Kerio Tech Firewall6 User Manual
Page 313
23.1 VPN Server Configuration
After each change to the configuration of the local network and/or the VPN, it is
recommended to check that no IP collision is reported!
Warning
1. Under certain circumstances, a collision with the local network might also arise when
the VPN subnet is set automatically (if the configuration of the local network is changed
later).
2. Regarding two VPN tunnels, it is also checked when a connection is established
whether the VPN subnet collides with IP ranges at the other end of the tunnel
(remote endpoint).
If a collision with an IP range is reported upon startup of the VPN server (upon clicking
Apply in the Interfaces tab), the VPN subnet must be set by hand. Select a network
which is not used by any of the local networks participating in the connection. VPN
subnets at each end of the tunnel must not be identical (two free subnets must be
selected).
3. VPN clients can also be assigned IP addresses according to login usernames. For
details, see chapter
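The collision rules from point 2, as an added example (not part of the Kerio manual and not WinRoute's own code): a Python check that flags overlapping IPv4 ranges among the networks at both tunnel ends and picks a free VPN subnet to set by hand. All addresses and labels are constructed, and the 172.27.0.0/16 candidate pool is an assumption.

```python
import ipaddress
from itertools import combinations


def find_collisions(ranges):
    """ranges maps a label to an IPv4 CIDR string.
    Returns every pair of labels whose ranges overlap (identical ranges included)."""
    nets = {label: ipaddress.ip_network(cidr) for label, cidr in ranges.items()}
    return sorted(
        (a, b)
        for (a, net_a), (b, net_b) in combinations(nets.items(), 2)
        if net_a.overlaps(net_b)
    )


def first_free_subnet(pool, prefixlen, used):
    """Returns the first /prefixlen subnet of pool that overlaps none of the
    ranges in used, or None when the pool is exhausted."""
    used_nets = [ipaddress.ip_network(cidr) for cidr in used]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(net) for net in used_nets):
            return str(candidate)
    return None


# Constructed sample: both ends were left with the same VPN subnet.
SAMPLE = {
    "local network (site A)": "192.168.1.0/24",
    "VPN subnet (site A)": "172.27.0.0/24",
    "local network (site B)": "10.1.0.0/16",
    "VPN subnet (site B)": "172.27.0.0/24",
}

if __name__ == "__main__":
    for a, b in find_collisions(SAMPLE):
        print(f"collision: {a} <-> {b}")
    # Pick a replacement for site B that is free at both ends (assumed pool).
    fixed = dict(SAMPLE)
    fixed["VPN subnet (site B)"] = first_free_subnet(
        "172.27.0.0/16", 24, SAMPLE.values()
    )
    print("site B VPN subnet set by hand:", fixed["VPN subnet (site B)"])
    print("remaining collisions:", find_collisions(fixed))
```
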
SSL certificate
Information about the current VPN server certificate. This certificate is used for
verification of the server’s identity during creation of a VPN tunnel (for details, refer to
chapter
). The VPN server in WinRoute uses the standard SSL certificate.
When defining a VPN tunnel, it is necessary to send the local endpoint’s certificate
fingerprint to the remote endpoint and vice versa (mutual verification of identity; see
chapter
).
Hint
The certificate fingerprint can be copied to the clipboard and pasted into a text file, email
message, etc.
Click Change SSL Certificate to set parameters for the certificate of the VPN server. For
the VPN server, you can either create a custom (self-signed) certificate or import a
certificate created by a certification authority. The certificate created is saved in the sslcert
subdirectory of the WinRoute installation directory as vpn.crt and the corresponding private
key is saved at the same location as vpn.key.
Methods used for creation and import of SSL certificates are described thoroughly in
chapter
.
Note: If you already have a certificate created by a certification authority especially for
your server (e.g. for secured Web interface), it is also possible to use it for the VPN server
— it is not necessary to apply for a new certificate.