All posts in category ADC

Always On VPN IKEv2 Load Balancing with KEMP LoadMaster

Internet Key Exchange version 2 (IKEv2) is an IPsec-based VPN protocol with configurable security parameters that allows administrators to ensure the highest level of security for Windows 10 Always On VPN clients. It is the protocol of choice for deployments that require the best possible protection for communication between remote clients and the VPN server. IKEv2 has some unique requirements when it comes to load balancing, however. Because it uses UDP on multiple ports, configuring the load balancer requires some additional steps for proper operation. This article demonstrates how to enable IKEv2 load balancing using the Kemp LoadMaster load balancer.

IKEv2 and NAT

IKEv2 VPN security associations (SAs) begin with a connection to the VPN server that uses UDP port 500. During this initial exchange, if it is determined that the client, server, or both are behind a device performing Network Address Translation (NAT), the connection switches to UDP port 4500 and the connection establishment process continues.

IKEv2 Load Balancing Challenges

Since UDP is connectionless, there’s no guarantee that when the conversation switches from UDP 500 to UDP 4500 that the load balancer will forward the request to the same VPN server on the back end. If the load balancer forwards the UDP 500 session from a VPN client to one real server, then forwards the UDP 4500 session to a different VPN server, the connection will fail. The load balancer must be configured to ensure that both UDP 500 and 4500 from the same VPN client are always forwarded to the same real server to ensure proper operation.

Port Following

To meet this unique requirement for IKEv2 load balancing, it is necessary to use a feature on the KEMP LoadMaster load balancer called “port following”. Enabling this feature will ensure that a VPN client using IKEv2 will always have their UDP 500 and 4500 sessions forwarded to the same real server.

Load Balancing IKEv2

Open the web-based management console and perform the following steps to enable load balancing of IKEv2 traffic on the KEMP LoadMaster load balancer.

Create the Virtual Server

Expand Virtual Services.
Click Add New.
Enter the IP address to be used by the virtual server in the Virtual Address field.
Enter 500 in the Port field.
Select UDP from the Protocol drop-down list.
Click Add this Virtual Service.

Add Real Servers

Expand Real Servers.
Click Add New.
Enter the IP address of the VPN server in the Real Server Address field.
Click Add This Real Server.
Repeat the steps above for each VPN server in the cluster.

Repeat all the steps above to create another virtual server using UDP port 4500.

Enable Layer 7 Operation

Click View/Modify Services below Virtual Services in the navigation tree.
Select the first virtual server and click Modify.
Expand Standard Options.
Uncheck Force L4.
Check Transparency (additional configuration may be required – details here).
Select Source IP Address from the Persistence Options drop-down list.
Choose an appropriate value from the Timeout drop-down list.
Choose an appropriate setting from the Scheduling Method drop-down list.
Click Back.
Repeat these steps on the second virtual server.

Always On VPN IKEv2 Load Balancing with KEMP LoadMaster

Enable Port Following

Click View/Modify Services below Virtual Services in the navigation tree.
Select the first virtual server and click Modify.
Expand Advanced Properties.
Select the virtual server using UDP 500 from the Port Following drop-down list.
Click Back.
Repeat these steps on the second virtual server.

Demonstration Video

The following video demonstrates how to enable IKEv2 load balancing for Windows 10 Always On VPN using the KEMP LoadMaster Load Balancer.

Summary

With the KEMP LoadMaster load balancer configured to use port following, Windows 10 Always On VPN clients using IKEv2 will be assured that their connections will always be delivered to the same back end VPN server, resulting in reliable load balancing for IKEv2 connections.

Additional Information

Windows 10 Always On VPN Certificate Requirements for IKEv2

Windows 10 Always On VPN Protocol Recommendations for Windows Server RRAS

43 Comments

by Richard M. Hicks on September 17, 2018 • Permalink

Posted by Richard M. Hicks on September 17, 2018

https://directaccess.richardhicks.com/2018/09/17/always-on-vpn-ikev2-load-balancing-with-kemp-loadmaster/

Always On VPN Protocol Recommendations for Windows Server Routing and Remote Access Service (RRAS)

Always On VPN Protocol Recommendations for Windows Server Routing and Remote Access Service (RRAS) Windows 10 Always On VPN is infrastructure independent and can be implemented using third-party VPN devices. It is not necessary to deploy any Windows servers at all to support an Always On VPN solution. However, in a recent blog post I outlined some compelling reasons to consider using Windows Server’s Routing and Remote Access Service (RRAS) feature to terminate VPN connections. RRAS supports both modern and legacy VPN protocols, each with their own advantages and disadvantages. The choice of which protocols to support will be determined by many factors, but it is important to understand the capabilities of each to make an informed decision.

