Kerio Tech Firewall6 User Manual
Page 339

23.6 Example of a more complex Kerio VPN configuration
Note: For every installation of WinRoute, a stand-alone license for the corresponding number of users is required! For details see chapter

2. Configure and test the connection of the local network to the Internet. Hosts in the local network must use the WinRoute host's IP address as the default gateway and as the primary DNS server.
If it is a new (clean) WinRoute installation, it is possible to use the traffic rule wizard (refer to chapter ).
For a detailed description of the basic configuration of WinRoute and of the local network, refer to the Kerio WinRoute Firewall — Step By Step document.
3. In the DNS Forwarder configuration, set DNS forwarding rules for the domains of the other filials. This makes hosts in the remote networks reachable by their DNS names (otherwise, it is necessary to specify remote hosts by IP addresses).
To provide correct forwarding of DNS requests from the WinRoute host itself, the IP address of one of the host's own network interfaces must be used as its primary DNS server. As the secondary DNS server, specify the server to which DNS requests for other domains will be forwarded (typically the ISP's DNS server).
Note: For DNS to work properly, the DNS database must include records for the hosts in the corresponding local network. To achieve this, save the DNS names and IP addresses of local hosts into the hosts file (if they use static IP addresses) or enable cooperation of the DNS Forwarder with the DHCP server (if IP addresses are assigned dynamically to these hosts). For details, see chapter .
4. In the Interfaces section, enable the VPN server and set its SSL certificate if necessary. Note down the fingerprint of the server's certificate for later use (it will be required for configuration of the VPN tunnels in the other filials).
Check that the automatically selected VPN subnet does not collide with any local subnet in any filial, and select another free subnet if necessary.
Note: Given the complexity of this VPN configuration, it is recommended to reserve three free subnets in advance that can later be assigned to the individual VPN servers.
5. Define the VPN tunnel to one of the remote networks. The passive endpoint of the tunnel must be created at a server with a fixed public IP address. Only active endpoints of VPN tunnels can be created at servers with a dynamic IP address.
Set routing (define custom routes) for the tunnel. Select the Use custom routes only option and specify all subnets of the remote network in the custom routes list.
If the remote endpoint of the tunnel has already been defined, check whether the tunnel was established. If not, refer to the Error log, check the fingerprints of the certificates and also the availability of the remote server.
6. Follow the same method to define a tunnel and set routing to the other remote network.
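The subnet check in step 4 and the advice to reserve three free subnets up front are easy to get wrong by hand once several filials each carry more than one local subnet. The following Python script is an added example, not part of the manual and not Kerio's code: it takes the local subnets of each filial (the subnet list here is constructed sample data, as is the assumption that VPN subnets are drawn from 192.168.0.0/16 as /24 networks) and both reports which local subnet a candidate VPN subnet collides with and picks a set of free subnets that overlap neither the local networks nor each other, so one can be assigned to each VPN server.

```python
import ipaddress

# Constructed sample data: local subnets of three filials (branch offices).
# These values are assumptions for the example, not taken from the manual.
FILIAL_SUBNETS = {
    "headquarters": ["192.168.1.0/24", "192.168.2.0/24"],
    "filial-1": ["192.168.10.0/24"],
    "filial-2": ["10.1.0.0/16"],
}


def collisions(candidate, filial_subnets):
    """Return (filial, subnet) pairs whose local subnet overlaps the candidate VPN subnet.

    An empty list means the candidate is safe to use as a VPN subnet.
    """
    cand = ipaddress.ip_network(candidate, strict=True)
    hits = []
    for name, subnets in filial_subnets.items():
        for s in subnets:
            net = ipaddress.ip_network(s, strict=True)
            # overlaps() is symmetric and catches partial containment in either direction,
            # e.g. a /24 candidate inside a filial's /16.
            if cand.overlaps(net):
                hits.append((name, str(net)))
    return hits


def pick_free_vpn_subnets(filial_subnets, count=3, pool="192.168.0.0/16",
                          prefixlen=24, reserved=()):
    """Choose `count` subnets of size /prefixlen from `pool` that overlap no local subnet,
    none of the `reserved` networks, and not each other (one per VPN server).

    The pool and prefix length are assumptions for this example; use whatever private
    range the deployment has free.
    """
    taken = [ipaddress.ip_network(s, strict=True)
             for subs in filial_subnets.values() for s in subs]
    taken += [ipaddress.ip_network(r, strict=True) for r in reserved]
    chosen = []
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if any(cand.overlaps(t) for t in taken):
            continue
        if any(cand.overlaps(c) for c in chosen):
            continue
        chosen.append(cand)
        if len(chosen) == count:
            break
    return [str(c) for c in chosen]


if __name__ == "__main__":
    for candidate in ("192.168.1.0/24", "10.1.5.0/24", "172.16.0.0/24"):
        hits = collisions(candidate, FILIAL_SUBNETS)
        status = "collides with " + ", ".join(f"{n} ({s})" for n, s in hits) if hits else "free"
        print(f"{candidate}: {status}")
    print("reserve for the three VPN servers:", pick_free_vpn_subnets(FILIAL_SUBNETS))
```

Run it once with the real subnet inventory before enabling the VPN servers; any candidate that prints a collision must be replaced, and the three returned subnets can be handed to the individual VPN servers so that later tunnels and custom routes never overlap a filial's own addressing.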