Kerio Tech Firewall6 User Manual
items). To generate the rules automatically, select Yes, I want to use Kerio VPN in Step 5.
For details, see chapter

2. For access to the Internet, VPN clients use their current Internet connections. VPN clients
cannot connect to the Internet via WinRoute (WinRoute cannot set the default gateway of
VPN clients).

3. For detailed information about traffic rules, refer to chapter
23.3 Interconnection of two private networks via the Internet (VPN tunnel)
WinRoute (version 6.0.0 or later) with VPN support (VPN support is included in the typical
installation; see chapter ) must be installed in both networks before an encrypted tunnel
between the local and the remote network can be created over the Internet (a "VPN tunnel").
Note: Each installation of WinRoute requires its own license (see chapter ).
Setting up VPN servers
First, the VPN server must be enabled and allowed by the traffic policy at both ends of the
tunnel. For a detailed description of VPN server configuration, refer to chapter
Definition of a tunnel to a remote server
The VPN tunnel to the server on the other side must be defined at both ends. Use Add → VPN
tunnel in the Interfaces section to create a new tunnel.
Name of the tunnel
Each VPN tunnel must have a unique name. The name is used in the table of interfaces, in
traffic rules (see chapter ) and in interface statistics (see chapter ).
Configuration
Selection of a mode for the local end of the tunnel:

• Active — this end of the tunnel automatically attempts to establish and maintain a
connection to the remote VPN server.
The remote VPN server must be specified in the Remote hostname or IP address entry.
If the remote VPN server listens on a port other than 4090, the port number must be
appended after a colon (e.g. server.company.com:4100 or 10.10.100.20:9000).
This mode can be used only if the IP address or DNS name of the other end of the tunnel
is known and the remote endpoint is able to accept incoming connections (i.e. the
connection is not blocked by a firewall at the remote end of the tunnel).

• Passive — this end of the tunnel only listens for an incoming connection from the
remote (active) end. At least one end of a tunnel must therefore be active; a tunnel
with both ends set to Passive is never established.
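As an added example (not part of the Kerio manual and not Kerio's own code), the following Python helper applies the rules above when planning a tunnel definition: it parses the Remote hostname or IP address entry with its optional :port suffix (defaulting to 4090), checks that at least one end is Active, and probes whether the remote end accepts an incoming connection before the Active end is configured. The hostname vpn.example.net is a constructed input, and the probe assumes a plain TCP connect; the manual names only the port number, not the transport.

```python
"""Helpers for planning a Kerio VPN tunnel definition (illustrative, not Kerio code)."""
import re
import socket
from ipaddress import IPv4Address, AddressValueError

DEFAULT_VPN_PORT = 4090  # default VPN server port named in the manual

# RFC 1123 style hostname: labels of 1-63 alphanumerics/hyphens, no leading/trailing hyphen
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def parse_remote_endpoint(entry: str, default_port: int = DEFAULT_VPN_PORT) -> tuple[str, int]:
    """Parse the 'Remote hostname or IP address' entry of an Active tunnel end.

    Accepts 'host' or 'host:port', where host is a DNS name or an IPv4 address
    (IPv6 literals are not handled; the manual's examples are IPv4 and DNS names).
    A missing port means the default, 4090.
    """
    entry = entry.strip()
    if not entry:
        raise ValueError("remote endpoint must not be empty")
    host, sep, port_text = entry.rpartition(":")
    if not sep:
        host, port = entry, default_port
    else:
        if not port_text.isdigit():
            raise ValueError(f"port must be numeric in {entry!r}")
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range in {entry!r}")
    try:
        IPv4Address(host)  # valid dotted-quad address
    except AddressValueError:
        if not _HOSTNAME_RE.match(host):
            raise ValueError(f"invalid hostname or IPv4 address: {host!r}")
    return host, port


def check_tunnel_modes(local_mode: str, remote_mode: str) -> str:
    """Validate the Active/Passive choice made at the two ends.

    Returns which end initiates the connection. At least one end must be Active,
    because a Passive end only listens; two Passive ends would never connect.
    """
    modes = (local_mode.lower(), remote_mode.lower())
    for mode in modes:
        if mode not in ("active", "passive"):
            raise ValueError(f"unknown tunnel mode {mode!r}")
    if "active" not in modes:
        raise ValueError("at least one end of the tunnel must be active")
    return "local" if modes[0] == "active" else "remote"


def remote_accepts_connections(host: str, port: int, timeout: float = 3.0) -> bool:
    """Probe whether the remote end accepts an incoming connection on the tunnel port.

    Assumption: a plain TCP connect is used; the manual only says 'port 4090'.
    A refused or timed-out connection usually means the remote firewall's traffic
    policy does not yet allow its VPN server, which must be fixed before an
    Active end can establish the tunnel.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the manual's two examples plus a default-port entry
    for entry in ("server.company.com:4100", "10.10.100.20:9000", "vpn.example.net"):
        host, port = parse_remote_endpoint(entry)
        print(f"{entry:28} -> host={host} port={port}")
    print("initiating end:", check_tunnel_modes("active", "passive"))
```

Run the probe from the Active end against the parsed host and port once the remote VPN server has been enabled and allowed by its traffic policy; a False result points at the remote firewall rather than at the tunnel definition.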