How can we improve Kerio Control?

IPSEC detailed configuration

Option to enter all possible connection details for IPsec tunnels, like AH instead of ESP, etc., at least manually via winroute.cfg, so anybody can fine-tune connection parameters if required for 3rd party HW/SW.

17 votes
Radek Štrébl shared this idea

3 comments

  • Luciano Morales commented

    Hi Again!

    I'm trying to set up an L2L VPN tunnel with Google Cloud, and because Kerio Control does not support parameter config from the GUI, I'm forced to set it up from the Kerio Control shell. This means that I have to restart the Kerio Control service, and it also means that the configuration must be done outside office hours.

    We need more control for VPN parameters, maybe in an "advanced settings" tab.

    I cannot tell Google Cloud or vCloud Air cloud that they must adapt to my Kerio Control settings; Kerio Control must be adaptable to any situation.

    I have 5 Kerio Control virtual appliances and I have this problem in all of them!

    This is a MUST feature that we need ASAP!

    BTW: I wasted a support case with this, the "automatic" option does not work!:

    [05/Oct/2016 12:14:31] {charon} charon: 16[CFG] selecting proposal:
    [05/Oct/2016 12:14:31] {charon} charon: 16[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
    [05/Oct/2016 12:14:31] {charon} charon: 16[CFG] selecting proposal:
    [05/Oct/2016 12:14:31] {charon} charon: 16[CFG] no acceptable ENCRYPTION_ALGORITHM found
    [05/Oct/2016 12:14:31] {charon} charon: 16[CFG] selecting proposal:
    [05/Oct/2016 12:14:31] {charon} charon: 16[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
    [05/Oct/2016 12:14:31] {charon} charon: 16[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
    [05/Oct/2016 12:14:31] {charon} charon: 16[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
    [05/Oct/2016 12:14:31] {charon} charon: 16[IKE] received 10800s lifetime, configured 3600s
    [05/Oct/2016 12:14:31] {charon} charon: 16[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
    [05/Oct/2016 12:14:31] {charon} charon: 16[ENC] generating INFORMATIONAL_V1 request 3394521165 [ HASH N(NO_PROP) ]
    [05/Oct/2016 12:14:31] {charon} charon: 16[NET] sending packet: from 200.69.225.125[500] to 104.154.69.15[500] (76 bytes)
    [05/Oct/2016 12:14:32] {charon} charon: 08[NET] received packet: from 104.154.69.15[500] to 200.69.225.125[500] (316 bytes)
    [05/Oct/2016 12:14:32] {charon} charon: 08[ENC] parsed QUICK_MODE request 3855708976 [ HASH SA No KE ID ID ]
    [05/Oct/2016 12:14:32] {charon} charon: 08[CFG] looking for a child config for 10.8.0.0/24 === 192.168.81.0/24
    [05/Oct/2016 12:14:32] {charon} charon: 08[CFG] proposing traffic selectors for us:

  • Ken Snyder commented

    I believe, at the moment, any advanced configuration requires SSH access along with manual edits to winroute.cfg. Also requires a command line (manual) stop/restart of Control. I don't know for sure if there's a command line method for stopping/starting just the VPN interface.

    Having these advanced configuration settings in the Web UI would allow for better interoperability with devices/brands that some would consider to be "industry standard". It would also leverage existing Web UI functionality that allows an administrator to tick the "enable" box in order to start/stop the VPN interface.
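
Added example, not part of the original thread and not Kerio or strongSwan code: a small Python diagnostic that reads the "received proposals" and "configured proposals" lines from the charon log in Luciano Morales's comment and reports, for each configured proposal, the first transform type that has no algorithm in common with the peer's offer. The prefix-based classification of transform names and the order of the checks are simplifying assumptions of this sketch.

```python
import re

# Sample input: the two proposal lines from the charon log quoted in the thread.
LOG = """\
[05/Oct/2016 12:14:31] {charon} charon: 16[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
[05/Oct/2016 12:14:31] {charon} charon: 16[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
"""

# Transform types, in the order this sketch checks them (an assumption).
TYPES = ("ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM",
         "DIFFIE_HELLMAN_GROUP", "EXTENDED_SEQUENCE_NUMBERS")

def transform_type(name):
    """Classify a transform keyword by its name prefix (simplified)."""
    if name in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "EXTENDED_SEQUENCE_NUMBERS"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DIFFIE_HELLMAN_GROUP"
    if name.startswith(("HMAC_", "AES_XCBC_", "AES_CMAC_")):
        return "INTEGRITY_ALGORITHM"
    return "ENCRYPTION_ALGORITHM"

def parse_proposals(log, side):
    """Return [{type: set(transforms)}, ...] for side 'received' or 'configured'."""
    m = re.search(rf"{side} proposals: (.+)", log)
    out = []
    for prop in (m.group(1).split(", ") if m else []):
        by_type = {t: set() for t in TYPES}
        for name in prop.split(":", 1)[1].split("/"):  # drop the "ESP:" prefix
            by_type[transform_type(name)].add(name)
        out.append(by_type)
    return out

def first_mismatch(received, configured):
    """First transform type with no common algorithm, or None if compatible."""
    for t in TYPES:
        if (received[t] or configured[t]) and not (received[t] & configured[t]):
            return t
    return None

def diagnose(log):
    """Per received proposal: the failing type for each configured proposal."""
    cfg = parse_proposals(log, "configured")
    return [[first_mismatch(r, c) for c in cfg] for r in parse_proposals(log, "received")]

if __name__ == "__main__":
    print(diagnose(LOG))
```

On the log from the thread this reports DIFFIE_HELLMAN_GROUP, ENCRYPTION_ALGORITHM, DIFFIE_HELLMAN_GROUP, the same sequence as the "no acceptable ... found" lines: the peer's ESP proposal carries MODP_1024 and none of the three configured proposals lists a DH group.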
