IKEv2 and NAT
IKEv2 VPN security associations (SAs) begin with a connection to the VPN server that uses UDP port 500. During this initial exchange, if it is determined that the client, server, or both are behind a device performing Network Address Translation (NAT), the connection switches to UDP port 4500 and the connection establishment process continues.
IKEv2 Load Balancing Challenges
Since UDP is connectionless, there’s no guarantee that when the conversation switches from UDP 500 to UDP 4500 the load balancer will forward the request to the same VPN server on the back end. If the load balancer forwards the UDP 500 session from a VPN client to one real server and then forwards the UDP 4500 session to a different VPN server, the connection will fail. The load balancer must be configured so that both UDP 500 and UDP 4500 traffic from the same VPN client is always forwarded to the same real server.
Port Following
To meet this unique requirement for IKEv2 load balancing, it is necessary to use a feature on the KEMP LoadMaster load balancer called “port following”. Enabling this feature will ensure that a VPN client using IKEv2 will always have their UDP 500 and 4500 sessions forwarded to the same real server.
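To make the failure mode concrete, the following simulation (an added example, not KEMP code or the LoadMaster's actual algorithm) models one IKEv2 client that starts on UDP 500 and, after NAT detection, continues on UDP 4500. A per-flow scheduler that hashes the ports can send the two flows to different real servers, while a source-IP persistence table shared by both virtual services, which is the effect port following gives, keeps them together. Server and client addresses are constructed.

```python
"""Why IKEv2 NAT-T breaks naive UDP load balancing (constructed simulation)."""
import hashlib
from dataclasses import dataclass, field

REAL_SERVERS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]  # constructed VPN servers


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_port: int  # 500 for IKE_SA_INIT, 4500 once NAT is detected


def per_flow_scheduler(flow: Flow, servers=REAL_SERVERS) -> str:
    """Hashing the full flow tuple: the port change alone re-selects a server."""
    key = f"{flow.src_ip}:{flow.src_port}->{flow.dst_port}".encode()
    return servers[int(hashlib.sha256(key).hexdigest(), 16) % len(servers)]


@dataclass
class PortFollowingBalancer:
    """Source-IP persistence shared by the UDP 500 and UDP 4500 virtual services."""
    servers: list = field(default_factory=lambda: list(REAL_SERVERS))
    table: dict = field(default_factory=dict)  # src_ip -> real server
    next_rr: int = 0

    def pick(self, flow: Flow) -> str:
        if flow.src_ip not in self.table:  # first packet from a client: round-robin
            self.table[flow.src_ip] = self.servers[self.next_rr % len(self.servers)]
            self.next_rr += 1
        return self.table[flow.src_ip]  # UDP 4500 follows the UDP 500 decision


def ikev2_session(client_ip: str, scheduler) -> tuple:
    """Return (server for UDP 500, server for UDP 4500) for one client behind NAT."""
    init = Flow(client_ip, 500, 500)  # IKE_SA_INIT before NAT detection
    auth = Flow(client_ip, 4500, 4500)  # remaining exchanges after the NAT-T switch
    return scheduler(init), scheduler(auth)


def sessions_split(client_ips, scheduler) -> int:
    """Count clients whose UDP 500 and 4500 flows reached different real servers."""
    return sum(a != b for a, b in (ikev2_session(ip, scheduler) for ip in client_ips))


if __name__ == "__main__":
    clients = [f"203.0.113.{i}" for i in range(1, 51)]  # constructed client addresses
    print("per-flow hashing, broken sessions:", sessions_split(clients, per_flow_scheduler))
    print("port following,   broken sessions:", sessions_split(clients, PortFollowingBalancer().pick))
```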
Load Balancing IKEv2
Open the web-based management console and perform the following steps to enable load balancing of IKEv2 traffic on the KEMP LoadMaster load balancer.
Create the Virtual Server
- Expand Virtual Services.
- Click Add New.
- Enter the IP address to be used by the virtual server in the Virtual Address field.
- Enter 500 in the Port field.
- Select UDP from the Protocol drop-down list.
- Click Add this Virtual Service.
Add Real Servers
- Expand Real Servers.
- Click Add New.
- Enter the IP address of the VPN server in the Real Server Address field.
- Click Add This Real Server.
- Repeat the steps above for each VPN server in the cluster.
Repeat all the steps above to create another virtual server using UDP port 4500.
Enable Layer 7 Operation
- Click View/Modify Services below Virtual Services in the navigation tree.
- Select the first virtual server and click Modify.
- Expand Standard Options.
- Uncheck Force L4.
- Check Transparency (additional configuration may be required – details here).
- Select Source IP Address from the Persistence Options drop-down list.
- Choose an appropriate value from the Timeout drop-down list.
- Choose an appropriate setting from the Scheduling Method drop-down list.
- Click Back.
- Repeat these steps on the second virtual server.
Enable Port Following
- Click View/Modify Services below Virtual Services in the navigation tree.
- Select the first virtual server and click Modify.
- Expand Advanced Properties.
- Select the virtual server using UDP 500 from the Port Following drop-down list.
- Click Back.
- Repeat these steps on the second virtual server.
Demonstration Video
The following video demonstrates how to enable IKEv2 load balancing for Windows 10 Always On VPN using the KEMP LoadMaster Load Balancer.
Summary
With the KEMP LoadMaster load balancer configured to use port following, Windows 10 Always On VPN clients using IKEv2 are assured that their connections will always be delivered to the same back-end VPN server, resulting in reliable load balancing for IKEv2 connections.
Additional Information
Windows 10 Always On VPN Certificate Requirements for IKEv2
Windows 10 Always On VPN Protocol Recommendations for Windows Server RRAS