FlexVPN and Internet Key Exchange Version 2 Configuration Guide, Cisco IOS XE Fuji 16.9.x
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The IKEv2 Load Balancer feature provides support for enabling clusters of FlexVPN gateways and distributes incoming Internet
Key Exchange Version 2 (IKEv2) connection requests among FlexVPN gateways. This feature redirects the incoming FlexVPN or
AnyConnect client requests to the least loaded FlexVPN gateway based on the system and crypto load factors.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information,
see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module,
and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature
Navigator, go to https://cfnng.cisco.com/. An account on Cisco.com is not required.
Prerequisites for IKEv2 Load Balancer
For the server-side configuration, the Hot Standby Router Protocol (HSRP) and FlexVPN server (IKEv2 profile) must be configured.
For the client-side configuration, the FlexVPN client must be configured.
Information About IKEv2 Load Balancer
Overview of IKEv2 Load Balancer
The IKEv2 Load Balancer Support feature provides a Cluster Load Balancing (CLB) solution by redirecting requests from remote
access clients to the Least Loaded Gateway (LLG) in the Hot Standby Router Protocol (HSRP) group or cluster. An HSRP cluster
is a group of gateways or FlexVPN servers in a LAN or in an enterprise network. The CLB solution works with the Internet Key
Exchange Version 2 (IKEv2) redirect mechanism defined in RFC 5685 by redirecting requests to the LLG in the HSRP cluster.
The figure below shows the working of the IKEv2 cluster load balancing solution.
An active HSRP gateway is elected as “primary” in the HSRP group and takes ownership of the Virtual IP address (VIP) for the
group. The primary maintains a list of gateways in the cluster, keeps track of the load on each gateway, and redirects the
FlexVPN client requests to the LLG.
The remaining gateways, termed as “subordinates,” send load updates to the primary at periodic intervals.
When an IKEv2 client connects to the HSRP VIP, the request first reaches the primary, which in turn, redirects the request
to the LLG in the cluster.
The components of the CLB solution are as follows:
HSRP
CLB primary
CLB subordinate
CLB communication
IKEv2 redirects mechanism
Hot Standby Router Protocol
Hot Standby Router Protocol (HSRP) is used to elect the primary HSRP or Active Router (AR). For HSRP to elect a designated
device, you must configure the VIP for one device in the group. This address is learned by other devices in the group. The
IP address that is assigned to the primary is used as the VIP for the group. The HSRP active router (also called primary CLB)
receives the IKEv2 requests and redirects these requests to the LLG in the cluster. The redirection is performed at the IKEv2
protocol level thereby achieving the following:
All requests from the FlexVPN client reach the primary HSRP as the VIP is configured on the FlexVPN clients. The configuration
of FlexVPN clients is minimized because the FlexVPN clients must only know the VIP of the HSRP cluster.
The primary CLB is run on the same gateway as the primary HSRP, thereby maintaining the load information of all subordinate
CLBs. The primary CLB enables effective redirection of requests and avoids multiple redirects and loops.
Primary CLB
A primary CLB runs on the primary HSRP or Active Router (AR). The primary receives updates from subordinate CLBs and sorts
them based on their load condition to calculate the least loaded gateway (LLG). The primary sends the IP address of the LLG
to IKEv2 (on the FlexVPN server). The IP address is sent to the initiator (FlexVPN client), which initiates an IKEv2 session
with the LLG. The primary redirects incoming IKEv2 client connections towards the LLG. For more information, see section “IKEv2 Redirect Mechanism.”
Note
“CLB nodes” are used where both a primary CLB and CLB subordinate must be specified.
Subordinate CLB
A CLB subordinate runs on all devices in an HSRP group except on the Active Router (AR). The subordinates are responsible
for sending periodic load updates to the server. A CLB subordinate is a fully functional IKEv2 gateway which supplies information
to the primary CLB. Apart from updates, CLB subordinates send messages for aliveness assurance to the primary CLB.
CLB Load Management Mechanism
The CLB Load Management Mechanism is a TCP-based protocol that runs between the primary CLB and the CLB subordinates. The
CLB load management mechanism informs the primary CLB about the load on the CLB subordinates. Based on this information, the
primary CLB selects the LLG to handle the session on each new incoming IKEv2 connection.
Benefits of IKEv2 Load Balancer
The IKEv2 Load Balancer Support feature is easy to configure and cost-effective.
