The Internet Key Exchange version 2 (IKEv2) is the protocol of choice for Always On VPN deployments where the highest level of security is required. Implementing Always On VPN at scale often requires multiple VPN servers to provide sufficient capacity and to provide redundancy. Commonly an Application Delivery Controller (ADC) or load balancer is configured in front of the VPN servers to provide scalability and high availability for Always On VPN.
Load Balancing IKEv2
In a recent post I described some of the unique challenges load balancing IKEv2 poses, and I demonstrated how to configure the Kemp LoadMaster load balancer to properly load balance IKEv2 VPN connections. In this post I’ll outline how to configure IKEv2 VPN load balancing on the F5 BIG-IP load balancer.
Note: This article assumes the administrator is familiar with basic F5 BIG-IP load balancer configuration, such as creating nodes, pools, virtual servers, etc.
Initial Configuration
Follow the steps below to create a virtual server on the F5 BIG-IP to load balance IKEv2 VPN connections.
Pool Configuration
To begin, create two pools on the load balancer. The first pool will be configured to use UDP port 500, and the second pool will be configured to use UDP port 4500. Each pool is configured with the VPN servers defined as the individual nodes.
Virtual Server Configuration
Next create two virtual servers, the first configured to use UDP port 500 and the second to use UDP port 4500.
To ensure reliable connectivity for IKEv2 connections it is necessary for the VPN server to see the client’s original source IP address. When configuring virtual server, select None from the Source Address Translation drop-down list.
Persistence Profile
To ensure that both IKEv2 UDP 500 and 4500 packets are delivered to the same node, follow the steps below to create and assign a Persistence Profile.
1. Expand Local Traffic > Profiles and click Persistence.
2. Click Create.
3. Enter a descriptive name for the profile in the Name field.
4. Select Source Address Affinity from the Persistence Type drop-down list.
5. Click the Custom check box.
6. Select the option to Match Across Services.
7. Click Finished.
Assign the new persistence profile to both UDP 500 and 4500 virtual servers. Navigate to the Resources tab on each virtual server and select the new persistence profile from the Default Persistence Profile drop-down list. Be sure to do this for both virtual servers.
Additional Resources
Windows 10 Always On VPN IKEv2 Load Balancing and NAT
Windows 10 Always On VPN IKEv2 Load Balancing with Kemp LoadMaster Load Balancer
Windows 10 Always On VPN IKEv2 Security Configuration
Windows 10 Always On VPN and IKEv2 Fragmentation
Windows 10 Always On VPN Certificate Requirements for IKEv2
Video: Windows 10 Always On VPN Load Balancing with the Kemp LoadMaster Load Balancer
When Always On VPN clients are configured to use the Secure Socket Tunneling Protocol (SSTP) with Windows Server Routing and Remote Access Service (RRAS), administrators may encounter a scenario in which a client can establish a VPN connection using SSTP successfully, but is then disconnected immediately. The system event log contains an entry with Event ID 6 from the RasSstp source that includes the following error message.
The Windows Server Routing and Remote Access Service (RRAS) is a popular choice for a VPN server to support Windows 10 Always On VPN deployments. One significant advantage RRAS provides is support for the Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary VPN protocol that uses Transport Layer Security (TLS) to ensure privacy between the VPN client and server. The advantage to using a TLS-based transport is that it leverages the standard HTTPS TCP port 443, making it firewall friendly and ensuring ubiquitous remote access even behind highly restrictive firewalls.
