a static private IP that does NOT overlap your existing LAN (I used 10.1.1.1 as shown in the docs). You enter the mask (typically 255.255.255.0) and note that the DNS server must point to itself... (i.e. 10.1.1.1). That's one interface.
Next, you must go into the KWF management console to configure the other VPN interface. Find the VPN interface and provide it with a DIFFERENT NETWORK private address that is NOT one of your existing LAN address spaces and NOT the one you provided to the WINDOWS VPN NIC. I used 172.26.41.0. Set DHCP to hand out however many addresses you like. ALSO, assign DHCP to hand out the DNS servers in your INTERNAL LAN if that is what you are using for internal DNS on your LAN clients.
Make the appropriate FW rules (these are pretty straightforward in the KWF/VPN help files).
This gives you the ability to connect from the Internet via the VPN client to your network and includes the name resolution necessary to map drives by name (assuming you have that capability on the LAN to begin with).
The only "extra" thing I had to do to permit me to map drives of the actual VPN server itself was to put my local LAN address for the VPN server in each client's HOST file. Remember, your KWF machine has a public IP too. Otherwise, when remote, you would be trying to map your VPN server's public IP (via DNS) rather than the private IP... doesn't work.
If you wanted to print to IP printers on your LAN, you would need to put them in your host file too... unless your internal DNS had records for them (like in Active Directory).
Don't forget to give your KWF-VPN userIDs rights to use VPN! It's not like that by default.
Anyway, hope this helps someone.
[Updated on: Sun, 23 April 2006 05:01]
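An added example, not part of the original post: a Python check of the address plan described above, confirming that the LAN, the Windows KWF-VPN NIC network and the KWF VPN client network do not overlap, and building the hosts-file line for the VPN server's LAN address. The LAN range 192.168.1.0/24, the /24 mask on 172.26.41.0, the server address 192.168.1.10 and the name `kwfserver` are constructed assumptions.

```python
import ipaddress
from itertools import combinations


def check_vpn_plan(lan_nets, vpn_nic, vpn_client_net):
    """Return a list of problems; an empty list means no overlaps were found."""
    nets = {f"LAN {n}": ipaddress.ip_network(n) for n in lan_nets}
    # The Windows-side adapter is given as address/mask, e.g. 10.1.1.1/255.255.255.0
    nets["Windows VPN NIC"] = ipaddress.ip_interface(vpn_nic).network
    nets["KWF VPN clients"] = ipaddress.ip_network(vpn_client_net)

    problems = []
    # Every pair must be disjoint: LAN vs NIC, LAN vs clients, NIC vs clients.
    for (name_a, a), (name_b, b) in combinations(nets.items(), 2):
        if a.overlaps(b):
            problems.append(f"{name_a} ({a}) overlaps {name_b} ({b})")
    # The post uses private ranges throughout; flag anything that is not.
    for name, net in nets.items():
        if not net.is_private:
            problems.append(f"{name} ({net}) is not a private range")
    return problems


def hosts_line(server_lan_ip, server_name, lan_nets):
    """Build the hosts-file entry mapping the VPN server's name to its LAN address."""
    ip = ipaddress.ip_address(server_lan_ip)
    if not any(ip in ipaddress.ip_network(n) for n in lan_nets):
        # A public address here reproduces the failure described in the post.
        raise ValueError(f"{ip} is not inside any listed LAN range")
    return f"{ip}\t{server_name}"


if __name__ == "__main__":
    lan = ["192.168.1.0/24"]  # constructed LAN range
    for issue in check_vpn_plan(lan, "10.1.1.1/255.255.255.0", "172.26.41.0/24"):
        print("PROBLEM:", issue)
    print(hosts_line("192.168.1.10", "kwfserver", lan))  # constructed server
```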
Frank, how nice of you to share your findings here!
I will take a look at my VPN setup with this information. (All works fine here, except name resolution of internal hosts for VPN connected clients. Seems you cracked that nut.)