- Kerio WinRoute Firewall Administrator's Guide

21.3 Interconnection of two private networks via the Internet (VPN tunnel)

307

the tunnel).

• Passive — this end of the tunnel will only listen for an incoming connection from

the remote (active) side.

The passive mode is only useful when the local end of the tunnel has a ﬁxed IP

address and when it is allowed to accept incoming connections.

At least one end of each VPN tunnel must be switched to the active mode (passive

servers cannot initialize connection).

Conﬁguration of a remote end of the tunnel

When a VPN tunnel is being created, identity of the remote endpoint is authenti-

cated through the ﬁngerprint of its SSL certiﬁcate. If the ﬁngerprint does not match

with the ﬁngerprint speciﬁed in the conﬁguration of the tunnel, the connection will

be rejected.

The ﬁngerprint of the local certiﬁcate and the entry for speciﬁcation of the remote

ﬁngerprint are provided in the Settings for remote endpoint section. Specify the

ﬁngerprint for the remote VPN server certiﬁcate and vice versa — specify the ﬁn-

gerprint of the local server in the conﬁguration at the remote server.

Figure 21.8 VPN tunnel — certiﬁcate ﬁngerprints

If the local endpoint is set to the active mode, the certiﬁcate of the remote endpoint

and its ﬁngerprint can be downloaded by clicking Detect remote certiﬁcate. Passive

endpoint cannot detect remote certiﬁcate.

However, this method of ﬁngerprint setting is quite insecure —a counterfeit certiﬁ-

cate might be used. If a ﬁngerprint of a false certiﬁcate is used for the conﬁguration

of the VPN tunnel, it is possible to create a tunnel for the false endpoint (for the

attacker). Moreover, a valid certiﬁcate would not be accepted from the other side.

Therefore, for security reasons, it is recommended to set ﬁngerprints manually.