RRAS VPN Protocols

Windows RRAS supports the following VPN protocols.

Internet Key Exchange version 2 (IKEv2) – RFC7296
Secure Sockets Tunneling Protocol (SSTP) – Microsoft
Layer Two Tunneling Protocol over IPsec (L2TP/IPsec) – RFC2661
Point-to-Point Tunneling Protocol (PPTP) – RFC2637

There are pros and cons associated with each of these VPN protocols. Here’s a breakdown of each.

IKEv2

This IPsec-based VPN protocol is the preferred choice for deployments where the highest level of security is required. The latest version of IKE (v2) features streamlined messaging during connection establishment and enhanced session management that reduce protocol overhead and improve performance.

Advantages: Best security options.
Disadvantages: Firewalls may block required UDP ports.

SSTP

SSTP is an excellent alternative to IKEv2 and is recommended for most deployments. It uses industry standard Transport Layer Security (TLS), making it widely accessible from most locations. It provides good security out of the box but can be improved upon with additional configuration. SSTP lends itself well to load balancing, making it much easier to scale out than IKEv2. Optionally, TLS can be offloaded to an Application Delivery Controller (ADC) to reduce resource utilization on the RRAS server and further improve performance.

Advantages: Easy to configure with firewall friendly access.
Disadvantages: Fewer security options than IKEv2.

L2TP

While technically supported for Always On VPN, L2TP is a legacy VPN protocol that offers no real advantages over IKEv2. Its use is unnecessary and should be avoided.

Advantages: None.
Disadvantages: Firewalls may block required UDP ports.

PPTP

PPTP is considered an obsolete VPN protocol with many known security vulnerabilities. Its use should be avoided at all costs.

Advantages: None.
Disadvantages: Insecure.

Summary

The recommendation is to use SSTP for user-based VPN connections to ensure operational reliability and optimum performance. Use IKEv2 only when the highest level of security is required. Avoid the use of L2TP/IPsec and PPTP at all costs.

Additional Resources

Frequently Asked Questions about Microsoft’s PPTP Implementation

Always On VPN and Windows Server Routing and Remote Access Services (RRAS)

Windows 10 Always On VPN and the Future of DirectAccess

5 Things DirectAccess Administrators Should Know about Always On VPN

3 Important Advantages of Windows 10 Always On VPN over DirectAccess

Windows 10 Always On VPN Hands-On Training Classes

31 Comments

by Richard M. Hicks on January 22, 2018 • Permalink

Posted in ADC, Always On VPN, AOVPN, application delivery controller, Encryption, Load Balancing, Remote Access, Security, SSL and TLS, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016

Tagged Always On VPN, AOVPN, IPsec, L2TP, L2TP/IPsec, Microsoft, performance, PPTP, Remote Access, routing and remote access service, RRAS, security, SSL, SSTP, TLS, transport layer security, UDP, VPN, Windows, Windows 10

Posted by Richard M. Hicks on January 22, 2018

https://directaccess.richardhicks.com/2018/01/22/always-on-vpn-protocol-recommendations-for-windows-server-routing-and-remote-access-service-rras/

DirectAccess Manage Out with ISATAP and NLB Clustering

DirectAccess Manage Out with ISATAP and NLB Clustering DirectAccess connections are bidirectional, allowing administrators to remotely connect to clients and manage them when they are out of the office. DirectAccess clients use IPv6 exclusively, so any communication initiated from the internal network to remote DirectAccess clients must also use IPv6. If IPv6 is not deployed natively on the internal network, the Intrasite Automatic Tunnel Addressing Protocol (ISATAP) IPv6 transition technology can be used to enable manage out.

