Kerio Tech Firewall6 User Manual
Page 319
23.3 Interconnection of two private networks via the Internet (VPN tunnel)
319
Figure 23.8
VPN tunnel — certificate fingerprints
If the local endpoint is set to the active mode, the certificate of the remote endpoint and
its fingerprint can be downloaded by clicking Detect remote certificate. Passive endpoint
cannot detect remote certificate.
However, this method of fingerprint setting is quite insecure —a counterfeit certificate
might be used. If a fingerprint of a false certificate is used for the configuration of
the VPN tunnel, it is possible to create a tunnel for the false endpoint (for the attacker).
Moreover, a valid certificate would not be accepted from the other side. Therefore, for
security reasons, it is recommended to set fingerprints manually.
DNS Settings
DNS must be set properly at both sends of the tunnel so that it is possible to connect to hosts
in the remote network using their DNS names. One method is to add DNS records of the hosts
(to the hosts file) at each endpoint. However, this method is quite complicated and inflexible.
If the DNS forwarder in WinRoute is used as the DNS server at both ends of the tunnel, DNS
queries (for DNS rules, refer to chapter
) can be forwarded to hostnames in the correspond-
ing domain of the DNS forwarder at the other end of the tunnel. DNS domain (or subdomain)
must be used at both sides of the tunnel.
Note: To provide correct forwarding of DNS queries sent from the WinRoute host (at any side
of the VPN tunnel), it is necessary that these queries are processed by DNS forwarder. To
secure this, set local IP address as for the DNS server and specify former DNS servers in the
WinRoute’s DNS forwarder.
Detailed guidance for the DNS configuration is provided in chapter
.