Kerio Tech Firewall6 User Manual

Chapter 23

Kerio VPN


Figure 23.7 VPN tunnel configuration

The passive mode is only useful when the local end of the tunnel has a fixed IP address and when it is allowed to accept incoming connections.

At least one end of each VPN tunnel must be switched to the active mode (passive servers cannot initiate a connection).

Configuration of a remote end of the tunnel

When a VPN tunnel is being created, the identity of the remote endpoint is authenticated through the fingerprint of its SSL certificate. If the fingerprint does not match the fingerprint specified in the configuration of the tunnel, the connection will be rejected.

The fingerprint of the local certificate and the entry for specification of the remote fingerprint are provided in the Settings for remote endpoint section. Specify the fingerprint of the remote VPN server's certificate here and, vice versa, specify the fingerprint of the local server in the configuration at the remote server.
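The mutual fingerprint check and the active/passive rule described above can be modelled as follows. This is an added example, not code from the manual or from Kerio. The SHA-256 digest (the manual does not name the hash algorithm), the `Endpoint` class, and the certificate byte strings are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

def fingerprint(cert_der: bytes) -> str:
    """Colon-separated hex digest of a DER certificate (SHA-256 is an assumption)."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Keep hex digits only, lowercased, so pasted values compare reliably."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")

def fingerprint_matches(presented_cert: bytes, configured_fp: str) -> bool:
    """Compare the presented certificate against the configured fingerprint."""
    presented = normalize(fingerprint(presented_cert))
    return hmac.compare_digest(presented, normalize(configured_fp))

@dataclass
class Endpoint:  # hypothetical model of one end of the tunnel
    name: str
    cert_der: bytes   # local certificate
    remote_fp: str    # fingerprint configured for the remote endpoint
    active: bool      # True = active mode, False = passive mode

def tunnel_status(a: Endpoint, b: Endpoint) -> str:
    """Apply the rules from the text: one end active, both fingerprints match."""
    if not (a.active or b.active):
        return "no connection: both ends passive"
    if not fingerprint_matches(b.cert_der, a.remote_fp):
        return f"rejected by {a.name}: remote fingerprint mismatch"
    if not fingerprint_matches(a.cert_der, b.remote_fp):
        return f"rejected by {b.name}: remote fingerprint mismatch"
    return "established"

# Constructed stand-ins for DER-encoded certificates (not real certificates).
HQ_CERT = b"constructed-certificate-bytes-headquarters"
BRANCH_CERT = b"constructed-certificate-bytes-branch"
ROGUE_CERT = b"constructed-certificate-bytes-unknown"

if __name__ == "__main__":
    hq = Endpoint("hq", HQ_CERT, fingerprint(BRANCH_CERT), active=False)
    branch = Endpoint("branch", BRANCH_CERT, fingerprint(HQ_CERT), active=True)
    rogue = Endpoint("branch", ROGUE_CERT, fingerprint(HQ_CERT), active=True)
    print(tunnel_status(hq, branch))  # correctly cross-configured pair
    print(tunnel_status(hq, rogue))   # unexpected certificate on the remote end
```

Because each end checks the other, a tunnel configured with the correct fingerprint on only one side is still rejected by the side holding the wrong value.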