Always On VPN IKEv2 Load Balancing with KEMP LoadMaster

Always On VPN IKEv2 Load Balancing with KEMP LoadMasterIKEv2 is an IPsec-based VPN protocol with configurable security parameters that allows administrators to ensure the highest level of security for Windows 10 Always On VPN clients. It is the protocol of choice for deployments that require the best possible protection for communication between remote clients and the VPN server. IKEv2 has some unique requirements when it comes to load balancing, however. Because it uses UDP on multiple ports, configuring the load balancer requires some additional steps for proper operation. This article demonstrates how to enable IKEv2 load balancing using the KEMP LoadMaster load balancer.

IKEv2 and NAT

IKEv2 VPN security associations (SAs) begin with a connection to the VPN server that uses UDP port 500. During this initial exchange, if it is determined that the client, server, or both are behind a device performing Network Address Translation (NAT), the connection switches to UDP port 4500 and the connection establishment process continues.

IKEv2 Load Balancing Challenges

Since UDP is connectionless, there’s no guarantee that when the conversation switches from UDP 500 to UDP 4500 that the load balancer will forward the request to the same VPN server on the back end. If the load balancer forwards the UDP 500 session from a VPN client to one real server, then forwards the UDP 4500 session to a different VPN server, the connection will fail. The load balancer must be configured to ensure that both UDP 500 and 4500 from the same VPN client are always forwarded to the same real server to ensure proper operation.

Port Following

To meet this unique requirement for IKEv2 load balancing, it is necessary to use a feature on the KEMP LoadMaster load balancer called “port following”. Enabling this feature will ensure that a VPN client using IKEv2 will always have their UDP 500 and 4500 sessions forwarded to the same real server.

Load Balancing IKEv2

Open the web-based management console and perform the following steps to enable load balancing of IKEv2 traffic on the KEMP LoadMaster load balancer.

Create the Virtual Server

  1. Expand Virtual Services.
  2. Click Add New.
  3. Enter the IP address to be used by the virtual server in the Virtual Address field.
  4. Enter 500 in the Port field.
  5. Select UDP from the Protocol drop-down list.
  6. Click Add this Virtual Service.

Always On VPN IKEv2 Load Balancing with KEMP LoadMaster

Add Real Servers

  1. Expand Real Servers.
  2. Click Add New.
  3. Enter the IP address of the VPN server in the Real Server Address field.
  4. Click Add This Real Server.
  5. Repeat the steps above for each VPN server in the cluster.

Always On VPN IKEv2 Load Balancing with KEMP LoadMaster

Repeat all the steps above to create another virtual server using UDP port 4500.

Always On VPN IKEv2 Load Balancing with KEMP LoadMaster

Enable Layer 7 Operation

  1. Click View/Modify Services below Virtual Services in the navigation tree.
  2. Select the first virtual server and click Modify.
  3. Expand Standard Options.
  4. Uncheck Force L4.
  5. Select Source IP Address from the Persistence Options drop-down list.
  6. Choose an appropriate value from the Timeout drop-down list.
  7. Choose an appropriate setting from the Scheduling Method drop-down list.
  8. Click Back.
  9. Repeat these steps on the second virtual server.

Always On VPN IKEv2 Load Balancing with KEMP LoadMaster

Enable Port Following

  1. Click View/Modify Services below Virtual Services in the navigation tree.
  2. Select the first virtual server and click Modify.
  3. Expand Advanced Properties.
  4. Select the virtual server using UDP 500 from the Port Following drop-down list.
  5. Click Back.
  6. Repeat these steps on the second virtual server.

Always On VPN IKEv2 Load Balancing with KEMP LoadMaster

Demonstration Video

The following video demonstrates how to enable IKEv2 load balancing for Windows 10 Always On VPN using the KEMP LoadMaster Load Balancer.

Summary

With the KEMP LoadMaster load balancer configured to use port following, Windows 10 Always On VPN clients using IKEv2 will be assured that their connections will always be delivered to the same back end VPN server, resulting in reliable load balancing for IKEv2 connections.

Additional Information

Windows 10 Always On VPN Certificate Requirements for IKEv2

Windows 10 Always On VPN Protocol Recommendations for Windows Server RRAS

Leave a comment

19 Comments

  1. Dhana

     /  September 24, 2019

    Great post, really helps. A quick question – in this guidance, the VPN servers may not see the actual client IP address. Is this the best approach, or can we configure the LBs without replacing the actual client IPs?

    Reply
    • Great observation. Indeed, in this case the load balancer appears as the source IP address to the VPN server, which might be problematic. You can always disable Subnet Originating Reqeusts and enable Transparency on the LoadMaster, which will result in the real IP address being presented as the source IP address to the VPN server. You just need to be mindful of routing and firewall configuration to ensure traffic is handled correctly in this scenario.