A FlexVPN client need not know the IP addresses of all gateways in the cluster. The client need only know the virtual IP
address of the cluster.
The entire crypto session is redirected to a node in the cluster.
IKEv2 Redirect Mechanism
The IKEv2 redirect mechanism enables a VPN gateway to redirect a FlexVPN client request to another VPN gateway based on load
conditions and maintenance requirements.
The IKEv2 redirect mechanism is performed on security association (SA) initialization (IKE_SA_INIT) and on SA authentication
(IKE_AUTH).
Redirect During IKEv2 Initial Exchange (SA Initialization)
A FlexVPN client, or an AnyConnect client indicates support for Internet Key Exchange Version 2 (IKEv2) redirect mechanism
by including a REDIRECT_SUPPORTED notification message in the initial IKE_SA_INIT request. Use the
crypto ikev2 redirect client command to enable the redirect mechanism on a client. Use the
crypto ikev2 redirect gateway init command to enable redirect at IKE_SA_INIT on the gateway.
To redirect an IKEv2 request to another new gateway, the gateway that receives the IKE_SA_INIT request selects the IP address
or the fully qualified domain name (FQDN) of the new gateway (in this case, the LLG) with help of the crypto load balancer
(CLB) module. The gateway replies with an IKE_SA_INIT response that contains a REDIRECT notification message. The notification
includes information such as the new gateway and the nonce value from the payload in the IKE_SA_INIT request. When a client
receives the IKE_SA_INIT response, it verifies the nonce value sent in the IKE_SA_INIT request and the gateway information
provided in the redirect notification, and confirms whether the redirect notification is as per the configuration.
Note
If the nonce value does not match, the client discards the response and waits for another response, thereby preventing denial
of service (DoS) attacks on the initiator. DoS attacks could be caused by an attacker injecting incorrect redirect payloads
in IKE_SA_INIT responses.
In the IKE_SA_INIT exchange with the new gateway, the client message contains the REDIRECTED_FROM notification payload. The
REDIRECTED_FROM notification payload consists of the IP address of the original VPN gateway that redirected the client. The
IKEv2 exchange then proceeds as it would have proceeded with the original gateway.
Note
The client may be redirected again by the new gateway if the new gateway also cannot serve the client. The client does not
include the REDIRECT_SUPPORTED payload again in the IKE_SA_INIT exchange with the new gateway after the redirect. The presence
of the REDIRECTED_FROM notification payload in the IKE_SA_INIT exchange with the new gateway indicates to the new gateway
that the client supports the IKEv2 redirects mechanism.
Redirect During IKE_AUTH Exchange (SA Authentication)
A thorough security analysis shows that redirect during IKE_AUTH is neither more nor less secure than redirect during IKE_INIT.
However, for performance and scalability reasons, we recommend redirect during IKE_INIT. Use the
crypto ikev2 redirect gateway auth command to enable the redirect mechanism on the gateway. Use the
redirect gateway auth command to enable redirect on authentication for selected IKEv2 profiles.
In this method, the client authorization payload is verified before sending the redirect notification payload. A client also
verifies the gateway authorization payload before acting on the redirect notification. As the authorization payload is exchanged
and successfully verified, the IKEv2 security association (SA) is validated successfully and the INITIAL_CONTACT is processed
to decide on redirecting the request. If there is a redirect, the gateway creates the IKE SA and sends the IKE_AUTH response
with the redirect notification.
A child SA is not created in this method. The IKE_AUTH does not contain a payload pertaining to a child SA. When the client
receives the IKE_AUTH response, the client verifies the gateway authentication payload and deletes the IKEv2 SA with the gateway
by sending a delete notification. The client acts on the redirect notification payload to establish connection with the new
gateway. The client does not wait for an acknowledgment for the delete notification before establishing a connection with
the new gateway. If the IKE_AUTH exchange involves the Extensible Authentication Protocol (EAP) authentication, the gateway
has the choice of sending the redirect payload in the first or last IKE_AUTH response. The EAP authentication is included
in the first IKE_AUTH response because it is not necessary to provide credentials for each redirect.
Compatibility and Interoperability
The IKEv2 redirect mechanism is based on RFC 5685. The gateway (IKEv2 responder) is compatible with clients (IKEv2 initiator)
that implement the standard. Similarly, the client (initiator) implementation must be compatible with third party servers
(responder) implementing the standard. The load management mechanism is Cisco proprietary and is only supported on Cisco IOS
devices.
