
How to Configure a Non-Transparent Virtual Service for Always on VPN IKEv2


Information


Summary:

Although transparency is recommended for an Always On VPN IKEv2 virtual service, some network environments cannot meet one or more of the requirements for a transparent virtual service.

Environment:

Product: LoadMaster

Version: 7.2.51 and above

Platform: Any

Application: Always on VPN IKEv2

Question/Problem Description:

Would it be possible to configure a virtual service for Always on VPN IKEv2 without enabling transparency?

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause:

The Routing and Remote Access Service (RRAS) real server cannot meet one or more of the requirements for a transparent virtual service, such as:

  1. The RS (Real Server) default gateway must be set to the LoadMaster's interface IP address, or to the Shared IP address in a High Availability (HA) deployment.
  2. The RS must be local to the LoadMaster.
  3. Clients on the same subnet as the RS are not able to access the virtual service.
  4. The virtual service cannot be re-encrypted.

More information on transparency can be found in this article.

Resolution:

The virtual service configuration for Always On VPN IKEv2 is almost identical to the one described in section 4 of the Always On VPN deployment guide.

However, the Transparency option must be disabled under the "Standard Options" section of the virtual service configuration. 

Once the Transparency option is disabled, the RRAS server only sees connections arriving from the LoadMaster interface IP address as the source IP; it no longer sees the original client's source IP address.

When the LoadMaster forwards client requests to the RRAS server, the RRAS server therefore sees all inbound IKEv2 VPN requests coming from the same IP address.

When this happens, clients connecting using IKEv2 may fail to connect; this most commonly occurs when the real server is under moderate to heavy load. The reason is that IKEv2 VPN connections use IPsec for encryption, and by default Windows limits the number of IPsec Security Associations (SAs) accepted from a single IP address.

To overcome this limitation, a workaround can be implemented on the RRAS server.

Workaround:

The following registry value can be configured to increase the number of established SAs permitted from a single IP address.

Be advised this is only a partial workaround and may not fully eliminate failed IKEv2 connections. There are other settings in Windows that can prevent multiple connections from a single IP address which are not adjustable at this time.

To implement the registry modification, run the following PowerShell commands with administrative privileges on the RRAS server. Repeat these commands on all RRAS servers in the server pool.

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters\' -Name IkeNumEstablishedForInitialQuery -PropertyType DWORD -Value 50000 -Force

Restart-Service IKEEXT -Force -PassThru

Note that the RRAS server(s) may need to be restarted. 
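Because the change has to be present on every RRAS server behind the virtual service, the following script (an added example, not code from the Kemp article or the Hicks post) audits the value across the pool and, when run with -Apply, sets it only where it is missing or differs and restarts IKEEXT on those hosts. The server names are placeholders, and PowerShell remoting (WinRM) to the RRAS hosts is assumed.

```powershell
# Added example: audit/apply IkeNumEstablishedForInitialQuery on all RRAS servers in the pool.
# Assumptions: PowerShell remoting is enabled to each host; host names are placeholders.
$RrasServers = @('RRAS01', 'RRAS02')   # placeholder host names for the RRAS pool
$RegPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters'
$ValueName   = 'IkeNumEstablishedForInitialQuery'
$Desired     = 50000                    # value used in the workaround above

function Test-IkeSaLimit {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [switch]$Apply
    )
    # Local variables are not visible inside the remote script block, so pass them explicitly.
    Invoke-Command -ComputerName $ComputerName `
        -ArgumentList $RegPath, $ValueName, $Desired, [bool]$Apply `
        -ScriptBlock {
        param($Path, $Name, $Expected, $DoApply)

        # A missing value returns $null rather than throwing, thanks to SilentlyContinue.
        $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        $state = if ($null -eq $current) { 'Missing' }
                 elseif ($current -eq $Expected) { 'OK' }
                 else { 'Mismatch' }

        $restarted = $false
        if ($DoApply -and $state -ne 'OK') {
            # Same change as the manual workaround, applied only where needed (idempotent).
            New-ItemProperty -Path $Path -Name $Name -PropertyType DWORD -Value $Expected -Force | Out-Null
            Restart-Service -Name IKEEXT -Force   # IKEEXT must be restarted to pick up the value
            $restarted = $true
            $state = 'Applied'
        }

        [pscustomobject]@{
            Server       = $env:COMPUTERNAME
            CurrentValue = $current
            State        = $state
            IkeextStatus = (Get-Service -Name IKEEXT).Status
            Restarted    = $restarted
        }
    }
}

# Audit only (no changes made):
Test-IkeSaLimit -ComputerName $RrasServers | Format-Table Server, CurrentValue, State, IkeextStatus -AutoSize

# Apply where missing or different, then report (uncomment to run):
# Test-IkeSaLimit -ComputerName $RrasServers -Apply | Format-Table -AutoSize
```

Run the audit form after every pool change (for example when a new RRAS server is added) so a host that silently lacks the value does not become the one that drops IKEv2 connections under load.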

Notes: Always On VPN IKEv2 Load Balancing and NAT | Richard M. Hicks Consulting, Inc. (richardhicks.com)