      Reply
  2. Matthew Rawles

     /  November 3, 2019

    Hi Richard,

    (i’ve also commented under you BIG-IP Load balancing section)

    I’ve been testing a KEMP Loadmaster with always-on over the last few days and i’m seeing some 809 errors after the Loadmaster has had clients connecting sucessfully for a few days.

    When I orginally reached out I thought the errors were down to the number of IKE ports the real servers had, but they now have 1000s so thats not the issue.

    I’ve been testing with 40 virtual clients and a couple of real users, the virtual clients i’ve moved about (changing the source IP and therefore the real server they get directed to). For 2 days had no issues, managed to load up the clients with a file copy to push 800Mbps through them collectively (something that crashed our orginal Jet Nexus load balancer).

    Then this evening I was unable to connect one of the test laptops with IKE (user was ok). Rebootind the real servers didnt resolve this, rebooting the Load Master fixed it immedaitely.

    The Load Master is configured single-arm, with it’s interface in the same VLAN as the external interfaces of the RRAS servers.

    I’ll go back to Kemp tomorrow, see if they have any ideas, they already made me downgrade to version 7.2.45.2 as the current version 7.2.48 wouldnt allow any UDP VPNs to work!

    I would go back and try the BIG-IP from F5 but that is so poorly documented online, there is no step by step guide to the working always-on setup I can find.

    Regards

    Matthew Rawles

    Reply
    • Yes, I’ve found that the latest LMOS release is causing problems for IKEv2 connections. I’ve made Kemp aware of the issue, so hopefully they’ll be addressing soon!

      Reply
  3. Julien Potier

     /  November 14, 2019

    Hi Richard. Thanks for your article. I spoke to you about a year ago when i was deploying OAVPN for a customer i look after. Back then i was trying to bring some resilience into the design which AOVPN fundamentally lacks. I can’t remember if i tried Kemp but i know i tried a couple of solutions and each time the encrypted throughput when proxied was disappointing. At best i’d get 30-40Mbps max from a single connection whereas i got several hundred Mbps when targeting the server directly. Have you tried doing some throughput test with Kemp ?

    Reply
    • I’ve done some basic performance testing for the Kemp and F5 load balancers and never really noticed a significant drop off in performance. No question any load balancer (the Kemp and F5 included) do impede throughput a little bit, not not substantially in my limited testing. The most impactful in terms of performance is firewalls. Depending on which security features are enabled I’ve seen dramatic reduction in performance.

      Reply
    • Matthew Rawles

       /  November 14, 2019

      Hi Julien,

      I have been testing a KEMP loadmaster this last few weeks and have had the loadmaster up to 800Mbps using multiple clients running looping file copy tasks (the clients are all located in a test virtual environment with >1gb ethernet access to the loadmaster). This was only IKE device VPNs which do seem to perform better.

      It is worth talking to KEMP , they have a number of tweaks to the loadmaster even after you use the template to create the VS (we for example have the IP persistence timeout set to a very large value, currently 8 hours, considering making that 24 hours as we get occasional issues with persistence on test clients).

      Its better to have a more realistic load with multiple clients than one massive client.

      Regards

      Matthew

      Reply
  4. RKast

     /  November 21, 2019

    Hi sir,
    Can we use Windows NLB on 2 RRAS servers in a cluster in Multicast for always on vpn nlb ? What are recommedations for windows nlb and affinity, single ? I have set this up and if i initiate a vpn and get connected to RAS1 then disconnect then turn of RAS1 and initiate VPN again i cannot connect, any idea? I have set udp 500 4500 and 443 in nlb ports am i missing ports?
    Thanks for your reply.

    Reply
    • I don’t have much experience with NLB, so I don’t have a lot of guidance to offer you unfortunately. I would suggest that you use Unicast mode unless you have a very specific reason to use Multicast (for example you’re running in VMware). Other than that, I would think single affinity should work.

      Reply
  1. Always On VPN IKEv2 Security Configuration | Richard M. Hicks Consulting, Inc.
  2. Always On VPN IKEv2 Connection Failure Error Code 800 | Richard M. Hicks Consulting, Inc.
  3. Always On VPN IKEv2 and SSTP Fallback | Richard M. Hicks Consulting, Inc.
  4. Always On VPN and Network Policy Server (NPS) Load Balancing | Richard M. Hicks Consulting, Inc.
  5. Always On VPN IKEv2 Load Balancing with F5 BIG-IP | Richard M. Hicks Consulting, Inc.
  6. Always On VPN IKEv2 Features and Limitations | Richard M. Hicks Consulting, Inc.
  7. Always On VPN Load Balancing Deployment Guide for Kemp Load Balancers | Richard M. Hicks Consulting, Inc.
  8. Always On VPN Load Balancing with Kemp in Azure | Richard M. Hicks Consulting, Inc.
  9. Always On VPN IKEv2 Load Balancing Issue with Kemp LoadMaster | Richard M. Hicks Consulting, Inc.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: