Load balancer from RADIUS configuration

As of LCOS 10.40, in addition to configuring a load balancer statically via the load balancer's configuration table (see Dynamic load balancing with multiple DSL connections), your device can configure a load balancer for IKEv2 VPN tunnels dynamically from RADIUS attributes.

In large-scale VPN scenarios, the complete configuration of each VPN tunnel is not stored in the device itself but is outsourced to one or more central RADIUS servers, for better scalability and easier administration. If such a scenario requires several inbound IKEv2 VPN tunnels to be combined into a load balancer on the central-site VPN gateway, this is implemented with additional RADIUS attributes.

The bundled peers of a dynamic load balancer are IKEv2 VPN clients that use RADIUS authorization. A VPN client becomes a part of a dynamic load-balancer cluster if the RADIUS response contains a corresponding RADIUS attribute (LCS-Load-Balancer). This attribute specifies the name of the load balancer cluster and also determines whether to activate client binding (see Client binding).

Note: If this type of VPN connection terminates, the client is removed from its load-balancer cluster. A new connection must be established by the client.
Important: A dynamic load-balancer cluster cannot have the same name as a statically configured cluster, so you cannot mix static and dynamic clients on the same load balancer.

For configuration via a RADIUS server, the syntax of the standard attributes "Framed-Route" and "Framed-IPv6-Route" has been extended so that they can pass on dynamic routes that point to a load balancer. The attribute "LCS-Load-Balancer" ensures that routes used for IKEv2 routing automatically point to the load balancer instead of the dial-in interface.

This feature is also supported with IKEv2 routing. The route on the VPN gateway is then sent dynamically from the remote site instead of being received from the RADIUS server as a Framed-Route attribute. In this case, the RADIUS server only has to send the attribute "LCS-Load-Balancer".

Table 1. RADIUS attributes

ID: 22
Name: Framed-Route
Meaning: IPv4 routes that should be entered into the routing table on the VPN gateway in the direction of the client (next-hop client).
Format (string): <Prefix> [ifc=<destination interface>] [rtg_tag=<routing tag>] [admin_distance=<distance>]
  <Prefix>: IPv4 address + '/' + prefix length or netmask
  ifc=<destination interface>: Name of the IP interface or a load balancer that the route should point to, or "#Ifc". If no destination interface is specified or it is "#Ifc", the route points to the VPN interface of the respective dial-in client. The interface name can contain up to 16 characters.
  rtg_tag=<routing tag>: Routing tag for the route. If this is not specified, the route is given the tag of the dial-in interface.
  admin_distance=<distance>: Administrative distance of the route as a number from 0 to 255. If not specified, the route is given the default distance for VPN routes.

ID: 99
Name: Framed-IPv6-Route
Meaning: IPv6 routes that should be entered into the routing table on the VPN gateway in the direction of the client (next-hop client).
Format (string): <Prefix> [ifc=<destination interface>] [rtg_tag=<routing tag>] [admin_distance=<distance>]
  <Prefix>: IPv6 address + '/' + prefix length
  ifc=<destination interface>: Name of the IP interface or a load balancer that the route should point to, or "#Ifc". If no destination interface is specified or it is "#Ifc", the route points to the VPN interface of the respective dial-in client. The interface name can contain up to 16 characters.
  rtg_tag=<routing tag>: Routing tag for the route. If this is not specified, the route is given the tag of the dial-in interface.
  admin_distance=<distance>: Administrative distance of the route as a number from 0 to 255. If not specified, the route is given the default distance for VPN routes.

ID: LANCOM 28 (vendor-specific)
Name: LCS-Load-Balancer
Format (string): <Load balancer name> [client_binding={no|yes}]
  <Load balancer name>: Up to 16 characters; specifies a load-balancing remote site on the LANCOM router.
  Important: This remote site is used for dynamic IKEv2-VPN load balancing and therefore must not already be in use for static load balancing under IP router > Load balancing.
  client_binding={no|yes}: Turns client binding (see Client binding) on or off. Unless otherwise specified, client binding is off.
  Important: The first IKEv2-VPN client to connect determines this setting. Any client_binding value sent for subsequent clients of the same load-balancing remote site is ignored.

Example: RADIUS attributes for a simple load balancer made up of IKEv2 VPN tunnels to the central site

LCS-Load-Balancer=LB1
Framed-Route=192.168.45.0/24 ifc=LB1;
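The following is an added example, not LCOS code or part of the original documentation. It implements a validator for the attribute value syntax of Table 1 (Framed-Route, Framed-IPv6-Route and LCS-Load-Balancer) so that reply items can be checked on the RADIUS server side before a tunnel depends on them, and it cross-checks that a Framed-Route with an explicit ifc= option actually targets the load balancer named in LCS-Load-Balancer, as in the example above. All function and field names are this example's own; the 16-character name limit and the 0..255 range for admin_distance come from the table, while the non-negative check on rtg_tag is an assumption since the table gives no range.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Limits taken from Table 1; names below are this example's own, not LCOS identifiers.
MAX_NAME_LEN = 16      # interface / load-balancer name limit
DEFAULT_IFC = "#Ifc"   # means "the dial-in client's own VPN interface"


@dataclass
class FramedRoute:
    prefix: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    ifc: Optional[str]             # None: route points at the dial-in VPN interface
    rtg_tag: Optional[int]         # None: inherits the dial-in interface's routing tag
    admin_distance: Optional[int]  # None: LCOS default distance for VPN routes


@dataclass
class LoadBalancer:
    name: str
    client_binding: bool  # off unless client_binding=yes is sent


def _tokens(value: str) -> List[str]:
    # Tolerate the trailing ';' that some RADIUS reply-item syntaxes append.
    return value.strip().rstrip(";").split()


def parse_framed_route(value: str, family: int) -> FramedRoute:
    """Parse a Framed-Route (family=4) or Framed-IPv6-Route (family=6) value."""
    tokens = _tokens(value)
    if not tokens:
        raise ValueError("empty route attribute")
    # ip_network accepts 'addr/len' for both families and 'addr/netmask' for IPv4;
    # strict=False keeps a prefix whose host bits are set instead of rejecting it.
    network = ipaddress.ip_network(tokens[0], strict=False)
    if network.version != family:
        raise ValueError(f"expected an IPv{family} prefix, got {tokens[0]!r}")
    ifc = rtg_tag = admin_distance = None
    for token in tokens[1:]:
        key, sep, val = token.partition("=")
        if not sep or not val:
            raise ValueError(f"malformed option {token!r}")
        if key == "ifc":
            if len(val) > MAX_NAME_LEN:
                raise ValueError(f"interface name {val!r} exceeds {MAX_NAME_LEN} characters")
            ifc = None if val == DEFAULT_IFC else val
        elif key == "rtg_tag":
            rtg_tag = int(val)
            if rtg_tag < 0:  # assumption: routing tags are non-negative integers
                raise ValueError("rtg_tag must not be negative")
        elif key == "admin_distance":
            admin_distance = int(val)
            if not 0 <= admin_distance <= 255:
                raise ValueError("admin_distance must be in the range 0..255")
        else:
            raise ValueError(f"unknown route option {key!r}")
    return FramedRoute(network, ifc, rtg_tag, admin_distance)


def parse_load_balancer(value: str) -> LoadBalancer:
    """Parse the LANCOM vendor-specific attribute LCS-Load-Balancer."""
    tokens = _tokens(value)
    if not tokens or len(tokens[0]) > MAX_NAME_LEN:
        raise ValueError("load balancer name missing or longer than 16 characters")
    binding = False
    for token in tokens[1:]:
        key, _, val = token.partition("=")
        if key != "client_binding" or val not in ("no", "yes"):
            raise ValueError(f"unknown or malformed option {token!r}")
        binding = val == "yes"
    return LoadBalancer(tokens[0], binding)


def lint_reply(lb_value: Optional[str], routes: List[Tuple[str, str]]) -> List[str]:
    """Return findings for routes whose explicit ifc= does not match the load balancer.

    routes: (attribute name, value) pairs as they would appear in the Access-Accept.
    Routes without ifc= (or with #Ifc) are left alone: LCOS then points them at the
    dial-in interface, or at the load balancer when IKEv2 routing is in use.
    """
    findings = []
    balancer = parse_load_balancer(lb_value) if lb_value is not None else None
    for attr, value in routes:
        route = parse_framed_route(value, 6 if attr == "Framed-IPv6-Route" else 4)
        if balancer and route.ifc is not None and route.ifc != balancer.name:
            findings.append(f"{attr} {route.prefix} points at {route.ifc!r}, "
                            f"not at load balancer {balancer.name!r}")
    return findings


if __name__ == "__main__":
    # Constructed reply mirroring the example above: both items are consistent.
    print(parse_load_balancer("LB1"))
    print(parse_framed_route("192.168.45.0/24 ifc=LB1;", 4))
    print(lint_reply("LB1", [("Framed-Route", "192.168.45.0/24 ifc=LB1;")]))
```

Run it against each client profile on the RADIUS server: because the first connecting client fixes the client_binding setting for the whole load-balancing remote site, a single profile with a different client_binding value silently has no effect, so checking that all profiles for one load balancer agree is the kind of consistency test worth adding on top of the per-attribute syntax check shown here.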

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
