Always On VPN IKEv2 Load Balancing with F5 BIG-IP

The Internet Key Exchange version 2 (IKEv2) is the protocol of choice for Always On VPN deployments where the highest level of security is required. Implementing Always On VPN at scale often requires multiple VPN servers to provide sufficient capacity and redundancy. Commonly an Application Delivery Controller (ADC) or load balancer is placed in front of the VPN servers to provide scalability and high availability for Always On VPN.

Load Balancing IKEv2

In a recent post I described some of the unique challenges load balancing IKEv2 poses, and I demonstrated how to configure the Kemp LoadMaster load balancer to properly load balance IKEv2 VPN connections. In this post I’ll outline how to configure IKEv2 VPN load balancing on the F5 BIG-IP load balancer.

Note: This article assumes the administrator is familiar with basic F5 BIG-IP load balancer configuration, such as creating nodes, pools, virtual servers, etc.

Initial Configuration

Follow the steps below to create a virtual server on the F5 BIG-IP to load balance IKEv2 VPN connections.

Pool Configuration

To begin, create two pools on the load balancer. The first pool will be configured to use UDP port 500, and the second pool will be configured to use UDP port 4500. Each pool is configured with the VPN servers defined as the individual nodes.

Virtual Server Configuration

Next create two virtual servers, the first configured to use UDP port 500 and the second to use UDP port 4500.

Persistence Profile

To ensure that both IKEv2 UDP 500 and 4500 packets are delivered to the same node, follow the steps below to create and assign a Persistence Profile.

1. Expand Local Traffic > Profiles and click Persistence.
2. Click Create.
3. Enter a descriptive name for the profile in the Name field.
4. Select Source Address Affinity from the Persistence Type drop-down list.
5. Click the Custom check box.
6. Select the option to Match Across Services.
7. Click Finished.

Assign the new persistence profile to both UDP 500 and 4500 virtual servers. Navigate to the Resources tab on each virtual server and select the new persistence profile from the Default Persistence Profile drop-down list. Be sure to do this for both virtual servers.

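The pool, virtual server and persistence profile configuration above, expressed as BIG-IP tmsh commands instead of the GUI steps. This is an added example and not configuration from the original post: the node addresses, the virtual IP 203.0.113.10, the object names and the gateway_icmp monitor are assumptions, and the Performance (Layer 4) type, SNAT Automap and Least Connections (Member) settings are taken from the comments below rather than the article body.

```tmsh
# Constructed example values: RFC 1918 addresses for the two RRAS servers
# and a documentation-range public VIP stand in for real addresses.
create ltm node vpn01 address 10.10.20.11
create ltm node vpn02 address 10.10.20.12

# One pool per IKEv2 port. gateway_icmp is an assumed monitor; the post does
# not specify one. Least Connections (Member) follows the author's reply below.
create ltm pool pool_ikev2_udp500  members add { vpn01:500  vpn02:500  } monitor gateway_icmp load-balancing-mode least-connections-member
create ltm pool pool_ikev2_udp4500 members add { vpn01:4500 vpn02:4500 } monitor gateway_icmp load-balancing-mode least-connections-member

# Source Address Affinity persistence with Match Across Services, so the
# UDP 500 (IKE) and UDP 4500 (NAT-T / ESP-in-UDP) flows from a single client
# are always pinned to the same pool member.
create ltm persistence source-addr persist_ikev2 defaults-from source_addr match-across-services enabled

# Two UDP virtual servers of type Performance (Layer 4) with SNAT Automap,
# each using the shared profile as its Default Persistence Profile.
create ltm virtual vs_ikev2_udp500 destination 203.0.113.10:500 ip-protocol udp profiles replace-all-with { fastL4 } pool pool_ikev2_udp500 persist replace-all-with { persist_ikev2 } source-address-translation { type automap }
create ltm virtual vs_ikev2_udp4500 destination 203.0.113.10:4500 ip-protocol udp profiles replace-all-with { fastL4 } pool pool_ikev2_udp4500 persist replace-all-with { persist_ikev2 } source-address-translation { type automap }

# Check: both virtual servers must list persist_ikev2, and after a client
# connects its source address should appear once per port against the same
# pool member in the persistence records.
list ltm virtual vs_ikev2_udp500 persist
list ltm virtual vs_ikev2_udp4500 persist
show ltm persistence persist-records

save sys config
```

With SNAT Automap the VPN servers see a BIG-IP self IP rather than the client's address as the IKE peer, so keep that in mind when correlating RRAS logs with the persistence records.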

Additional Resources

Windows 10 Always On VPN IKEv2 Load Balancing with Kemp LoadMaster Load Balancer 

Windows 10 Always On VPN IKEv2 Security Configuration

Windows 10 Always On VPN and IKEv2 Fragmentation

Windows 10 Always On VPN Certificate Requirements for IKEv2

Video: Windows 10 Always On VPN Load Balancing with the Kemp LoadMaster Load Balancer

19 Comments

  1. Adam

     /  March 21, 2019

    Hi Richard
    How did you configure your health monitors for IKEV2?

  2. Jimmy

     /  April 2, 2019

    Hi Richard,

    Regarding load balancing, is there any way to load balance Always On without any appliance, i.e. F5, Kemp, etc., like using two servers running Always On VPN and load balancing without any appliance?

    • Certainly. You could configure two public IP addresses (one for each VPN server) and then use DNS round robin to load balance client requests. You could also use Windows Network Load Balancing (NLB).

  3. Zack

     /  April 17, 2019

    Thanks for the article. When we set it up we had trouble getting clients to move from one VPN server to the other. We found a couple settings on the F5 that made a difference. By default when creating a server the type is standard (which still allows for the UDP config but didn’t connect even with port settings specified). We had to update it to Performance (Layer 4) and set the Source Address Translation to Auto Map. After that we can move back and forth between two VPN servers easily. Should be great for a DR situation.

    • My pleasure! I didn’t go into the low-level detailed configuration of the F5 in this article, mostly because I expect the administrator will have intimate knowledge of F5 configuration. However, I typically use Performance L4 anyway and wasn’t aware there were issues with failover. Thanks for sharing!

  4. Vladislavs Dmuhovskis

     /  October 14, 2019

    Which load balancing method do you advise using on F5 to balance IKEv2 across 2 RRAS servers?

    • I typically use Least Connections (Member) to ensure equal distribution between servers and to speed up convergence after a server is restarted or a new server is added to the pool.

  5. Matthew Rawles

     /  November 1, 2019

    Hi Richard,

    We have been struggling with load balancers and Always On. We currently use a Jet Nexus appliance to load balance IKE and SSTP, and we have 2000+ configured users.

    After a few days the load balancer stops allowing UDP sessions; random source IPs just cannot connect (SSTP is always OK). Rebooting the real servers fixes this in most cases, and sometimes if you change your IP (say you move from ADSL to a mobile hotspot) you can get back in again OK.

    I’ve been trying a KEMP and a BIG-IP load balancer out to replace the JetNexus; I don’t have a lot of confidence in their product.

    With the KEMP I’ve got a similar issue to the Jet: after a while you randomly receive error 809 messages on clients (I have been testing with 40 virtual Windows 10 clients sat in a VLAN that NATs into the same subnet as the load balancer, so everything is at gigabit speed). I’ve grouped the test clients so when they are translated they have unique public IPs for their group (so 5 or 6 will come from the same source public IP).

    The load balancer is configured single-arm.

    The Windows servers are 2019 and have the IKE fragmentation registry fix.

    If I distribute the clients over multiple IP addresses I will always get a couple that refuse to connect to the Kemp (but can connect fine to the real server). I’ve opened a case with Kemp on this but they say things like “we don’t have many customers load balancing UDP 500/4500”.

    So finally I’ve been trying a BIG-IP from F5. This I managed to get working so all 40 test systems connect, which is great, but I’m seeing awful performance (500ms ping times, when the response should be 3ms over this test network).

    With Kemp there are detailed templates and guides to the correct settings to make Always On behave; I cannot find any guides or examples of the correct settings for the services on F5. Do you know of any?

    Have you seen issues with device VPN users getting 809 errors when you have 100s of clients connecting via a load balancer? (We typically have about 300-400 at any one time.)

    Thanks

    Matthew Rawles
    NHS (UK)

    • Can you try setting the following registry value on your RRAS servers and restarting the IKEEXT service please? Here are the PowerShell commands to do this.

      New-ItemProperty -Path 'HKLM:SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters\' -Name IkeNumEstablishedForInitialQuery -PropertyType DWORD -Value 50000 -Force
      Restart-Service IKEEXT -Force -PassThru

      Let me know if this solves your problem or not. 🙂

      • Matthew Rawles

         /  November 2, 2019

        Hi Richard,

        I’m not sure that’s made a difference (this is testing the Kemp LB); my 40 test clients all initially connect OK.

        Then if I power them down (making sure the RRAS server has no connections showing), change the source IP the clients come from, and power them back up, not all of the 40 connect OK (maybe 2 or 3 fail).

        On one failed client, if I move the client to a different network (changing its source IP) the client then connects. Moving it back to the original source IP, it then refuses to connect (error 809).

        If it is RRAS rejecting the connections, is there a way to increase the logging to see this?

        I’ll put that reg fix on our production (Jet Nexus LB) setup and see if that helps. Is there any list of RRAS tweaks like this?

        I’d also like to get the F5 tests I have working (but unlike Kemp there is nothing I can find online on the best way to configure the F5 LB, no detail, just your helpful summary). Over F5 we seem to get connections OK but the VPN is unusably slow (very high latency). There must be a setting I have wrong on that LB.

        Thanks

        Matthew Rawles

      • It certainly sounds like it is an IPsec issue. Hoping that registry entry makes a difference. You can enable debug logging in the RRAS management console, which should provide more detail for you. Network traces might be useful too.

      • Matthew Rawles

         /  November 2, 2019

        Hi Richard,

        I just noticed that one of my test RRAS servers only had 2 IKE ports enabled on it, not sure how I missed that, so that may have been the root cause of some of the odd 809 errors.

        I’ll apply your reg fix to our production servers (and I think I’ll increase the number of IKEv2 ports from the 1024 I’d set per server to a much bigger value per server; if these are being held by the LB-based UDP connections and Windows isn’t freeing them up, that might be why we seem to run out).

        I’ll feed back later this week on how we get on with that.

        Thanks again

        Matthew Rawles

      • Indeed, not having enough VPN ports provisioned could be problematic. Also, it’s a good idea to overprovision those ports just to be on the safe side. 🙂

  6. Elliot Sandell

     /  November 25, 2019

    Hi Richard, is it possible to use a Citrix Netscaler to Load Balance? Have you any configuration details you could share?

    Thanks

    Elliot (NHS)

    • Yes, absolutely. I haven’t documented it yet though. It’s on my list of things to do for sure. Look for that article to be published sometime in the next month or so, hopefully. 🙂

  1. Always On VPN IKEv2 Features and Limitations | Richard M. Hicks Consulting, Inc.
