Chapter 21 Kerio VPN
sions, custom routes are used as prior. This option easily solves the problem where a remote endpoint provides one or more invalid route(s).
•Custom routes only — all routes to remote networks must be set manually at the local endpoint of the tunnel. This alternative eliminates adding of invalid routes provided by a remote endpoint to the local routing table. However, it is quite demanding from the administrator’s point of view (any change in the remote network’s configuration requires modification of custom routes).
Routes provided automatically
Unless any custom routes are defined, the following rules apply to the interchange of routing information:
•default routes as well as routes to networks with default gateways are not exchanged (default gateway cannot be changed for remote VPN clients and/or for remote end- points of a tunnel),
•routes to subnets which are identical for both sides of a tunnel are not exchanged (routing of local and remote networks with identical IP ranges is not allowed).
•other routes (i.e. routes to local subnets at remote ends of VPN tunnels excluding the cases described above, all other VPN and all VPN clients) are exchanged.
Note: As implied from the description provided above, if two VPN tunnels are created, communication between these two networks is possible. The traffic rules can be con- figured so that connection to the local network will be disabled for both these remote networks.
Update of routing tables
Routing information is exchanged:
•when a VPN tunnel is connected or when a VPN client is connected to the server,
•when information in a routing table at any side of the tunnel (or at the VPN server) is changed,
•periodically, once per 30 secs (VPN tunnel) or once per 1 min (VPN client). The timeout starts upon each update (regardless of the update reason).
