Kerio Tech KERIO WINROUTE FIREWALL 6 User Manual

Page 286


Chapter 23

Kerio VPN


later).

2. When a VPN tunnel is established, WinRoute also checks whether its VPN subnet collides with any IP range at the other end of the tunnel (the remote endpoint).

If a collision with an IP range is reported when the VPN server starts (i.e. when you click Apply on the Interfaces tab), the VPN subnet must be set by hand. Select a subnet that is not used by any of the local networks participating in the connection. The VPN subnets at the two ends of the tunnel must also differ from each other, so two free subnets must be selected.

3. VPN clients can also be assigned IP addresses according to their login usernames. For details, see chapter 15.1.
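The collision check described in item 2, as an added example (not WinRoute code): a Python reproduction of the rule that a VPN subnet must overlap neither the LANs on either side of the tunnel nor the other end's VPN subnet, plus a helper that picks a free subnet from a pool. The network ranges, the 10.0.0.0/8 pool and the /24 size are constructed sample values and assumptions of this example; the way WinRoute itself chooses its default range is not described on this page.

```python
"""Check a VPN subnet for collisions with the networks on both ends of a
tunnel and, if needed, pick a free one.

Added example, not WinRoute code. It reproduces the rule from the manual so
the ranges can be checked before clicking Apply. All networks used below are
constructed sample values."""
import ipaddress
from typing import Dict, Iterable, List, Optional

Net = ipaddress.IPv4Network


def parse(nets: Iterable[str]) -> List[Net]:
    """Turn 'a.b.c.d/n' strings into network objects (host bits tolerated)."""
    return [ipaddress.ip_network(n, strict=False) for n in nets]


def collisions(vpn_subnet: str, in_use: Iterable[str]) -> List[str]:
    """Return every range in `in_use` that overlaps the proposed VPN subnet."""
    vpn = ipaddress.ip_network(vpn_subnet, strict=False)
    return [str(n) for n in parse(in_use) if vpn.overlaps(n)]


def pick_free_subnet(in_use: Iterable[str], prefixlen: int = 24,
                     pool: str = "10.0.0.0/8") -> Optional[str]:
    """Walk `pool` in /prefixlen steps and return the first subnet that
    overlaps nothing in `in_use`, or None if the pool is exhausted.
    Pool and prefix length are assumptions of this example."""
    used = parse(in_use)
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None


def plan_tunnel(local_lans: Iterable[str], remote_lans: Iterable[str],
                local_vpn: str, remote_vpn: str) -> Dict[str, List[str]]:
    """Validate both endpoints' VPN subnets against every LAN on either side
    and against each other. Returns a dict of problems; empty means OK.
    Identical VPN subnets show up as each colliding with the other."""
    problems: Dict[str, List[str]] = {}
    lans = list(local_lans) + list(remote_lans)
    local_bad = collisions(local_vpn, lans + [remote_vpn])
    if local_bad:
        problems["local_vpn"] = local_bad
    remote_bad = collisions(remote_vpn, lans + [local_vpn])
    if remote_bad:
        problems["remote_vpn"] = remote_bad
    return problems


if __name__ == "__main__":
    # Constructed sample: the local site's VPN range lands inside the remote
    # site's LAN, and the remote site's VPN range reuses a local LAN.
    LOCAL_LANS = ["192.168.1.0/24", "192.168.2.0/24"]
    REMOTE_LANS = ["10.1.0.0/16", "172.16.0.0/24"]
    print(plan_tunnel(LOCAL_LANS, REMOTE_LANS, "10.1.5.0/24", "192.168.2.0/24"))
    # Pick two free subnets, the second one also avoiding the first.
    first = pick_free_subnet(LOCAL_LANS + REMOTE_LANS)
    second = pick_free_subnet(LOCAL_LANS + REMOTE_LANS + [first])
    print(first, second)
```

Run the script to see the two collisions reported and a pair of free /24 subnets proposed; the same functions can be fed the real interface ranges of both endpoints before the tunnel is defined.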

SSL certificate

Information about the current VPN server certificate. This certificate is used to verify the server's identity when a VPN tunnel is created (for details, refer to chapter 23.3). The VPN server in WinRoute uses a standard SSL certificate.

When defining a VPN tunnel, the fingerprint of the local endpoint's certificate must be sent to the remote endpoint and vice versa (mutual verification of identity; see chapter 23.3).

Hint

The certificate fingerprint can be copied to the clipboard and pasted into a text file, an email message, etc.

Click Change SSL Certificate to set the parameters of the VPN server's certificate. For the VPN server you can either create a custom (self-signed) certificate or import a certificate issued by a certification authority. The certificate is saved in the sslcert subdirectory of the WinRoute installation directory as vpn.crt, and the corresponding private key is saved in the same location as vpn.key. Restrict access to vpn.key: anyone who can read it can impersonate the VPN server.

Methods for creating and importing SSL certificates are described thoroughly in chapter 11.1.

Note: If you already have a certificate issued by a certification authority for your server (e.g. for the secured Web interface), it can also be used for the VPN server; it is not necessary to apply for a new certificate.
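Verification of the exchanged fingerprint, as an added example (not WinRoute code): once the remote endpoint's certificate has been received during tunnel setup, its fingerprint is recomputed and compared with the value the remote administrator sent. The DER bytes below are a constructed stand-in, not a real certificate, and SHA-1 is an assumption of this example, since the page does not state which hash WinRoute displays, so the algorithm is a parameter. The comparison accepts the common notations (colon-separated, spaced, bare hex) and fails closed when the configured value is missing or malformed.

```python
"""Compare a received certificate against an out-of-band fingerprint.

Added example, not WinRoute code. `der_cert` stands for the DER-encoded
certificate obtained from the remote endpoint during the handshake; the
sample bytes are constructed and are not a real certificate. The hash
algorithm is an assumption (WinRoute's choice is not stated on this page)."""
import hashlib
import hmac

HEX = set("0123456789ABCDEF")

# Constructed stand-in for a DER certificate (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x22" + bytes(range(256)) + b"constructed stand-in"


def fingerprint(der_cert: bytes, algo: str = "sha1") -> str:
    """Fingerprint as colon-separated upper-case hex, the notation used by
    most consoles and by `openssl x509 -fingerprint`."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Reduce 'AA:BB', 'aa bb' or 'aabb' to plain upper-case hex digits."""
    return "".join(ch for ch in fp.upper() if ch in HEX)


def matches(der_cert: bytes, expected_fp: str, algo: str = "sha1") -> bool:
    """True only if the recomputed fingerprint equals the configured one.

    The length check makes an empty or truncated configured value fail
    closed instead of matching a prefix; compare_digest keeps the
    comparison constant-time."""
    want = normalize(expected_fp)
    if len(want) != hashlib.new(algo).digest_size * 2:
        return False
    got = normalize(fingerprint(der_cert, algo))
    return hmac.compare_digest(got, want)


if __name__ == "__main__":
    # What the remote administrator would paste from the console:
    sent = fingerprint(SAMPLE_DER)
    print("remote fingerprint:", sent)
    print("genuine cert accepted:", matches(SAMPLE_DER, sent))
    print("altered cert rejected:", not matches(SAMPLE_DER + b"x", sent))
    print("missing value rejected:", not matches(SAMPLE_DER, ""))
```

The fingerprint is only as trustworthy as the channel it arrived over: an attacker who can intercept the tunnel setup and also alter the email carrying the fingerprint defeats the check, so confirm the value over a second channel when the first is not trusted.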

DNS configuration for VPN clients

To allow VPN clients to reach local hosts by hostname, they need at least one local DNS server.

The WinRoute VPN server offers the following DNS server configuration options:

Use WinRoute as DNS server — the IP address of the corresponding interface of the WinRoute host is used as the DNS server for VPN clients (VPN clients will use the DNS module; see chapter 8.1). This is the default option if the DNS module is enabled in WinRoute.
