Kerio Tech KERIO WINROUTE FIREWALL 6 User Manual


23.5 Example of Kerio VPN configuration: company with a filial office


Common method

The following actions must be taken in both local networks (i.e. in the main office and in the filial):

1. WinRoute version 6.0.0 or higher (older versions do not include Kerio VPN) must be installed at the default gateway.

   Note: For each installation of WinRoute, a separate license for the corresponding number of users is required! For details see chapter 4.

2. Configure and test the connection of the local network to the Internet. Hosts in the local network must use the WinRoute host's IP address as the default gateway and as the primary DNS server.

   If it is a new (clean) WinRoute installation, it is possible to use the traffic rule wizard (refer to chapter 7.1).

   For a detailed description of the basic configuration of WinRoute and of the local network, refer to the Kerio WinRoute Firewall — Step By Step document.

3. In the configuration of the DNS module, set DNS forwarding rules for the domain in the remote network. This makes it possible to access hosts in the remote network by their DNS names (otherwise, remote hosts must be specified by IP address).

   To ensure correct forwarding of DNS requests from the WinRoute host, the IP address of a network device belonging to the host must be used as the primary DNS server. As the secondary DNS server, specify the server to which DNS requests addressed to other domains will be forwarded (typically the ISP's DNS server).

   Note: For DNS to work properly, the DNS database must include records for the hosts in the corresponding local network. To achieve this, save the DNS names and IP addresses of local hosts into the hosts file (if they use fixed IP addresses) or enable cooperation of the DNS module with the DHCP server (if IP addresses are assigned to these hosts dynamically). For details, see chapter 8.1.

4. In the Interfaces section, enable the VPN server and set its SSL certificate if necessary. Note down the fingerprint of the server's certificate for later use (it will be required when configuring the remote endpoint of the VPN tunnel).

   Check that the automatically selected VPN subnet does not collide with any local subnet, either in the headquarters or in the filial, and select another free subnet if necessary.

5. Define the VPN tunnel to the remote network. The passive endpoint of the tunnel must be created at a server with a fixed public IP address (i.e. at the headquarters' server). Only active endpoints of VPN tunnels can be created at servers with dynamic IP addresses.

   If the remote endpoint of the tunnel has already been defined, check whether the tunnel has been established. If not, refer to the Error log, check the fingerprints of the certificates and also the availability of the remote server.
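The subnet check in step 4 is easy to get wrong by eye once both sites have several subnets. The following Python script is an added example (not part of the manual, and not a Kerio tool): it tests a VPN subnet against the local subnets of both the headquarters and the filial, and, on a collision, picks a free block from private address space. All subnet values are constructed sample data.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample values (assumptions, not taken from the manual): the local
# subnets at the headquarters and at the filial. The VPN subnet must not
# overlap any subnet on either side of the tunnel.
HEADQUARTERS_SUBNETS = ["192.168.1.0/24", "10.10.0.0/16"]
FILIAL_SUBNETS = ["192.168.2.0/24", "192.168.44.0/24"]

# Private ranges from which a replacement VPN subnet may be chosen.
CANDIDATE_RANGES = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]


def vpn_subnet_collides(vpn_subnet: str, local_subnets: Iterable[str]) -> List[str]:
    """Return the local subnets that overlap the VPN subnet (empty list = no collision)."""
    vpn = ipaddress.ip_network(vpn_subnet, strict=False)
    return [s for s in local_subnets
            if vpn.overlaps(ipaddress.ip_network(s, strict=False))]


def pick_free_vpn_subnet(local_subnets: Iterable[str], prefixlen: int = 24,
                         candidate_ranges: Iterable[str] = CANDIDATE_RANGES) -> Optional[str]:
    """Walk the candidate ranges and return the first block of the requested
    prefix length that overlaps none of the local subnets, or None if all are taken."""
    used = [ipaddress.ip_network(s, strict=False) for s in local_subnets]
    for rng in candidate_ranges:
        net = ipaddress.ip_network(rng)
        if net.prefixlen > prefixlen:  # range too small to carve a block from
            continue
        for block in net.subnets(new_prefix=prefixlen):
            if not any(block.overlaps(u) for u in used):
                return str(block)
    return None


if __name__ == "__main__":
    both_sides = HEADQUARTERS_SUBNETS + FILIAL_SUBNETS
    auto_selected = "192.168.44.0/24"  # constructed: collides with the filial
    clash = vpn_subnet_collides(auto_selected, both_sides)
    if clash:
        print(f"{auto_selected} collides with {clash}; choosing another subnet")
        print("free VPN subnet:", pick_free_vpn_subnet(both_sides))
    else:
        print(f"{auto_selected} is free")
```

Run it with the subnets of both sites filled in; the same check applies whichever side you configure first, since the VPN subnet is shared by both endpoints of the tunnel.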
