Configuring IPsec VPN tunnel with another device
You can create a secure tunnel between two LANs, each protected by its own firewall.
This article describes creating an IPsec (Internet Protocol security) VPN tunnel between Kerio Control and another device, that is, a third-party IPsec gateway rather than a second Kerio Control.
Before you start, read the topic which describes Kerio Control settings. For more information refer to Configuring IPsec VPN tunnel.
Default values in Kerio Control
This section includes default and supported values for IPsec implemented in Kerio Control.
Both endpoints should negotiate the tunnel parameters automatically. If negotiation fails and you have to set the values manually, consult the following tables for the default and supported values in Kerio Control and configure the remote device to match.
For more information refer to Configuring ciphers in key exchange (IKE).
Kerio Control proposes the default values. The remote endpoint of the tunnel can use any of the supported values; the unsupported values cannot be negotiated with Kerio Control.
Phase 1 (IKE):
Variable | Default values | Supported values | Unsupported values |
---|---|---|---|
mode | main | aggressive | |
remote ID type | hostname | IP address | |
NAT traversal | enabled | | |
ciphersuite (policies) | aes128-sha1-modp2048,3des-sha1-modp1536 | see Supported ciphers below | |
version | IKEv1 | | |
DPD timeouts | enabled (150 sec) | | |
lifetime | 3 hours | | |
Phase 2 (ESP):
Variable | Default / supported values | Unsupported values |
---|---|---|
mode | tunnel | transport |
protocol | ESP | AH |
ciphersuite (policies) | aes128-sha1, 3des-sha1 (see Supported ciphers below) | |
PFS | off | |
lifetime | 60 mins | |
Supported ciphers
Each cipher consists of three parts:
- Encryption algorithm — for example, aes128
- Integrity algorithm — for example, sha1
- Diffie-Hellman group — for example, modp2048
A cipher is written as the three parts joined with hyphens, as in aes128-sha1-modp2048. In Phase 2 the Diffie-Hellman group is omitted when PFS is off, as in the default aes128-sha1.
Kerio Control supports the following ciphers. In each table the three columns are independent lists; a row does not denote a fixed combination.
Phase 1 (IKE) - supported ciphers
Encryption Algorithms | Integrity Algorithms | Diffie-Hellman Groups |
---|---|---|
aes128 or aes (128-bit AES-CBC) | md5 (MD5 HMAC) | 2 (modp1024) |
aes192 (192-bit AES-CBC) | sha1 or sha (SHA1 HMAC) | 5 (modp1536) |
aes256 (256-bit AES-CBC) | sha2_256 or sha256 (SHA2_256_128 HMAC) | 14 (modp2048) |
3des (168-bit 3DES-EDE-CBC) | sha2_384 or sha384 (SHA2_384_192 HMAC) | 15 (modp3072) |
 | sha2_512 or sha512 (SHA2_512_256 HMAC) | 16 (modp4096) |
 | | 18 (modp8192) |
 | | 22 (modp1024s160) |
 | | 23 (modp2048s224) |
 | | 24 (modp2048s256) |
Phase 2 (ESP) - supported ciphers
Encryption Algorithms | Integrity Algorithms | Diffie-Hellman Groups |
---|---|---|
aes128 or aes (128-bit AES-CBC) | md5 (MD5 HMAC) | none (no PFS) |
aes192 (192-bit AES-CBC) | sha1 or sha (SHA1 HMAC) | 2 (modp1024) |
aes256 (256-bit AES-CBC) | aesxcbc (AES XCBC) | 5 (modp1536) |
3des (168-bit 3DES-EDE-CBC) | | 14 (modp2048) |
blowfish256 (256-bit Blowfish-CBC) | | 15 (modp3072) |
 | | 16 (modp4096) |
 | | 18 (modp8192) |
 | | 22 (modp1024s160) |
 | | 23 (modp2048s224) |
 | | 24 (modp2048s256) |
Of the listed options, md5, 3des, blowfish256 and the Diffie-Hellman groups shorter than 2048 bits (2, 5 and 22) are no longer considered adequate. Where the remote device supports it, prefer an AES encryption algorithm with a SHA-2 integrity algorithm and group 14 or higher in Phase 1, avoid md5 in Phase 2, and consider enabling PFS in Phase 2 by selecting a group instead of none.
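The following script is an added example, not code from Kerio or from any VPN vendor. It ties the two tables above together: it parses a cipher string into the three parts described under Supported ciphers, checks each part against the names Kerio Control documents for Phase 1 and Phase 2, flags the components this example treats as weak (its own assessment, not the page's), and then emits a strongSwan ipsec.conf stanza whose settings mirror the Kerio defaults from the Phase 1 and Phase 2 tables (IKEv1 main mode, tunnel-mode ESP, no PFS, 3 h and 60 min lifetimes, 150 s DPD timeout). strongSwan is assumed as the "other device"; the hostnames, addresses and subnets are made up.

```python
"""Check IKE/ESP proposals against the cipher names Kerio Control documents and
build a matching strongSwan ipsec.conf stanza for the remote endpoint.
Added example; all hostnames, addresses and subnets are constructed."""

# Names copied from the "Supported ciphers" tables, aliases included.
PHASE1_ENC = {"aes", "aes128", "aes192", "aes256", "3des"}
PHASE1_INT = {"md5", "sha", "sha1", "sha2_256", "sha256",
              "sha2_384", "sha384", "sha2_512", "sha512"}
DH_GROUPS = {"modp1024", "modp1536", "modp2048", "modp3072", "modp4096",
             "modp8192", "modp1024s160", "modp2048s224", "modp2048s256"}
PHASE2_ENC = PHASE1_ENC | {"blowfish256"}
PHASE2_INT = {"md5", "sha", "sha1", "aesxcbc"}

# Components this example flags as weak (MD5, 3DES, Blowfish and DH groups
# under 2048 bits). This is the example's own assessment, not the page's.
WEAK = {"md5", "3des", "blowfish256", "modp1024", "modp1024s160", "modp1536"}


def parse_proposal(spec, phase):
    """Split 'enc-integrity[-dhgroup]' into parts and verify each part is in the
    supported set for the phase. Phase 1 needs all three parts; Phase 2 may omit
    the group (PFS off). Raises ValueError for anything Kerio does not list."""
    parts = spec.lower().split("-")
    if phase == 1:
        enc_set, int_set, lengths, shape = PHASE1_ENC, PHASE1_INT, (3,), "enc-integrity-dhgroup"
    elif phase == 2:
        enc_set, int_set, lengths, shape = PHASE2_ENC, PHASE2_INT, (2, 3), "enc-integrity[-dhgroup]"
    else:
        raise ValueError("phase must be 1 or 2")
    if len(parts) not in lengths:
        raise ValueError(f"{spec!r}: expected {shape}")
    enc, integ = parts[0], parts[1]
    group = parts[2] if len(parts) == 3 else None
    if enc not in enc_set:
        raise ValueError(f"{spec!r}: unsupported encryption algorithm {enc!r}")
    if integ not in int_set:
        raise ValueError(f"{spec!r}: unsupported integrity algorithm {integ!r}")
    if group is not None and group not in DH_GROUPS:
        raise ValueError(f"{spec!r}: unsupported DH group {group!r}")
    return {"enc": enc, "integrity": integ, "group": group}


def is_supported(spec, phase):
    """True if Kerio Control lists every part of the proposal for that phase."""
    try:
        parse_proposal(spec, phase)
        return True
    except ValueError:
        return False


def weak_components(spec, phase):
    """Return the parts of a supported proposal that this example treats as weak."""
    parsed = parse_proposal(spec, phase)
    return sorted(v for v in parsed.values() if v in WEAK)


def strongswan_conn(name, left, leftid, leftsubnet, right, rightid, rightsubnet,
                    ike="aes128-sha1-modp2048,3des-sha1-modp1536", esp="aes128-sha1"):
    """Build an ipsec.conf 'conn' stanza mirroring the Kerio defaults: IKEv1 main
    mode, tunnel-mode ESP, no PFS, IKE lifetime 3 h, ESP lifetime 60 min, DPD
    timeout 150 s, FQDN identities. Proposals are validated first so a typo
    fails here instead of during IKE negotiation. Authentication is by PSK."""
    for proposal in ike.split(","):
        parse_proposal(proposal, 1)
    for proposal in esp.split(","):
        parse_proposal(proposal, 2)
    lines = [
        f"conn {name}",
        "    keyexchange=ikev1",        # Kerio: version IKEv1
        "    aggressive=no",            # Kerio default: main mode
        "    type=tunnel",              # Kerio: tunnel mode; transport unsupported
        "    authby=secret",            # pre-shared key (assumed)
        f"    ike={ike}!",              # trailing '!' = offer only these proposals
        f"    esp={esp}!",              # no DH group in esp= means PFS off
        "    ikelifetime=3h",           # Kerio Phase 1 lifetime
        "    lifetime=60m",             # Kerio Phase 2 lifetime
        "    dpdaction=restart",
        "    dpddelay=30s",
        "    dpdtimeout=150s",          # Kerio DPD timeout
        f"    left={left}",
        f"    leftid=@{leftid}",        # '@' = FQDN identity, matching Kerio's hostname ID type
        f"    leftsubnet={leftsubnet}",
        f"    right={right}",
        f"    rightid=@{rightid}",
        f"    rightsubnet={rightsubnet}",
        "    auto=start",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: branch office (strongSwan) connecting to a Kerio Control.
    print(strongswan_conn("kerio", "203.0.113.10", "branch.example.com", "10.20.0.0/16",
                          "198.51.100.5", "kerio.example.com", "192.168.1.0/24"))
    for proposal in ("aes128-sha1-modp2048", "3des-sha1-modp1536"):
        print(proposal, "weak parts:", weak_components(proposal, 1))
```

The generated stanza keeps Kerio's defaults so the two sides agree on the first try; once the tunnel is up, tighten it by passing, for example, ike="aes256-sha256-modp2048" and esp="aes256-sha1-modp2048" (which turns PFS on) and setting the same values on the Kerio side.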