Connecting multiple offices via Kerio VPN and IPsec VPN tunnels
In Kerio Control, you can create both Kerio VPN and IPsec VPN tunnels. This article describes how to configure routes between those two tunnels so that each host sees all other hosts in all subnets of the network.
The Kerio VPN tunnel includes a routing daemon, so by default all subnets behind the remote endpoint of the Kerio VPN tunnel are visible automatically. For the IPsec tunnel, you must add all routes manually.
The steps below use the scenario illustrated in the following diagram:
Subnets linked by VPN tunnels
Diagram nodes:
- The Control 1 server is connected with the FW 3 server via IPsec tunnel.
- The Control 1 server is connected with the Control 2 server via Kerio VPN Tunnel.
- The Control 1 server includes LAN 1 and VPN 1 networks.
- The Control 2 server includes LAN 2 and VPN 2 networks.
- The FW 3 server includes LAN 3 and VPN 3 networks.
Configuring the Kerio VPN tunnel
For the initial tunnel configuration between Control 1 and Control 2, see Configuring Kerio VPN Tunnel.
Kerio VPN shares all routes automatically, including the routes to the Kerio VPN networks (VPN 1 and VPN 2).
Be sure to verify that the tunnel works. For example, send a ping command from a computer connected to LAN 1 to a computer connected to LAN 2, and vice versa.
Also verify that users with VPN clients can ping all computers from LAN 1 and LAN 2.
Configuring the IPsec VPN tunnel
For the initial configuration of the IPsec VPN tunnel, see Configuring IPsec VPN tunnel. When adding remote networks to the Control 1 server, add LAN 3 and VPN 3.
Enabling IPsec VPN tunnel
NOTE
You must also add all Control 1 routes to the FW 3 settings.
Verify that the tunnel works. For example, send a ping command from a computer connected to LAN 1 to a computer connected to LAN 3, and vice versa.
Also verify that users with VPN clients can ping all computers from LAN 1 and LAN 3.
Configuring Kerio VPN + IPsec VPN interoperability
Both tunnels work separately at this point. The next step is to ensure that all users can communicate with each other using both tunnels:
- To ensure that the IPsec tunnel knows about LAN 2 and VPN 2, add LAN 2 and VPN 2 to the local networks of the Control 1 server.
- To ensure that LAN 3 and VPN 3 communicate with LAN 2 and VPN 2, configure the remote networks of the Control 2 server.
- To ensure that VPN 1 communicates with LAN 3 and VPN 3, add custom routes in the Kerio VPN server settings.
- On the FW 3 server, add LAN 1, LAN 2, VPN 1 and VPN 2 to remote networks.
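The following script is an added example, not part of the Kerio article and not Kerio Control code. It models the three gateways and the six subnets from the diagram above and checks, before and after the interoperability steps, which subnet pairs can reach each other through the tunnels. The forwarding rules are a deliberate simplification (assumptions, not Kerio's own logic): an IPsec tunnel carries a packet only if both sides' local/remote network lists agree on the source and destination, and the Kerio VPN tunnel advertises the peer's directly attached networks automatically while anything else needs a custom route. Step 3 above (custom routes pushed to VPN 1 clients by the Kerio VPN server) is not modelled; the other three steps are applied in `apply_interop_steps`.

```python
"""Reachability check for the two-tunnel scenario (added example; simplified model)."""
from itertools import permutations

# Directly attached networks of each gateway, taken from the article's diagram.
ATTACHED = {
    "Control 1": {"LAN 1", "VPN 1"},
    "Control 2": {"LAN 2", "VPN 2"},
    "FW 3": {"LAN 3", "VPN 3"},
}


def owner(net):
    """Gateway that has `net` directly attached."""
    return next(gw for gw, nets in ATTACHED.items() if net in nets)


class Topology:
    def __init__(self):
        # Kerio VPN tunnels: (gw, peer) -> custom routes configured on gw for that tunnel.
        self.kerio = {}
        # IPsec tunnels, one entry per side: (gw, peer) -> {"local": ..., "remote": ...}.
        self.ipsec = {}

    def kerio_tunnel(self, a, b):
        self.kerio[(a, b)] = set()
        self.kerio[(b, a)] = set()

    def ipsec_side(self, gw, peer, local, remote):
        self.ipsec[(gw, peer)] = {"local": set(local), "remote": set(remote)}

    def forwards(self, gw, peer, src, dst):
        """Can gw send a packet src -> dst into its tunnel towards peer? (assumed rules)"""
        if (gw, peer) in self.kerio:
            # Assumption: the routing daemon advertises the peer's attached networks;
            # any other destination must be added as a custom route on this side.
            return dst in ATTACHED[peer] or dst in self.kerio[(gw, peer)]
        if (gw, peer) in self.ipsec:
            # Assumption: both ends' local/remote lists must cover the traffic.
            mine = self.ipsec[(gw, peer)]
            theirs = self.ipsec.get((peer, gw), {"local": set(), "remote": set()})
            return (src in mine["local"] and dst in mine["remote"]
                    and src in theirs["remote"] and dst in theirs["local"])
        return False

    def path_ok(self, src, dst, gw=None, seen=frozenset()):
        """One-way check: walk from the owner of src towards the owner of dst."""
        gw = gw or owner(src)
        if gw == owner(dst):
            return True
        for a, b in list(self.kerio) + list(self.ipsec):
            if a == gw and b not in seen and self.forwards(gw, b, src, dst):
                if self.path_ok(src, dst, b, seen | {gw}):
                    return True
        return False

    def unreachable_pairs(self):
        """Ordered (src, dst) pairs that fail in either direction (replies matter too)."""
        nets = sorted(n for ns in ATTACHED.values() for n in ns)
        return [(s, d) for s, d in permutations(nets, 2)
                if not (self.path_ok(s, d) and self.path_ok(d, s))]


def initial_setup():
    """State after the two tunnels are configured separately (sections above)."""
    t = Topology()
    t.kerio_tunnel("Control 1", "Control 2")
    t.ipsec_side("Control 1", "FW 3", local={"LAN 1", "VPN 1"}, remote={"LAN 3", "VPN 3"})
    t.ipsec_side("FW 3", "Control 1", local={"LAN 3", "VPN 3"}, remote={"LAN 1", "VPN 1"})
    return t


def apply_interop_steps(t):
    """Steps 1, 2 and 4 of the interoperability list (step 3 is not modelled)."""
    t.ipsec[("Control 1", "FW 3")]["local"] |= {"LAN 2", "VPN 2"}            # step 1
    t.kerio[("Control 2", "Control 1")] |= {"LAN 3", "VPN 3"}                # step 2
    t.ipsec[("FW 3", "Control 1")]["remote"] |= {"LAN 1", "LAN 2", "VPN 1", "VPN 2"}  # step 4
    return t


if __name__ == "__main__":
    before = initial_setup()
    print("unreachable before interop steps:", before.unreachable_pairs())
    print("unreachable after interop steps:", apply_interop_steps(initial_setup()).unreachable_pairs())
```

Running the script lists the eight ordered pairs between the Control 2 networks and the FW 3 networks that fail before the interoperability steps, and an empty list afterwards. Leaving out step 4 alone (the FW 3 remote networks) keeps those pairs unreachable, which illustrates why the NOTE above insists on mirroring the routes on FW 3.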