The IKEv2 load balancer allows the distribution of incoming IKEv2 connections to other gateways depending on the current load or number of VPN tunnels. The IKEv2 redirect mechanism is used to achieve this.
Larger-scale VPN scenarios generally operate with redundant VPN gateways. Often, the gateways are not used evenly, and some gateways are reserved for backup events. The result is a non-uniform resource load across the installation.
With multiple VPN gateways in operation, all of them need to be configured on all of the clients. Particularly when a new VPN gateway is installed, it has to be subsequently configured on all of the clients. With the redirect mechanism (RFC 5685), IKEv2 offers an enhancement that enables a VPN gateway to redirect a client to another gateway.
The IKEv2 redirect mechanism in combination with VRRP provides a highly available IKEv2 load balancer that is suitable for enterprise scenarios.
In the first step, a VRRP group is activated on all participating VPN gateways. The virtual VRRP IP address is at the same time the master IP address of the IKEv2 load balancer cluster. The VPN gateways now exchange information about their load and their availability by means of regular status messages via multicast. If the master goes down, another VPN gateway is automatically set as the master.
The only information the clients need is the master IP address. If a client establishes a VPN connection to this IP address, the master gateway checks the load of the VPN gateways and redirects the client to the gateway with the least load. The master gateway sends the redirect either in the IKE_SA_INIT response or in the IKE_AUTH exchange. Which gateway the client is redirected to depends on the number of free VPN tunnels on the participating gateways: the VPN client is directed to the VPN gateway with the lowest number of active tunnels.
The virtual gateway address is only used for the initial contact before the subsequent redirect. The client then establishes the actual VPN tunnel to a different gateway address.
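The master's selection rule and the REDIRECT notify it answers with, as an added example that is not LANCOM code: the status table is constructed (the page does not specify the format of the multicast status messages), and the payload encoding follows the Notify layout of RFC 7296 and the REDIRECT data of RFC 5685.

```python
import ipaddress
import struct

# Notify Message Type REDIRECT and the IPv4 gateway identity type, both from RFC 5685
NOTIFY_REDIRECT = 14
GW_IDENT_IPV4 = 1

# Constructed status table as the master could build it from the multicast status
# messages: gateway address -> (active tunnels, maximum tunnels, seconds since last status)
STATUS = {
    "192.0.2.11": (120, 200, 1.0),
    "192.0.2.12": (35, 200, 2.0),   # fewest tunnels among the gateways heard from recently
    "192.0.2.13": (5, 200, 45.0),   # even fewer tunnels, but stale: treated as unavailable
    "192.0.2.14": (200, 200, 1.0),  # no free tunnels
}

def select_gateway(status, stale_after=10.0):
    """Pick the available gateway with the fewest active tunnels.

    A gateway counts as available if its last status message is recent and it
    still has free tunnel capacity. Returns None when no gateway qualifies.
    """
    candidates = [
        (active, ip)
        for ip, (active, maximum, age) in status.items()
        if age <= stale_after and active < maximum
    ]
    if not candidates:
        return None
    return min(candidates)[1]

def build_redirect_notify(gateway_ip, nonce=b""):
    """Encode an IKEv2 Notify payload carrying a REDIRECT to an IPv4 gateway.

    Generic Notify header (RFC 7296): Next Payload 0, Critical bit clear, Payload
    Length, Protocol ID 0, SPI Size 0, Notify Message Type. Notification data
    (RFC 5685): GW Ident Type, GW Ident Len, identity, then the initiator's nonce,
    which is present only when the redirect is sent in the IKE_SA_INIT response
    and omitted when it is sent during IKE_AUTH.
    """
    ident = ipaddress.IPv4Address(gateway_ip).packed
    data = struct.pack("!BB", GW_IDENT_IPV4, len(ident)) + ident + nonce
    header = struct.pack("!BBHBBH", 0, 0, 8 + len(data), 0, 0, NOTIFY_REDIRECT)
    return header + data

def redirect_for_init(status, initiator_nonce):
    """Master's decision for an IKE_SA_INIT response; None means no gateway is free."""
    chosen = select_gateway(status)
    return None if chosen is None else build_redirect_notify(chosen, initiator_nonce)
```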
The following limiting conditions must be observed:
- VRRP is required for the automatic selection of the master gateway.
- The VPN gateways involved must have a common layer-2 connection for the VRRP and the exchange of status messages via multicast.
- VRRP is currently supported on LAN interfaces only.
- An upstream router (redundant, if necessary) is required for WAN access.
- The client must support IKEv2 gateway redirect as per RFC 5685 (currently applies to LANCOM routers and the LANCOM Advanced VPN Client on Windows).
- Load balancer enabled: activates the IKEv2 load balancer.