Learn PowerShell!
IKEv2 is an IPsec-based VPN protocol with configurable security parameters that allows administrators to ensure the highest level of security for Windows 10 Always On VPN clients. It is the protocol of choice for deployments that require the best possible protection for communication between remote clients and the VPN server. IKEv2 has some unique requirements when it comes to load balancing, however. Because it uses UDP on multiple ports, configuring the load balancer requires some additional steps for proper operation. This article demonstrates how to enable IKEv2 load balancing using the KEMP LoadMaster load balancer.
IKEv2 and NAT
IKEv2 VPN security associations (SAs) begin with a connection to the VPN server that uses UDP port 500. During this initial exchange, if it is determined that the client, server, or both are behind a device performing Network Address Translation (NAT), the connection switches to UDP port 4500 and the connection establishment process continues.
IKEv2 Load Balancing Challenges
Since UDP is connectionless, there’s no guarantee that when the conversation switches from UDP 500 to UDP 4500 that the load balancer will forward the request to the same VPN server on the back end. If the load balancer forwards the UDP 500 session from a VPN client to one real server, then forwards the UDP 4500 session to a different VPN server, the connection will fail. The load balancer must be configured to ensure that both UDP 500 and 4500 from the same VPN client are always forwarded to the same real server to ensure proper operation.
Port Following
To meet this unique requirement for IKEv2 load balancing, it is necessary to use a feature on the KEMP LoadMaster load balancer called “port following”. Enabling this feature will ensure that a VPN client using IKEv2 will always have their UDP 500 and 4500 sessions forwarded to the same real server.
Load Balancing IKEv2
Open the web-based management console and perform the following steps to enable load balancing of IKEv2 traffic on the KEMP LoadMaster load balancer.
Create the Virtual Server
- Expand Virtual Services.
- Click Add New.
- Enter the IP address to be used by the virtual server in the Virtual Address field.
- Enter 500 in the Port field.
- Select UDP from the Protocol drop-down list.
- Click Add this Virtual Service.
Add Real Servers
- Expand Real Servers.
- Click Add New.
- Enter the IP address of the VPN server in the Real Server Address field.
- Click Add This Real Server.
- Repeat the steps above for each VPN server in the cluster.
Repeat all the steps above to create another virtual server using UDP port 4500.
Enable Layer 7 Operation
- Click View/Modify Services below Virtual Services in the navigation tree.
- Select the first virtual server and click Modify.
- Expand Standard Options.
- Uncheck Force L4.
- Select Source IP Address from the Persistence Options drop-down list.
- Choose an appropriate value from the Timeout drop-down list.
- Choose an appropriate setting from the Scheduling Method drop-down list.
- Click Back.
- Repeat these steps on the second virtual server.
Enable Port Following
- Click View/Modify Services below Virtual Services in the navigation tree.
- Select the first virtual server and click Modify.
- Expand Advanced Properties.
- Select the virtual server using UDP 500 from the Port Following drop-down list.
- Click Back.
- Repeat these steps on the second virtual server.
Demonstration Video
The following video demonstrates how to enable IKEv2 load balancing for Windows 10 Always On VPN using the KEMP LoadMaster Load Balancer.
Summary
With the KEMP LoadMaster load balancer configured to use port following, Windows 10 Always On VPN clients using IKEv2 will be assured that their connections will always be delivered to the same back end VPN server, resulting in reliable load balancing for IKEv2 connections.
Additional Information
Windows 10 Always On VPN Certificate Requirements for IKEv2
Windows 10 Always On VPN Protocol Recommendations for Windows Server RRAS
The Windows Server 2016 Routing and Remote Access Service (RRAS) is commonly deployed as a VPN server for Windows 10 Always On VPN deployments. Using RRAS, Always On VPN administrators can take advantage of Microsoft’s proprietary 
Windows 10 Always On VPN is the replacement for Microsoft’s popular DirectAccess remote access solution. It provides the same seamless, transparent, always on remote connectivity as DirectAccess. Where DirectAccess relied heavily on classic on-premises infrastructure such as Active Directory and Group Policy, Always On VPN is infrastructure independent and is designed to be provisioned and managed using a Mobile Device Management (MDM) platform such as Microsoft Intune.
Internet Key Exchange version 2 (IKEv2) is one of the VPN protocols supported for 
DirectAccess has been around for many years, and with Microsoft now moving in the direction of Always On VPN, I’m often asked “What’s the difference between DirectAccess and Always On VPN?” Fundamentally they both provide seamless and transparent, always on remote access. However, Always On VPN has a number of advantages over DirectAccess in terms of security, authentication and management, performance, and supportability.
Windows 10 Always On VPN hands-on training classes now forming. Details 
