Always On VPN IKEv2 Load Balancing with Citrix NetScaler ADC

Always On VPN SSTP Load Balancing with Citrix NetScaler ADCThe Internet Key Exchange version 2 (IKEv2) VPN protocol is the protocol of choice when the highest level of security is required for Always On VPN connections. It uses IPsec and features configurable security parameters that allow administrators to adjust policies to meet their specific security requirements. IKEv2 is not without some important limitations, but organizations may insist on the use of IKEv2 to provide the greatest protection possible for remote connected clients. Due to complexities of the IKEv2 transport, special configuration on the Citrix ADC is required when load balancing this workload.

Special Note: In December 2019 a serious security vulnerability was discovered on the Citrix ADC that gives an unauthenticated attacker the ability to arbitrarily execute code on the appliance. As of this writing a fix is not available (due end of January 2020) but a temporary workaround can be found here.

Load Balancing IKEv2

When an Always On VPN client establishes a connection using IKEv2, communication begins on UDP port 500, but switches to UDP port 4500 if Network Address Translation (NAT) is detected in the communication path between the client and the server. Because UDP is connectionless, custom configuration is required to ensure that VPN clients maintain connectivity to the same backend VPN server during this transition.

Initial Configuration

Load balancing IKEv2 using the Citrix ADC is similar to other workloads. Below are specific settings and parameters required to load balance IKEv2 using the Citrix ADC.

Note: This article is not a comprehensive configuration guide for the Citrix ADC. It assumes the administrator is familiar with basic load balancing concepts and has experience configuring the Citrix ADC.

Service Settings

The load balancing services for IKEv2 VPN will use UDP ports 500 and 4500. Create the service group and assign group members for UDP 500 as follows.

Always On VPN IKEv2 Load Balancing with Citrix NetScaler ADC

Always On VPN IKEv2 Load Balancing with Citrix NetScaler ADC

Repeat the steps above to create the service group for UDP port 4500.

Virtual Server Settings

Two virtual servers are required, one for UDP port 500 and one for UDP port 4500. Ensure that the service group using UDP port 500 is bound to the virtual server using the same port.

Always On VPN IKEv2 Load Balancing with Citrix NetScaler ADC

Always On VPN IKEv2 Load Balancing with Citrix NetScaler ADC

Repeat the steps above to create the virtual service for UDP port 4500.

Service Monitoring

Since IKEv2 uses the UDP protocol, the only option for service monitoring is to use PING, which is configured by default. Ensure that the firewall on the VPN server allows inbound ICMPv4 and ICMPv6 Echo Request. The default PING monitor on the Citrix ADC will ping the resource every 5 seconds. If a different interval is required, the administrator can edit the PING monitor and bind that to the service or service group as necessary.

Persistency Group

A Persistency Group on the Citrix ADC will be configured to ensure that IKEv2 VPN client requests from the same client are always routed to the same backend server. Follow the steps below to create a Persistency Group and assign it to both IKEv2 virtual servers created previously.

  1. In the Citrix ADC management console expand Traffic Management > Load Balancing > Persistency Groups.
  2. Click Add.
  3. Enter a descriptive name for the Persistency Group.
  4. Select SOURCEIP from the Persistence drop-down list.
  5. Next to the Virtual Server Name section click the Add button.
  6. Add both previously configured IKEv2 virtual servers for UDP 500 and 4500.
  7. Click Create.

Always On VPN IKEv2 Load Balancing with Citrix NetScaler ADC

Use Client IP

To ensure reliable connectivity for IKEv2 VPN connections it is necessary for the VPN server to see the client’s original source IP address. Follow the steps below to configure the Service Group to forward the client’s IP address to the VPN server.

  1. In the Citrix ADC management console expand System, click Settings, and then click Configure Modes.
  2. Select Use Subnet IP.
  3. Click Ok.Always On VPN IKEv2 Load Balancing and NAT
  4. Expand Traffic Management, click Load Balancing, and then click Service Groups.
  5. Select the IKEv2 UDP 500 Service Group.
  6. Click Edit in the Settings section.
  7. Select Use Client IP.
  8. Repeat these steps on the IKEv2 UDP 4500 Service Group.Always On VPN IKEv2 Load Balancing and NAT

Note: Making the above changes will require configuring the VPN server to use the Citrix ADC as its default gateway.

Additional Information

Windows 10 Always On VPN IKEv2 Load Balancing and NAT

Windows 10 Always On VPN SSTP Load Balancing with Citrix NetScaler ADC

Windows 10 Always On VPN IKEv2 Features and Limitations

Windows 10 AlWAYS On VPN and IKEv2 Fragmentation

Windows 10 Always On VPN IKEv2 Security Configuration

Windows 10 Always On VPN Certificate Requirements for IKEv2

Leave a comment

13 Comments

  1. Alan

     /  March 13, 2020

    Thanks Richard for doing up the instructions for Citrix / AOVPN / IKEv2. I had originally set this up like what you had but other issues led me to reconfigure with Protocol ANY and ANY port and seems to work ok too. (have a listen policy for udp 500 / 4500 to lock it down a bit).
    One issue we came across is multiple clients sitting behind a single IP (internet breakout) which probably causes havoc for any type of persistent session. Still haven’t fully addressed that but I think that’s more our environment rather than a fault in the product 🙂

    Do you find it worth tweaking any of the Client Timeout settings within the vServer to help AOVPN when any disconnects / reconnects happen. Going to experiment as the way you have approached it allows finer tweaking of the UDP500 connection which would become obsolete once the NAT was detected (or so I am led to believe). Might be worth timing that connection out after 30sec instead of the default 120.
    Anyway Thanks.

    Reply
  2. Aaron

     /  March 31, 2020

    Hi Richard,
    Thanks for all the articles on AlwaysOn. We are currently load balancing our RAS boxes behind a netscaler, but seeing the same issue as was mentioned in the comments of your article about load balancing with a Kemp (RAS servers not liking everything coming from a single IP).

    Without enabling USIP on the netscaler, since we would need to then change the default gateway of the RAS servers, do you know of any way to insert the client ip from the netscaler to the RAS server?

    Thanks.

    Reply
  3. Greg

     /  June 12, 2020

    Hi Richard,
    First of all thanks for all the great articles. When you mention the vpn server will need to have the default gateway set to the ADC does this mean to the ship address or the virtual server?

    Reply
  4. Paddy berger

     /  June 19, 2020

    Hi Richard, not quite sure what is happening but let me try to explain. We had configured a service rather than service group and all was working however on the odd occasion clients would get the 809 error. Decided to try the above method, created the service group and when the tick box “Use Client IP” is selected I get error 809 from the client, unticked and clients can connect. Not sure why though?

    Reply
    • When you select the option to ‘Use Client IP’ on the Citrix NetScaler ADC you also have to change the default gateway on your VPN server to point to the NetScaler’s SNIP. 🙂

      Reply
      • Paddy Berger

         /  June 30, 2020

        Is there any other way of getting that option to work without it having the NetScaler SNIP. We have a netscaler but all it does it push traffic to the firewall. It is the firewall which know about all the routes, dmz, etc. I have already added the regkey but that didn’t really help much.

      • Not sure. You can experiment with other configurations but using the NetScaler SNIP always works.

  1. Always On VPN IKEv2 Load Balancing and NAT | Richard M. Hicks Consulting, Inc.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: