How can we improve Kerio Control?

(more) VPN Parameter changeable via WebGui

Most of our customers are using VPN connections with "their customers" or home office workers (both LAN-LAN, mostly with CISCO and AVM FritzBox receivers).

Nearly each VPN connection must be manually edited via changing parameters in winroute.cfg (primarily "ike lifetime" / "dpdaction")

So my wishful thinking:
Make those (or more) VPN parameters changeable via the WebGUI (and thereby changeable without stopping/starting winroute).

77 votes
Uwe Kortkamp shared this idea

11 comments

  • Andreas Körber commented

    Looks like Kerio is adding changeable IPSec values in the GUI with version 9.2.
    There is a beta version available.
    However I have a few suggestions to improve the GUI IPSec values:
    - DH Groups drop down: Please show DH Group in every line like "DH Group 2 (modp1024)"
    - Please make lifetimes in Phase 1 and Phase 2 changeable
    - Please add a possibility to change dead peer detection to on and off

  • Luciano Morales commented

    Hi Again!

    I'm trying to set up an L2L VPN tunnel with Google Cloud, and because Kerio Control does not support parameter config from the GUI I'm forced to set it up from the Kerio Control shell. This means that I have to restart the Kerio Control service, and it also means that the configuration must be done outside office hours.

    We need more control for VPN parameters, maybe in an "advanced settings" tab.

    I cannot tell Google Cloud or vCloud Air cloud that they must adapt to my Kerio Control settings; Kerio Control must be adaptable to any situation.

    I have 5 Kerio Control virtual appliances and I have this problem in all of them!

    This is a MUST feature that we need ASAP!

    BTW: I wasted a support case with this, the "automatic" option does not work!:

    [05/Oct/2016 12:14:31] {charon} charon: 16[CFG] selecting proposal:
    [05/Oct/2016 12:14:31] {charon} charon: 16[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
    [05/Oct/2016 12:14:31] {charon} charon: 16[CFG] selecting proposal:
    [05/Oct/2016 12:14:31] {charon} charon: 16[CFG] no acceptable ENCRYPTION_ALGORITHM found
    [05/Oct/2016 12:14:31] {charon} charon: 16[CFG] selecting proposal:
    [05/Oct/2016 12:14:31] {charon} charon: 16[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
    [05/Oct/2016 12:14:31] {charon} charon: 16[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
    [05/Oct/2016 12:14:31] {charon} charon: 16[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
    [05/Oct/2016 12:14:31] {charon} charon: 16[IKE] received 10800s lifetime, configured 3600s
    [05/Oct/2016 12:14:31] {charon} charon: 16[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
    [05/Oct/2016 12:14:31] {charon} charon: 16[ENC] generating INFORMATIONAL_V1 request 3394521165 [ HASH N(NO_PROP) ]
    [05/Oct/2016 12:14:31] {charon} charon: 16[NET] sending packet: from 200.69.225.125[500] to 104.154.69.15[500] (76 bytes)
    [05/Oct/2016 12:14:32] {charon} charon: 08[NET] received packet: from 104.154.69.15[500] to 200.69.225.125[500] (316 bytes)
    [05/Oct/2016 12:14:32] {charon} charon: 08[ENC] parsed QUICK_MODE request 3855708976 [ HASH SA No KE ID ID ]
    [05/Oct/2016 12:14:32] {charon} charon: 08[CFG] looking for a child config for 10.8.0.0/24 === 192.168.81.0/24
    [05/Oct/2016 12:14:32] {charon} charon: 08[CFG] proposing traffic selectors for us:
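
As an added example (not part of the thread, and not Kerio or strongSwan code): the Python sketch below reads the proposal lines from the log quoted in the comment above and reports, for each configured proposal, the first transform type that has nothing in common with the peer's offer. The name-based classification in `kind()` and the matching rule in `first_mismatch()` are simplifying assumptions.

```python
import re

# Lines quoted from the log in the comment above (timestamps trimmed).
LOG = """\
16[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
16[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
16[IKE] received 10800s lifetime, configured 3600s
"""

ORDER = ["ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM",
         "DIFFIE_HELLMAN_GROUP", "EXTENDED_SEQUENCE_NUMBERS"]

def kind(transform):
    # Assumption: classify by name; sufficient for the transforms in this log.
    if transform.startswith(("MODP_", "ECP_")):
        return "DIFFIE_HELLMAN_GROUP"
    if transform.endswith("EXT_SEQ"):
        return "EXTENDED_SEQUENCE_NUMBERS"
    if transform.startswith("HMAC_") or "XCBC" in transform:
        return "INTEGRITY_ALGORITHM"
    return "ENCRYPTION_ALGORITHM"

def parse(proposal):
    # "ESP:A/B/C" -> {transform type: set of transforms}
    by_kind = {k: set() for k in ORDER}
    for t in proposal.split(":", 1)[1].split("/"):
        by_kind[kind(t)].add(t)
    return by_kind

def first_mismatch(received, configured):
    # Simplified model: each type used by either side needs a shared value,
    # so a DH group offered by only one side (PFS on/off) is a mismatch.
    for k in ORDER:
        if (received[k] or configured[k]) and not (received[k] & configured[k]):
            return k
    return None

def diagnose(log):
    received = parse(re.search(r"received proposals: (\S+)", log).group(1))
    configured = re.search(r"configured proposals: (.+)", log).group(1).split(", ")
    verdicts = [(c, first_mismatch(received, parse(c))) for c in configured]
    life = re.search(r"received (\d+)s lifetime, configured (\d+)s", log)
    return verdicts, (int(life.group(1)), int(life.group(2)))

if __name__ == "__main__":
    verdicts, (peer_life, local_life) = diagnose(LOG)
    for proposal, missing in verdicts:
        print(f"{missing or 'match':26} {proposal}")
    print(f"lifetime: peer {peer_life}s, local {local_life}s")
```

The three verdicts line up with the three "no acceptable ..." lines in the quoted log: the peer's Phase 2 offer carries MODP_1024 while none of the locally configured ESP proposals carries a DH group.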

  • Gary McDonald commented

    Yes please. The default ciphers are very restrictive and changing the config manually isn't very nice!

  • Andreas Körber commented

    The cipher suites accepted, lifetime, etc. should be changeable via the web GUI. And please start to support PFS (Perfect Forward Secrecy).

  • Ken Snyder commented

    Having these advanced configuration settings in the Web UI would allow for better interoperability with devices/brands that some would consider to be "industry standard". The side-effect of that could be wider adoption of Kerio Control in the marketplace. It would also leverage existing Web UI functionality that allows an administrator to tick the "enable" box in order to start/stop the VPN interface.

  • Luciano Morales commented

    Need this too!
    I have many problems with L2L VPNs with CISCO ASA, plus if I have to change parameters on Kerio it must be done through the Linux shell, followed by a restart of the Kerio service.
