Connecting NG Firewall to Kerio Control via IPsec VPN

Overview

You can enable secure VPN connectivity between a Kerio Control protected network and a network protected by NG Firewall. This type of configuration uses IPsec VPN tunneling.

Setting the inbound network policy

To enable VPN tunneling, the firewall policy for each gateway must permit IPsec traffic.

NG Firewall

For NG Firewall, the default configuration permits incoming IPsec traffic. You can confirm these settings in Config > Network > Advanced > Access Rules.

Kerio Control

To permit incoming IPsec traffic in Kerio Control, go to Configuration > Traffic Rules and enable the default rule named VPN Services.

Configuring the VPN server

NG Firewall

To enable and configure the IPsec VPN server in NG Firewall:

1. In the administration, go to Apps.
2. If the IPsec VPN app does not appear, click Install Apps and select IPsec VPN.
3. Return to Apps and click IPsec VPN to configure the VPN server.
4. In the VPN Config tab, click Enable L2TP/Xauth/IKEv2 Server.
5. Set a value for the IPsec Secret. The IPsec Secret is a password, so it should be complex.
6. For all other values, use the defaults or assign custom parameters as needed.

Kerio Control

To enable and configure the IPsec VPN server in Kerio Control:

1. In the administration, go to Configuration > Interfaces.
2. Edit the VPN server interface.
3. Verify that the IPsec VPN server is enabled.
4. In the IPsec VPN tab, click Use preshared key and enter a password.
5. Click Ok, then Apply.

Creating the VPN tunnel

The IPsec tunnel between both firewall appliances must negotiate the following parameters:

• IPsec secret / Preshared key - A common password assigned to the VPN server
• Local ID - An identifier for the local VPN gateway
• Remote ID - An identifier for the remote VPN gateway
• Remote network - The IP subnet(s) behind the remote VPN gateway
• Local network - The IP subnet(s) behind the local VPN gateway

NG Firewall

To configure VPN tunnel parameters in NG Firewall:

1. Go to the IPsec Tunnel tab in the IPsec VPN app.
2. Click Add.
3. Set a Description for the VPN tunnel.
4. For IKE Version, choose IKEv1.
5. In Remote host, enter the IP address or hostname of the Kerio Control gateway.
6. In Local Identifier, set an easy to remember value (e.g. untangle).
7. In Remote Identifier, set an easy to remember value (e.g. kerio).
8. In Remote network, enter the IP subnet of the network behind the Kerio Control gateway.
9. In Shared Secret, enter the password you set as the preshared key in Kerio Control.
10. Enable Manual Configuration for both Phase 1 and Phase 2.
11. Assign the Encryption as AES128 and the Hash as SHA-1 for both phases to match the corresponding cipher values in Kerio Control.
    
12. Click Done, then Save.

Kerio Control

To configure VPN tunnel parameters in Kerio Control:

1. Go to Configuration > Interfaces.
2. Click Add > VPN Tunnel.
3. Set a Name for the VPN tunnel.
4. Confirm the Type is set to IPsec.
5. Confirm the tunnel is enabled and choose Active.
6. Beneath Active, enter the IP address or hostname of the NG Firewall VPN gateway.
7. In the Authentication tab, choose Preshared key and enter the password you set as the IPsec Secret in NG Firewall.
8. In Local ID, enter the value you set as the Remote Identifier in the corresponding VPN tunnel in NG Firewall.
9. In Remote ID, enter the value you set as the Local Identifier in the corresponding VPN tunnel in NG Firewall.
10. In the Remote Networks tab, click Add and enter the IP subnet of the network behind NG Firewall.
11. Click Ok, then Apply.

Monitoring the VPN tunnel status

After configuring the VPN tunnel, each gateway attempts to connect immediately. In NG Firewall, the VPN connection status appears on the Status tab of the IPsec VPN app.

The VPN connection status in Kerio Control appears in the Interfaces screen.