Learn PowerShell!
IKEv2 is an IPsec-based VPN protocol with configurable security parameters that allows administrators to ensure the highest level of security for Windows 10 Always On VPN clients. It is the protocol of choice for deployments that require the best possible protection for communication between remote clients and the VPN server. IKEv2 has some unique requirements when it comes to load balancing, however. Because it uses UDP on multiple ports, configuring the load balancer requires some additional steps for proper operation. This article demonstrates how to enable IKEv2 load balancing using the KEMP LoadMaster load balancer.
IKEv2 and NAT
IKEv2 VPN security associations (SAs) begin with a connection to the VPN server that uses UDP port 500. During this initial exchange, if it is determined that the client, server, or both are behind a device performing Network Address Translation (NAT), the connection switches to UDP port 4500 and the connection establishment process continues.
IKEv2 Load Balancing Challenges
Since UDP is connectionless, there’s no guarantee that when the conversation switches from UDP 500 to UDP 4500 that the load balancer will forward the request to the same VPN server on the back end. If the load balancer forwards the UDP 500 session from a VPN client to one real server, then forwards the UDP 4500 session to a different VPN server, the connection will fail. The load balancer must be configured to ensure that both UDP 500 and 4500 from the same VPN client are always forwarded to the same real server to ensure proper operation.
Port Following
To meet this unique requirement for IKEv2 load balancing, it is necessary to use a feature on the KEMP LoadMaster load balancer called “port following”. Enabling this feature will ensure that a VPN client using IKEv2 will always have their UDP 500 and 4500 sessions forwarded to the same real server.
Load Balancing IKEv2
Open the web-based management console and perform the following steps to enable load balancing of IKEv2 traffic on the KEMP LoadMaster load balancer.
Create the Virtual Server
- Expand Virtual Services.
- Click Add New.
- Enter the IP address to be used by the virtual server in the Virtual Address field.
- Enter 500 in the Port field.
- Select UDP from the Protocol drop-down list.
- Click Add this Virtual Service.
Add Real Servers
- Expand Real Servers.
- Click Add New.
- Enter the IP address of the VPN server in the Real Server Address field.
- Click Add This Real Server.
- Repeat the steps above for each VPN server in the cluster.
Repeat all the steps above to create another virtual server using UDP port 4500.
Enable Layer 7 Operation
- Click View/Modify Services below Virtual Services in the navigation tree.
- Select the first virtual server and click Modify.
- Expand Standard Options.
- Uncheck Force L4.
- Select Source IP Address from the Persistence Options drop-down list.
- Choose an appropriate value from the Timeout drop-down list.
- Choose an appropriate setting from the Scheduling Method drop-down list.
- Click Back.
- Repeat these steps on the second virtual server.
Enable Port Following
- Click View/Modify Services below Virtual Services in the navigation tree.
- Select the first virtual server and click Modify.
- Expand Advanced Properties.
- Select the virtual server using UDP 500 from the Port Following drop-down list.
- Click Back.
- Repeat these steps on the second virtual server.
Demonstration Video
The following video demonstrates how to enable IKEv2 load balancing for Windows 10 Always On VPN using the KEMP LoadMaster Load Balancer.
Summary
With the KEMP LoadMaster load balancer configured to use port following, Windows 10 Always On VPN clients using IKEv2 will be assured that their connections will always be delivered to the same back end VPN server, resulting in reliable load balancing for IKEv2 connections.
Additional Information
Windows 10 Always On VPN Certificate Requirements for IKEv2
Windows 10 Always On VPN Protocol Recommendations for Windows Server RRAS
Windows Server Routing and Remote Access Service (RRAS) is commonly used for Windows 10 Always On VPN deployments because it is easy to configure and manage and it includes Microsoft’s proprietary Secure Socket Tunneling Protocol (SSTP). SSTP is a Transport Layer Security (TLS) VPN protocol that is firewall-friendly and ubiquitously available. However, a common configuration mistake can lead to failed connections.
The Windows Server 2016 Routing and Remote Access Service (RRAS) is commonly deployed as a VPN server for Windows 10 Always On VPN deployments. Using RRAS, Always On VPN administrators can take advantage of Microsoft’s proprietary 
With DirectAccess 
Internet Key Exchange version 2 (IKEv2) is one of the VPN protocols supported for 
DirectAccess employs a split tunneling network model by default. In this configuration, only network traffic destined for the internal network (as defined by the administrator) is tunneled over the DirectAccess connection. All other network traffic is routed directly over the Internet.
When configuring Windows 10 Always On VPN using the Routing and Remote Access Service (RRAS) on Windows Server 2012 R2 and Extensible Authentication Protocol (EAP) authentication using client certificates, clients attempting to establish a VPN connection using Internet Key Exchange version 2 (IKEv2) may receive the following error.
I’m pleased to announce that I will be bringing my popular three-day Windows 10 Always On VPN Hands-On Training classes to Denver and New York in May and June! Join me May 15-17, 2018 in Denver or June 5-7, 2018 in New York. These training classes will cover all aspects of designing, implement, and supporting an Always On VPN solution in the enterprise. These three-day courses will cover topics including…
