Always On VPN and IKEv2 Fragmentation

The IKEv2 protocol is a popular choice when designing an Always On VPN solution. When configured correctly it provides the best security compared to other protocols. The protocol is not without some unique challenges, however. IKEv2 is often blocked by firewalls, which can prevent connectivity. Another lesser know issue with IKEv2 is that of fragmentation. This can result in failed connectivity that can be difficult to troubleshoot.

IP Fragmentation

IKEv2 uses UDP for transport, and typically most packets are relatively small. The exception to this is when authentication takes place, especially when using client certificate authentication. The problem is further complicated by long certificate chains and by RSA keys, especially those that are greater than 2048 bit. If the payload exceeds 1500 bytes, the IP packet will have to be broken in to smaller fragments to be sent over the network. If an intermediary device in the path is configured to use a smaller Maximum Transmission Unit (MTU), that device may fragment the IP packets.

IP Fragmentation and Firewalls

Many routers and firewalls are configured to drop IP fragments by default. When this happens, IKEv2 communication may begin initially, but subsequently fail. This typically results in an error code 809 with a message stating the following.

“Can’t connect to [connection name]. The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g. firewalls, NAT, routers, etc.) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.”

Always On VPN and IKEv2 Fragmentation

Troubleshooting

When troubleshooting potential IKEv2 fragmentation-related connection failures, a network trace should be taken of the connection attempt on the client. Observe the packet sizes during the conversation, especially IKE_AUTH packets. Packet sizes exceeding the path MTU will have to be fragmented, as shown here.

Always On VPN and IKEv2 Fragmentation

Measuring Path MTU

Measuring the path MTU between the client and server can be helpful when troubleshooting fragmentation related issues. The mtupath.exe utility is an excellent and easy to use tool for this task. The tool can be downloaded here.

Always On VPN and IKEv2 Fragmentation

IKEv2 Fragmentation

To address the challenges with IP fragmentation and potential connectivity issues associated with network devices dropping fragmented packets, the IKEv2 protocol itself can be configured to perform fragmentation at the IKE layer. This eliminates the need for IP layer fragmentation, resulting in better reliability for IKEv2 VPN connections.

Both the server and the client must support IKEv2 fragmentation for this to occur. Many firewall and VPN vendors include support for IKEv2 fragmentation. Consult the vendor’s documentation for configuration guidance. For Windows Server Routing and Remote Access (RRAS) servers, the feature was first introduced in Windows Server 1803 and is supported in Windows Server 2019. Windows 10 clients support IKEv2 fragmentation beginning with Windows 10 1803.

Enabling IKEv2 Fragmentation

Windows 10 clients support IKEv2 fragmentation by default. However, it must be enabled on the server via the registry. The following PowerShell command will enable IKEv2 fragmentation support on Windows Server 1803 and later.

New-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ikev2\” -Name EnableServerFragmentation -PropertyType DWORD -Value 1 -Force

Validation Testing

Once IKEv2 fragmentation is configured on the VPN server, a network capture will reveal the IKE_SA_INIT packet now includes the IKEV2_FRAGMENTATION_SUPPORTED notification message.

Always On VPN and IKEv2 Fragmentation

Additional Information

Windows 10 Always On VPN IKEv2 Security Configuration

RFC 7383 – IKEv2 Message Fragmentation

IEA Software MTU Path Scan Utility

Windows 10 Always On VPN Hands-On Training Classes

Disable 6to4 IPv6 Transition Protocol for DirectAccess Clients

Introduction

DirectAccess client to server connections are established exclusively over IPv6. To allow for this communication to take place over the public IPv4 Internet, DirectAccess uses IPv6 transition protocols – 6to4, Teredo, and IP-HTTPS – to tunnel IPv6 communication over IPv4. 6to4 is supported when the DirectAccess server is edge facing with a public IPv4 address assigned to its external network interface. Two consecutive public IPv4 addresses are required to support Teredo. IP-HTTPS is used in all scenarios, and exclusively when the DirectAccess server is located in a perimeter or DMZ network behind a NAT device.

6to4 and Teredo Advantages

Not all IPv6 transition protocols are created equal. For Windows 7 clients, 6to4 and Teredo provide significant performance advantages when compared to IP-HTTPS (Windows 8.x clients can use null encryption for IP-HTTPS, which eliminates this performance advantage). 6to4 and Teredo offer nearly identical performance, but 6to4 suffers from some unique challenges and should be disabled by default for all DirectAccess deployments.

Note: IP-HTTPS null encryption is disabled for all clients when client-based remote access VPN or one-time password (OTP) authentication is configured on the DirectAccess server, which can impact performance for Windows 8.x clients using IP-HTTPS.

Unreliable Fallback

The 6to4 IPv6 transition protocol is used when a DirectAccess client has a public IPv4 address assigned to its network interface. 6to4 uses IP protocol 41 for transport, and does not work when the client is behind a NAT. If outbound IP protocol 41 is blocked (a common scenario) then the client should fallback to Teredo or IP-HTTPS. In my experience this doesn’t always happen. In fact, the protocol fallback fails with enough regularity that it is the primary reason I recommend disabling it by default.

Active Directory IP Subnet Assignment

6to4 is also problematic when it comes to configuring Active Directory IP subnets for clients in a multisite DirectAccess deployment. 6to4 addresses begin with the 2002::/16 prefix followed by the IPv4 address of the client represented in hexadecimal using the form WWXX:YYZZ::WWXX:YYZZ. For example, if the DirectAccess client’s public IPv4 address is 198.51.100.83, its 6to4 address would be 2002:c633:6453::c633:6453. Since this IPv6 address is created using only the client’s IPv4 address, there is no way to associate the client to a specific entry point. The administrator is left with assigning the 2002::/16 prefix to the most centrally located AD site. This will undoubtedly result in some DirectAccess clients using domain controllers that are not ideal, which will ultimately lead to slow log on times and mapped drive failures.

Summary

In some deployment scenarios, 6to4 and Teredo offer performance advantages when compared to IP-HTTPS. Performance is identical for both 6to4 and Teredo, and considering the challenges that 6to4 poses, it should be disabled by default for DirectAccess deployments. This eliminates the possibility of associated connectivity issues, while still allowing DirectAccess clients to use the Teredo IPv6 transition protocol and not incur any performance penalty. Details about disabling IPv6 transition protocols can be found here.

%d bloggers like this: