1 reply

emnoc
New Member
September 26, 2016

Just set up a static route-based VPN like that to a Cisco ASA

1: set the proposal for what you want (no multiple proposals)

2: set the subnet-type (LOCAL/REMOTE need to match the far-end REMOTE/LOCAL)

3: don't expect a lot for support (Most of the Kerio engineers I meet are fools about IPSEC and the product). Sad but 100% true.

;(

Here's what I configured after battling Kerio for over 5 days for a simple, or what should HAVE been a simple, VPN:

config vpn ipsec phase1-interface
    edit "POLKCWIKS"
        set interface "port1"
        set keylife 28800
        set proposal aes128-md5
        set negotiate-timeout 600
        set comments " ******blah--blah****** "
        set npu-offload disable
        set localid "SHAREDKEYID between FGT+KERIO"
        set localid-type keyid
        set dhgrp 5
        set remote-gw x.x.x.x
        set psksecret "mystrongpskshared between the 2"
    next
end

config vpn ipsec phase2-interface
    edit "POLPH2-1"
        set phase1name "POLKCWIKS"
        set proposal aes128-md5
        set dhgrp 5
        set comments "DST SERVERS SUBNET POLICE fl#4"
        set src-subnet 10.94.22.0 255.255.255.255
        set dst-subnet 10.12.1.0 255.255.255.0
    next
end

The keyid type of keystring and set-id in the Kerio VPN setup has to match. If you re-set the key-id, flush the phase1 on both appliances. On the Kerio side just disable the VPN tunnel and re-enable after 1 min or so.

 

Good luck.

Ken
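
The two matching rules in the reply above (a single proposal, and local/remote subnets mirrored on the far end) can be checked mechanically before the tunnel is brought up. This is an added example, not part of the original post: `parse`, `check` and the `PEER` values are hypothetical, and the config text is a trimmed copy of the posted settings.

```python
import ipaddress
import re

# Constructed sample: proposal, DH group and selectors as posted above.
FGT_CONFIG = """
config vpn ipsec phase1-interface
    edit "POLKCWIKS"
        set proposal aes128-md5
        set dhgrp 5
    next
end
config vpn ipsec phase2-interface
    edit "POLPH2-1"
        set proposal aes128-md5
        set dhgrp 5
        set src-subnet 10.94.22.0 255.255.255.255
        set dst-subnet 10.12.1.0 255.255.255.0
    next
end
"""
# Hypothetical far-end values, typed in by hand from the peer's VPN settings.
PEER = {"proposal": "aes128-md5", "dhgrp": "5",
        "local": "10.12.1.0/24", "remote": "10.94.22.0/32"}

def parse(text):
    """Map (section, edit name) -> {setting: [values]} for FortiOS-style text."""
    out, section, entry = {}, None, None
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        head = tok[0] if tok else ""
        if head == "config":
            section = tok[-1]
        elif head == "edit":
            entry = out.setdefault((section, tok[1]), {})
        elif head == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return out

def check(text, peer):
    problems = []
    for (section, name), cfg in parse(text).items():
        for key in ("proposal", "dhgrp"):  # one value each, equal to the peer's
            if cfg.get(key) != [peer[key]]:
                problems.append(f"{name}: {key} {cfg.get(key)} != peer {peer[key]}")
        if section == "phase2-interface":  # local src = peer remote, and vice versa
            for mine, theirs in (("src-subnet", "remote"), ("dst-subnet", "local")):
                got = ipaddress.ip_network("/".join(cfg[mine]))
                if got != ipaddress.ip_network(peer[theirs]):
                    problems.append(f"{name}: {mine} {got} != peer {theirs}")
    return problems
```

`check(FGT_CONFIG, PEER)` returns an empty list when both ends agree; each string in a non-empty result names the phase1 or phase2 entry and the setting that differs.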