How to Configure a Non-Transparent Virtual Service for Always on VPN IKEv2
Information
Summary:
Although transparency is recommended for an Always On VPN IKEv2 virtual service, some network environments cannot meet one or more of the requirements for a transparent virtual service.
Environment:
Product: LoadMaster
Version: 7.2.51 and above
Platform: Any
Application: Always On VPN IKEv2
Question/Problem Description:
Is it possible to configure a virtual service for Always On VPN IKEv2 without enabling transparency?
Cause:
The Routing and Remote Access Service (RRAS) real server cannot meet one or more of the requirements for a transparent virtual service, such as:
More information on transparency can be found in this article here.
Resolution:
The virtual service configuration for Always On VPN IKEv2 is almost identical to the one described in section 4 of the Always On VPN deployment guide. The one difference is that the Transparency option must be disabled under the "Standard Options" section of the virtual service configuration. Once Transparency is disabled, the RRAS server sees every connection arriving with the LoadMaster interface IP address as the source IP; it no longer sees the original client's source IP address. Because the LoadMaster forwards all client requests from that one address, the RRAS server sees all inbound IKEv2 VPN requests coming from the same IP address. When this happens, clients connecting with IKEv2 may fail to connect; this occurs most commonly when the real server is under moderate to heavy load. The cause is that IKEv2 VPN connections use IPsec for encryption and, by default, Windows limits the number of IPsec Security Associations (SAs) it will establish from a single IP address. A workaround for this limitation can be implemented on the RRAS server.
Workaround:
The following registry value can be configured to increase the number of SAs that can be established from a single IP address. Be advised that this is only a partial workaround and may not fully eliminate failed IKEv2 connections: there are other settings in Windows that can prevent multiple connections from a single IP address, and these are not adjustable at this time. To implement the registry modification, run the following PowerShell commands with administrative privileges on the RRAS server. Repeat these commands on every RRAS server in the server pool.

    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters\' -Name IkeNumEstablishedForInitialQuery -PropertyType DWORD -Value 50000 -Force
    Restart-Service IKEEXT -Force -PassThru

Note that the RRAS server(s) may need to be restarted.
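The following script is an added example and is not part of the original article or of any Kemp or Microsoft tooling. It applies the same registry change across the whole RRAS pool in one pass, but first reads the current value so that servers already at the desired setting are left alone and the IKEEXT service is only restarted where the value actually changed. It assumes PowerShell remoting (WinRM) is enabled on the RRAS servers and that the account running it is an administrator on each of them; the server names in `$RrasServers` are placeholders.

```powershell
# Added example (not from the original article). Audits and, where needed, applies the
# IkeNumEstablishedForInitialQuery workaround to every RRAS server in the pool.
$RrasServers = @('RRAS01', 'RRAS02')   # placeholder names; replace with the real pool members
$RegPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters'
$ValueName   = 'IkeNumEstablishedForInitialQuery'
$Desired     = 50000                   # value used by the article's workaround

$ScriptBlock = {
    param($RegPath, $ValueName, $Desired)

    # Read the current value, if it exists. A missing value means the Windows default applies.
    $current = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    if ($current -eq $Desired) {
        # Already configured: report and leave the IKEEXT service running.
        return [pscustomobject]@{
            Server        = $env:COMPUTERNAME
            Before        = $current
            After         = $current
            Changed       = $false
            ServiceStatus = (Get-Service -Name IKEEXT).Status
        }
    }

    # Create or overwrite the DWORD value.
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWORD -Value $Desired -Force | Out-Null

    # Restart the IKE and AuthIP IPsec Keying Modules service so the new value takes effect.
    # Restarting IKEEXT tears down the IKE security associations on this server, so existing
    # VPN sessions on it are interrupted; schedule this during a maintenance window.
    Restart-Service -Name IKEEXT -Force

    # Read the value back to confirm the change was written.
    $after = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName

    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        Before        = $current
        After         = $after
        Changed       = $true
        ServiceStatus = (Get-Service -Name IKEEXT).Status
    }
}

# Run against every pool member; requires WinRM and administrative rights on each RRAS server.
$results = Invoke-Command -ComputerName $RrasServers -ScriptBlock $ScriptBlock `
                          -ArgumentList $RegPath, $ValueName, $Desired

$results | Format-Table Server, Before, After, Changed, ServiceStatus -AutoSize
```

Run the script from a management host after the non-transparent virtual service is in place. The `Before` column shows which servers were still at the Windows default, which is useful when verifying that the partial workaround has actually been applied everywhere before troubleshooting remaining IKEv2 connection failures.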
Notes:
See also: Always On VPN IKEv2 Load Balancing and NAT, Richard M. Hicks Consulting, Inc. (richardhicks.com)