Example of VPN tunnel configuration

This chapter provides a detailed example of how to create an encrypted tunnel connecting two private networks using the Kerio VPN. The example can easily be adapted to other environments.

Note: This example describes a more complex VPN setup, with access restrictions for individual local networks and for VPN clients. An example of a basic VPN configuration is provided in the Kerio WinRoute Firewall Step By Step Configuration document.

Specification

Suppose a company has its headquarters in New York and a branch office in Chicago. We intend to interconnect the local networks of the headquarters and the branch office by a VPN tunnel using the Kerio VPN. VPN clients will also be allowed to connect to the headquarters network.

The server (default gateway) of the headquarters uses the public IP address 63.55.21.12 (DNS name newyork.company.com); the server of the branch office uses a dynamic IP address assigned by DHCP.

The local network of the headquarters consists of two subnets, LAN 1 and LAN 2, and uses the company.com DNS domain.

The network of the branch office consists of a single subnet (LAN) and uses the filial.company.com DNS domain.

The following figure shows the entire system, including IP addresses and the VPN connections that will be built.

Suppose that both networks are already deployed and configured according to the figure, and that an Internet connection is available at both sites.

Traffic between the headquarters network, the branch office network and VPN clients will be restricted according to the following rules:

  1. VPN clients can connect to LAN 1 and to the branch office network.

  2. No network may open connections to VPN clients.

  3. Only LAN 1 is available from the branch office, and on it only the WWW, FTP and Microsoft SQL services.

  4. No restrictions apply to connections from the headquarters to the branch office network.

  5. LAN 2 is not available to the branch office network or to VPN clients.

Headquarters configuration

  1. Install WinRoute (version 6.0.0 or later) at the headquarters' default gateway (server).

  2. Use the Network Rules Wizard (see chapter Network Rules Wizard) to configure the basic traffic policy in WinRoute. In step 5 of the wizard, select Yes, I want to use Kerio VPN.

    This step creates rules for the VPN server's own connections as well as for communication of VPN clients with the local network (through the firewall).

    Once the VPN tunnel has been created, customize these rules to meet the restriction requirements (Step 6).

  3. Customize DNS configuration as follows:

    • In the DNS Forwarder configuration in WinRoute, specify the DNS servers to which queries not addressed to the company.com domain will be forwarded (by default the primary and secondary DNS servers of the Internet service provider).

    • Enable the Use custom forwarding option and define a rule for the filial.company.com domain. As the forwarding DNS server, use the IP address of the remote WinRoute host's interface connected to the branch office local network (192.168.1.1). These queries travel through the VPN tunnel.

    • Set the IP address of the local WinRoute host's interface connected to the headquarters local network (10.1.1.1) as the primary DNS server on that interface.

    • Set 10.1.1.1 as the primary DNS server for all other hosts in the headquarters network as well.

    Note: For DNS to work properly, the DNS database must include records for the hosts in the corresponding local network. To achieve this, enter the DNS names and IP addresses of local hosts into the hosts file (if they use static IP addresses), or enable cooperation of the DNS Forwarder with the DHCP server (if IP addresses are assigned to these hosts dynamically). For details, refer to chapter DNS Forwarder.

  4. Enable the VPN server and configure its SSL certificate (create a self-signed certificate if no certificate issued by a certification authority is available).

    Note: WinRoute automatically selects a free subnet and fills it into the VPN network and Mask entries.

    For a detailed description on the VPN server configuration, refer to chapter VPN Server Configuration.

  5. Create a passive endpoint of the VPN tunnel (the branch office server uses a dynamic IP address, so it must be the side that initiates the connection). As the fingerprint of the remote SSL certificate, enter the fingerprint of the VPN server at the branch office, read from that server's console rather than from the connection itself.

  6. Customize traffic rules according to the restriction requirements.

    • In the Local Traffic rule, remove all items except those belonging to the headquarters local network, i.e. keep only the Firewall, LAN 1 and LAN 2.

    • Add a VPN clients rule allowing VPN clients to connect to LAN 1 and to the branch office network (through the VPN tunnel).

    • Add a Branch office rule allowing connections from the branch office network to the WWW, FTP and Microsoft SQL services in LAN 1.

    • Add a Company headquarters rule allowing connections from both headquarters subnets to the branch office network.

    Rules defined this way meet all the restriction requirements. Traffic that matches none of these rules is blocked by the default rule (see chapter Definition of Custom Traffic Rules).
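The four rules above plus the default rule are evaluated first match wins, so the order and the trimming of the Local Traffic rule decide whether the five requirements from the Specification hold. The following Python model is an added example, not part of the original manual or of WinRoute: it encodes the headquarters policy, evaluates one or two flows per requirement, and also shows what happens if the wizard's Local Traffic rule is left untrimmed. Only 10.1.1.1, 63.55.21.12 and 192.168.1.1 come from the page; the subnets for LAN 1, LAN 2, the branch LAN and the VPN clients, and the mapping of WWW, FTP and Microsoft SQL to TCP ports 80, 21 and 1433, are assumptions marked as such in the code.

```python
"""First-match evaluation of the headquarters traffic policy from Step 6.

Subnets marked ASSUMED are not given on the page; only 10.1.1.1 (headquarters
firewall LAN interface), 63.55.21.12 (headquarters public address) and
192.168.1.1 (branch firewall LAN interface) come from the example. WWW, FTP and
Microsoft SQL are modelled as TCP ports 80, 21 and 1433.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

FIREWALL = [ip_network("10.1.1.1/32"), ip_network("63.55.21.12/32")]
LAN1 = [ip_network("10.1.1.0/24")]           # ASSUMED
LAN2 = [ip_network("10.1.2.0/24")]           # ASSUMED
BRANCH = [ip_network("192.168.1.0/24")]      # ASSUMED (reached via the VPN tunnel)
VPN_CLIENTS = [ip_network("10.200.0.0/24")]  # ASSUMED (the free subnet the VPN server picks)

WWW, FTP, MSSQL = 80, 21, 1433


@dataclass
class Rule:
    name: str
    src: list
    dst: list
    ports: Optional[frozenset]  # None = any service
    action: str                 # "permit" or "deny"


# Rules in the order WinRoute evaluates them; the first match wins.
HQ_POLICY = [
    Rule("Local Traffic", FIREWALL + LAN1 + LAN2, FIREWALL + LAN1 + LAN2, None, "permit"),
    Rule("VPN clients", VPN_CLIENTS, LAN1 + BRANCH, None, "permit"),
    Rule("Branch office", BRANCH, LAN1, frozenset({WWW, FTP, MSSQL}), "permit"),
    Rule("Company headquarters", LAN1 + LAN2, BRANCH, None, "permit"),
]
DEFAULT = ("deny", "default")  # anything left over is blocked by the default rule


def in_any(addr, nets):
    return any(addr in net for net in nets)


def evaluate(policy, src, dst, port):
    """Return (action, rule name) for a connection src -> dst:port."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if in_any(s, rule.src) and in_any(d, rule.dst) and (rule.ports is None or port in rule.ports):
            return rule.action, rule.name
    return DEFAULT


# One or two flows per requirement in the Specification: (label, src, dst, port, expected)
REQUIREMENT_FLOWS = [
    ("1 VPN client -> LAN 1",     "10.200.0.5",   "10.1.1.10",    WWW,   "permit"),
    ("1 VPN client -> branch",    "10.200.0.5",   "192.168.1.20", 22,    "permit"),
    ("2 LAN 1 -> VPN client",     "10.1.1.10",    "10.200.0.5",   WWW,   "deny"),
    ("2 branch -> VPN client",    "192.168.1.20", "10.200.0.5",   WWW,   "deny"),
    ("3 branch -> LAN 1 WWW",     "192.168.1.20", "10.1.1.10",    WWW,   "permit"),
    ("3 branch -> LAN 1 MS SQL",  "192.168.1.20", "10.1.1.10",    MSSQL, "permit"),
    ("3 branch -> LAN 1 SSH",     "192.168.1.20", "10.1.1.10",    22,    "deny"),
    ("4 LAN 2 -> branch SSH",     "10.1.2.7",     "192.168.1.20", 22,    "permit"),
    ("5 branch -> LAN 2",         "192.168.1.20", "10.1.2.7",     WWW,   "deny"),
    ("5 VPN client -> LAN 2",     "10.200.0.5",   "10.1.2.7",     WWW,   "deny"),
]


def check_requirements(policy=HQ_POLICY):
    """Map each flow label to (actual action, expected action, matched rule)."""
    results = {}
    for label, src, dst, port, expected in REQUIREMENT_FLOWS:
        action, matched = evaluate(policy, src, dst, port)
        results[label] = (action, expected, matched)
    return results


def policy_satisfies_requirements(policy=HQ_POLICY):
    return all(actual == expected for actual, expected, _ in check_requirements(policy).values())


# HYPOTHETICAL counter-example: the wizard-generated Local Traffic rule left untrimmed,
# i.e. with VPN clients and the branch tunnel still listed as "local" on both sides.
UNTRIMMED_LOCAL = Rule("Local Traffic (untrimmed)",
                       FIREWALL + LAN1 + LAN2 + VPN_CLIENTS + BRANCH,
                       FIREWALL + LAN1 + LAN2 + VPN_CLIENTS + BRANCH, None, "permit")
UNTRIMMED_POLICY = [UNTRIMMED_LOCAL] + HQ_POLICY[1:]

if __name__ == "__main__":
    for label, (actual, expected, rule) in check_requirements().items():
        print(f"{label:28} {actual:6} (expected {expected:6}) by rule: {rule}")
    print("trimmed policy OK:", policy_satisfies_requirements())
    print("untrimmed policy OK:", policy_satisfies_requirements(UNTRIMMED_POLICY))
```

With the trimmed policy every flow lands on the expected rule and the leftovers (branch to LAN 2, anything to a VPN client, SSH from the branch to LAN 1) fall through to the default deny. With the untrimmed Local Traffic rule at the top, requirement 2 and requirement 5 silently break, because the broad first rule now permits LAN 1 to VPN clients and the branch to LAN 2 before the restrictive rules are ever reached.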

Branch office configuration

  1. Install WinRoute (version 6.0.0 or later) at the branch office's default gateway (server).

  2. Use the Network Rules Wizard (see chapter Network Rules Wizard) to configure the basic traffic policy in WinRoute. In step 5 of the wizard, select Yes, I want to use Kerio VPN.

    This step creates rules for the VPN server's own connections as well as for communication of VPN clients with the local network (through the firewall).

    Once the VPN tunnel has been created, customize these rules to meet the restriction requirements (Step 6).

  3. Customize DNS configuration as follows:

    • In the DNS Forwarder configuration in WinRoute, specify the DNS servers to which queries not addressed to the filial.company.com domain will be forwarded (by default the primary and secondary DNS servers of the Internet service provider).

    • Enable the Use custom forwarding option and define a rule for the company.com domain. As the forwarding DNS server, use the IP address of the remote WinRoute host's interface connected to the headquarters local network (10.1.1.1). These queries travel through the VPN tunnel.

    • Set the IP address of the local WinRoute host's interface connected to the branch office local network (192.168.1.1) as the primary DNS server on that interface.

    • Set 192.168.1.1 as the primary DNS server for all other hosts in the branch office network as well.

    Note: For DNS to work properly, the DNS database must include records for the hosts in the corresponding local network. To achieve this, enter the DNS names and IP addresses of local hosts into the hosts file (if they use static IP addresses), or enable cooperation of the DNS Forwarder with the DHCP server (if IP addresses are assigned to these hosts dynamically). For details, refer to chapter DNS Forwarder.

  4. Enable the VPN server and configure its SSL certificate (create a self-signed certificate if no certificate issued by a certification authority is available).

    Note: WinRoute automatically selects a free subnet and fills it into the VPN network and Mask entries.

    For detailed description on VPN server configuration, refer to chapter VPN Server Configuration.

  5. Create an active endpoint of the VPN tunnel that connects to the headquarters server (newyork.company.com). As the fingerprint of the remote SSL certificate, enter the fingerprint of the VPN server at the headquarters, read from that server's console rather than from the connection itself.

    At this point the connection should be established (i.e. the tunnel should be created). If the connection succeeds, the Connected status is reported in the Adapter info column at both ends of the tunnel. If the connection cannot be established, check the configuration of the traffic rules and test the availability of the remote server; in our example, the ping newyork.company.com command can be used at the branch office server.

    Note: If a collision between the VPN subnet and the remote network is detected when the tunnel is created, select another free subnet and set its parameters at the VPN server (see Step 4).

    For detailed information on how to create VPN tunnels, see chapter Interconnection of two private networks via the Internet (VPN tunnel).

  6. Add the new VPN tunnel to the Local Traffic rule. The Dial-In interface and the VPN clients group can also be removed from this rule (VPN clients are not allowed to connect to the branch office).

    Note: No other customization of traffic rules is necessary at the branch office; the required restrictions are already enforced by the traffic policy at the headquarters server, so the branch office firewall relies on the headquarters for everything that enters through the tunnel.
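Step 5 of both procedures is where the tunnel is actually authenticated: each endpoint accepts the other only if the certificate presented during the SSL handshake has exactly the fingerprint the administrator typed in, which is why self-signed certificates are sufficient here and why the fingerprint must be obtained out of band (from the peer's console) rather than copied from what the connection offers. The following Python model is an added example, not part of the manual or of WinRoute's code: it computes console-style fingerprints, normalizes the formats administrators tend to paste (lower case, spaces, colons), compares them in constant time, rejects truncated pins, and runs both sides' checks for a genuine handshake and for a substituted certificate. The certificate bytes are constructed stand-ins for DER certificates, and SHA-1 as the fingerprint algorithm is an assumption; use whatever algorithm the WinRoute console displays.

```python
"""Mutual certificate-fingerprint pinning between the two tunnel endpoints (Step 5 of
both procedures). Certificate bytes below are CONSTRUCTED stand-ins for the DER-encoded
self-signed certificates each VPN server presents; SHA-1 is an ASSUMED algorithm."""
import hashlib
import hmac


def fingerprint(cert_der: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of the DER bytes, as consoles show it."""
    digest = hashlib.new(algo, cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Reduce 'AB:CD', 'ab cd', 'abcd' ... to bare upper-case hex for comparison."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(cert_der: bytes, expected: str, algo: str = "sha1") -> bool:
    actual = normalize(fingerprint(cert_der, algo))
    expected = normalize(expected)
    # An empty or truncated pin is not a pin: a prefix match must not count.
    if not expected or len(expected) != len(actual):
        return False
    return hmac.compare_digest(actual, expected)  # constant-time comparison


class TunnelEndpoint:
    def __init__(self, name: str, cert_der: bytes, pinned_peer_fingerprint: str):
        self.name = name
        self.cert_der = cert_der
        self.pinned = pinned_peer_fingerprint

    def accept_peer(self, peer_cert_der: bytes) -> bool:
        return fingerprint_matches(peer_cert_der, self.pinned)


def establish_tunnel(active, passive, presented_by_active=None, presented_by_passive=None):
    """Both sides present a certificate and both must recognise the other's fingerprint.
    Returns 'Connected' or which side rejected the peer. The presented_by_* parameters
    let the example substitute a certificate, as a man-in-the-middle would."""
    a_cert = presented_by_active or active.cert_der
    p_cert = presented_by_passive or passive.cert_der
    if not passive.accept_peer(a_cert):
        return f"{passive.name} rejected peer certificate"
    if not active.accept_peer(p_cert):
        return f"{active.name} rejected peer certificate"
    return "Connected"


# CONSTRUCTED stand-ins for DER certificates (real ones are ASN.1 SEQUENCEs).
HQ_CERT = b"\x30\x82CONSTRUCTED:newyork.company.com:self-signed"
BRANCH_CERT = b"\x30\x82CONSTRUCTED:filial.company.com:self-signed"
ROGUE_CERT = b"\x30\x82CONSTRUCTED:newyork.company.com:other-key"  # same name, different key

# Each administrator reads the peer's fingerprint from the peer's console (out of band)
# and types it in; the two formats below show that normalize() tolerates the variants.
headquarters = TunnelEndpoint("newyork", HQ_CERT, fingerprint(BRANCH_CERT).lower())
branch = TunnelEndpoint("branch", BRANCH_CERT, fingerprint(HQ_CERT).replace(":", " "))


def demo() -> dict:
    return {
        "genuine": establish_tunnel(branch, headquarters),
        "substituted_hq_cert": establish_tunnel(branch, headquarters, presented_by_passive=ROGUE_CERT),
        "truncated_pin": fingerprint_matches(HQ_CERT, fingerprint(HQ_CERT)[:23]),
    }


if __name__ == "__main__":
    print("headquarters fingerprint:", fingerprint(HQ_CERT))
    print("branch fingerprint:      ", fingerprint(BRANCH_CERT))
    for case, outcome in demo().items():
        print(f"{case:22} -> {outcome}")
```

The genuine handshake reports Connected; when the passive side presents a different certificate with the same name, the branch (which pinned the real headquarters fingerprint) refuses it, and a pin that was only partly copied fails rather than matching as a prefix. This mirrors the manual's procedure: the fingerprint entered at each end is the entire trust decision, so an unverified or incomplete fingerprint leaves the tunnel open to whoever answers the connection.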

VPN test

Configuration of the VPN tunnel is now complete. At this point, test the availability of remote hosts from each end of the tunnel (from both local networks).

The ping and/or tracert operating system commands can be used for this. Test the availability of remote hosts both by IP address and by DNS name.

If a remote host does not respond when tested by IP address, check the configuration of the traffic rules and/or verify that the subnets do not collide (i.e. that the same subnet is not used at both ends of the tunnel).

If the IP address responds but testing the corresponding DNS name returns an error (Unknown host), check the DNS configuration.
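The DNS check in the last paragraph comes down to whether each end's DNS Forwarder sends a name to the right place: its own domain to local records, the peer's domain through the tunnel to the peer's LAN interface (Step 3 of both procedures), and everything else to the ISP. The following Python model is an added example, not the manual's or WinRoute's code; it encodes both forwarding tables and resolves sample names at each end. The host records and the ISP resolver addresses (198.51.100.x, a documentation range) are constructed; 10.1.1.1, 192.168.1.1, company.com and filial.company.com come from the page. The point the model makes explicit is that filial.company.com lies inside company.com, so the headquarters forwarder must apply the most specific rule, otherwise branch names would be looked up in the headquarters' own records and fail with Unknown host even though the tunnel is up.

```python
"""Split DNS forwarding as configured in Step 3 at both sites. Host records and the ISP
resolver addresses are CONSTRUCTED; the domains and the two LAN interface addresses
(10.1.1.1 at the headquarters, 192.168.1.1 at the branch) come from the example."""


class DnsForwarder:
    def __init__(self, local_domain, local_records, custom_forwarding, isp_servers):
        self.local_domain = local_domain.lower()
        self.local_records = {k.lower(): v for k, v in local_records.items()}
        # suffix -> forwarding server; None marks the domain answered from local records
        self.rules = {s.lower(): srv for s, srv in custom_forwarding.items()}
        self.rules[self.local_domain] = None
        self.isp_servers = list(isp_servers)

    @staticmethod
    def _in_domain(name, suffix):
        return name == suffix or name.endswith("." + suffix)

    def route(self, name):
        """Choose the most specific matching suffix. Longest match matters because
        filial.company.com is inside company.com: 'pc1.filial.company.com' asked at the
        headquarters must go to the branch forwarder, not to the local records."""
        name = name.lower().rstrip(".")
        matches = [s for s in self.rules if self._in_domain(name, s)]
        if not matches:
            return ("forward", self.isp_servers[0])  # default: ISP (primary)
        server = self.rules[max(matches, key=len)]
        return ("local", None) if server is None else ("forward", server)

    def resolve(self, name):
        """('local', ip) or ('local', None) meaning Unknown host, or ('forward', server)."""
        kind, server = self.route(name)
        if kind == "local":
            return ("local", self.local_records.get(name.lower().rstrip(".")))
        return (kind, server)


ISP = ["198.51.100.1", "198.51.100.2"]  # CONSTRUCTED ISP resolvers

# Headquarters: company.com answered locally, filial.company.com forwarded to the branch.
headquarters = DnsForwarder(
    "company.com",
    {"fileserver.company.com": "10.1.1.10"},           # CONSTRUCTED local record
    {"filial.company.com": "192.168.1.1"},             # through the VPN tunnel
    ISP,
)
# Branch: filial.company.com answered locally, company.com forwarded to the headquarters.
branch = DnsForwarder(
    "filial.company.com",
    {"pc1.filial.company.com": "192.168.1.20"},        # CONSTRUCTED local record
    {"company.com": "10.1.1.1"},                       # through the VPN tunnel
    ISP,
)

if __name__ == "__main__":
    for site, fwd in (("headquarters", headquarters), ("branch", branch)):
        for name in ("fileserver.company.com", "pc1.filial.company.com",
                     "ghost.filial.company.com", "www.example.com"):
            print(f"{site:13} {name:26} -> {fwd.resolve(name)}")
```

Two things to verify on a real deployment follow directly from the model. First, a name inside the forwarder's own domain that has no record (ghost.filial.company.com above) is answered locally as Unknown host, which is the symptom in the last paragraph: the fix is the hosts file or the DHCP cooperation described in Step 3, not the tunnel. Second, the forwarded queries to 192.168.1.1 and 10.1.1.1 cross the tunnel and are subject to the traffic rules at both ends; the Branch office rule at the headquarters as described in Step 6 lists only the WWW, FTP and Microsoft SQL services, so confirm that DNS from the branch forwarder to 10.1.1.1 is permitted as well, otherwise company.com names will fail from the branch while tests by IP address succeed.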
