Kerio Tech Firewall6 Network Router User Manual

Chapter 21 Kerio VPN
Note: Each installation of WinRoute requires a separate license for the corresponding
number of users. For details, see chapter 4.
2. Configure and test the connection of the local network to the Internet. Hosts in the local
network must use the WinRoute host's IP address as their default gateway and as their
primary DNS server.
If this is a new (clean) WinRoute installation, the traffic rule wizard can be used
(refer to chapter 6.1).
For a detailed description of the basic configuration of WinRoute and of the local network,
refer to the Kerio WinRoute Firewall Step By Step document.
3. In the DNS Forwarder configuration, set DNS forwarding rules for the domains of the
other filials. This makes it possible to reach hosts in the remote networks by their DNS
names (otherwise, remote hosts must be addressed by IP address).
For DNS requests originating on the WinRoute host itself to be forwarded correctly, the IP
address of one of the host's own network interfaces must be used as its primary DNS
server. In the DNS Forwarder configuration, at least one DNS server must be specified
to which DNS queries for all other domains are forwarded (typically the DNS server of the ISP).
Note: For DNS to work properly, the DNS database must include records for the
hosts in the corresponding local network. To achieve this, save the DNS names and IP
addresses of local hosts in the hosts file (if they use static IP addresses) or enable
cooperation of the DNS Forwarder with the DHCP server (if IP addresses are
assigned dynamically to these hosts). For details, see chapter 5.3.
4. In the Interfaces section, enable the VPN server and set its SSL certificate if necessary.
Note the fingerprint of the server's certificate for later use (it will be required when
configuring the VPN tunnels in the other filials).
Check that the automatically selected VPN subnet does not collide with any local
subnet in any filial, and select another free subnet if necessary.
Note: Given the complexity of this VPN configuration, it is recommended
to reserve three free subnets in advance that can later be assigned to the individual VPN
servers.
5. Define the VPN tunnel to one of the remote networks. The passive endpoint of the
tunnel must be created on a server with a fixed public IP address. Only active endpoints
of VPN tunnels can be created on servers with a dynamic IP address.
Set routing (define custom routes) for the tunnel. Select the Use custom routes only
option and specify all subnets of the remote network in the custom routes list.
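The subnet checks in steps 4 and 5 (no VPN subnet may overlap any LAN subnet in any filial, and three free subnets should be reserved up front) are easy to get wrong by hand once several sites are involved. The following script is an added example, not part of the manual or of WinRoute; the site names and subnets in it are constructed sample data.

```python
import ipaddress
from itertools import combinations

# Constructed sample data (not from the manual): LAN subnets of the
# headquarters and two filials, plus the VPN subnet each WinRoute
# server selected automatically.
LOCAL_SUBNETS = {
    "headquarters": ["192.168.1.0/24", "192.168.10.0/24"],
    "filial1": ["192.168.2.0/24"],
    "filial2": ["192.168.3.0/24", "10.1.0.0/16"],
}
PROPOSED_VPN_SUBNETS = {
    "headquarters": "192.168.1.0/24",   # collides with its own LAN
    "filial1": "10.1.5.0/24",           # collides with filial2's LAN
    "filial2": "192.168.44.0/24",       # free
}

def find_collisions(vpn_subnets, local_subnets):
    """Return (site, vpn_subnet, other_site, conflicting_subnet) for every overlap."""
    hits = []
    for site, vpn in vpn_subnets.items():
        vpn_net = ipaddress.ip_network(vpn)
        for other, nets in local_subnets.items():
            for lan in nets:
                if vpn_net.overlaps(ipaddress.ip_network(lan)):
                    hits.append((site, vpn, other, lan))
    # The VPN subnets of the individual servers must also be disjoint from each other.
    for (a, va), (b, vb) in combinations(vpn_subnets.items(), 2):
        if ipaddress.ip_network(va).overlaps(ipaddress.ip_network(vb)):
            hits.append((a, va, b, vb))
    return hits

def reserve_free_subnets(local_subnets, count=3, pool="192.168.0.0/16", prefix=24):
    """Pick `count` subnets of the given prefix length from `pool` that overlap
    no LAN subnet of any site; these can later be assigned to the VPN servers."""
    used = [ipaddress.ip_network(n) for nets in local_subnets.values() for n in nets]
    free = []
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(cand.overlaps(u) for u in used):
            free.append(str(cand))
            if len(free) == count:
                break
    return free

if __name__ == "__main__":
    for site, vpn, other, lan in find_collisions(PROPOSED_VPN_SUBNETS, LOCAL_SUBNETS):
        print(f"{site}: VPN subnet {vpn} collides with {lan} ({other})")
    print("free subnets to reserve:", reserve_free_subnets(LOCAL_SUBNETS))
```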