ISATAP Supportability

According to Microsoft’s support guidelines for DirectAccess, using ISATAP for manage out is only supported for single server deployments. ISATAP is not supported when deployed in a multisite or load-balanced environment.

“Not supported” is not the same as “doesn’t work” though. For example, ISATAP can easily be deployed in single site DirectAccess deployments where load balancing is provided using Network Load Balancing (NLB).

ISATAP Configuration

To do this, you must first create DNS A resource records for the internal IPv4 address for each DirectAccess server as well as the internal virtual IP address (VIP) assigned to the cluster.

DirectAccess Manage Out with ISATAP and NLB Clustering

Note: Do NOT use the name ISATAP. This name is included in the DNS query block list on most DNS servers and will not resolve unless it is removed. Removing it is not recommended either, as it will result in ALL IPv6-enabled hosts on the network configuring an ISATAP tunnel adapter.

Once the DNS records have been added, you can configure a single computer for manage out by opening an elevated PowerShell command window and running the following command:

Set-NetIsatapConfiguration -State Enabled -Router [ISATAP FQDN] -PassThru

Once complete, an ISATAP tunnel adapter network interface with a unicast IPv6 address will appear in the output of ipconfig.exe, as shown here.

Running the Get-NetRoute -AddressFamily IPv6 PowerShell command will show routes to the client IPv6 prefixes assigned to each DirectAccess server.

Finally, verify network connectivity from the manage out host to the remote DirectAccess client.

Note: There is a known issue with some versions of Windows 10 and Windows Server 2016 that may prevent manage out using ISATAP from working correctly. There’s a simple workaround, however. More details can be found here.

Group Policy Deployment

If you have more than a few systems on which to enable ISATAP manage out, using Active Directory Group Policy Objects (GPOs) to distribute these settings is a much better idea. You can find guidance for creating GPOs for ISATAP manage out here.

DirectAccess Client Firewall Configuration

Simply enabling ISATAP on a server or workstation isn’t all that’s required to perform remote management on DirectAccess clients. The Windows firewall running on the DirectAccess client computer must also be configured to securely allow remote administration traffic from the internal network. Guidance for configuring the Windows firewall on DirectAccess clients for ISATAP manage out can be found here.

ISATAP Manage Out for Multisite and ELB

The configuration guidance in this post will not work if DirectAccess multisite is enabled or external load balancers (ELB) are used. However, ISATAP can still be used. For more information about enabling ISATAP manage out with external load balancers and/or multisite deployments, fill out the form below and I’ll provide you with more details.

Summary

Once ISATAP is enabled for manage out, administrators on the internal network can remotely manage DirectAccess clients wherever they happen to be. Native Windows remote administration tools such as Remote Desktop, Windows Remote Assistance, and the Computer Management MMC can be used to manage remote DirectAccess clients. In addition, enterprise administration tools such as PowerShell remoting and System Center Configuration Manger (SCCM) Remote Control can also be used. Further, third-party remote administration tools such as VNC, TeamViewer, LogMeIn, GoToMyPC, Bomgar, and many others will also work with DirectAccess ISATAP manage out.

Additional Information

ISATAP Recommendations for DirectAccess Deployments

DirectAccess Manage Out with ISATAP Fails on Windows 10 and Windows Server 2016

DirectAccess Client Firewall Rule Configuration for ISATAP Manage Out

DirectAccess Manage Out and System Center Configuration Manager (SCCM)

Contact Me

Interested in learning more about ISATAP manage out for multisite and external load balancer deployments? Fill out the form below and I’ll get in touch with you.

3 Comments

by Richard M. Hicks on December 14, 2017 • Permalink

Posted in ADC, DirectAccess, DNS, F5, High Availability, IPv6, IPv6 Transition, Load Balancing, LoadMaster, Manage Out, multisite, Netscaler, Remote Access, transition technology, Windows 10, Windows 8.1, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on December 14, 2017

https://directaccess.richardhicks.com/2017/12/14/directaccess-manage-out-with-isatap-and-nlb-clustering/

Richard M. Hicks Consulting, Inc.

Awards

Pluralsight

Consulting

Newsletter

All posts in category ADC

Always On VPN IKEv2 Load Balancing with KEMP LoadMaster

IKEv2 and NAT

IKEv2 Load Balancing Challenges

Port Following