Handling Redirect Loops
A client request could be redirected multiple times in a sequence because of either an incorrect configuration or a denial
of service (DoS) attack. In some cases, a client could enter a loop with two or more gateways redirecting the client to the
other gateway thereby denying service to the client. To prevent this, a client can be configured, using the
crypto ikev2 redirect client command with the
max-redirectsnumber keyword argument pair, to not accept more than a specific number of redirects for a particular IKEv2 security association
(SA) setup.
IKEv2 Cluster
Reconnect
The IKEv2 cluster reconnect feature allows Cisco AnyConnect client to reconnect to any server in the cluster. The crypto ikev2 reconnect key is introduced on the server to encrypt the opaque data pushed to the client. During failure detection, the client does reconnect
with new or existing server without having to prompt for authentication credentials again.
There are only two
key index values, 1 and 2 and at any point in time, any one of the keys
configured using this will be active. The Cisco IOS server will be able to
decrypt the reconnect data as long as the reconnect key is configured using the
reconnect key CLI on the IOS server. This is true even if the key is only the
back-up key.
This feature does not support when the anyconnect-eap keyword as authentication method in the IKEv2 profile through the authentication command.
Note
This feature is available on Cisco IOS devices configured to work as Cisco AnyConnect server. The AnyConnect client software
version that supports this feature are 4.2 and future releases. This feature is applicable for new deployments only. Once
this feature is enabled on the Cisco IOS server, older releases of Cisco AnyConnect clients will not be supported.
How to Configure IKEv2 Load Balancer
Configuring the Server Cluster
Configuring an HSRP Group for Load Balancing
Perform this task to configure a single Hot Standby Router Protocol (HSRP) group for a cluster.
Hot Standby Router Protocol (HSRP) is used to elect the primary HSRP or Active Router (AR). For HSRP to elect a designated
device, you must configure the VIP for one device in the group. This address is learned by other devices in the group. The
IP address that is assigned to the primary is used as the VIP for the group. The HSRP active router (also called primary CLB)
receives the IKEv2 requests and redirects these requests to the LLG in the cluster. The redirection is performed at the IKEv2
protocol level thereby achieving the following:
All requests from the FlexVPN client reach the primary HSRP as the VIP is configured on the FlexVPN clients. The configuration
of FlexVPN clients is minimized because the FlexVPN clients must only know the VIP of the HSRP cluster.
The primary CLB is run on the same gateway as the primary HSRP, thereby maintaining the load information of all CLB subordinates.
The CLB primary enables effective redirection of requests and avoids multiple redirects and loops.
Note
This task describes the minimum commands required to configure an HSRP group for load balancing.
SUMMARY STEPS
enable
configure terminal
interfacetypenumber
ip addressip-addressmask [secondary]
standby [group-number]
prioritypriority
standbygroup-name
exit
Repeat Steps 3 to 7 to configure an HSRP group for another cluster.
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Device> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.
Step 3
interfacetypenumber
Example:
Device(config)# interface GigabitEthernet 0/0/0
Configures an interface type and enters interface configuration mode.
Step 4
ip addressip-addressmask [secondary]
Example:
Device(config-if)# ip address 10.0.0.1 255.255.255.0
Specifies a primary or secondary IP address for an interface.
Step 5
standby [group-number]
prioritypriority
Example:
Device(config-if)# standby 1 priority 110
Configures the HSRP priority.
Step 6
standbygroup-name
Example:
Device(config-if)# standby group1
Specifies the name of the HSRP standby group.
Step 7
exit
Example:
Device(config-if)# exit
Exits to global configuration mode.
Step 8
Repeat Steps 3 to 7 to configure an HSRP group for another cluster.
Specifies settings for the primary in the HSRP cluster.
overload-limitpercent—The threshold load of the cluster. The
load limit to decide when a device is busy and to ignore it when redirecting it
for requests.
weight—Specifies the weight of a load attribute.
Range: 0 to 100. Default: 100.
crypto-loadweight-number—The IKE and IPsec security
association (SA) load.
system-loadweight-number—The system and memory load.
Step 6
portport-number
Example:
Device(config-ikev2-cluster)# port 2000
(Optional) Specifies the cluster primary listen port.
Defines the HSRP group containing the subordinates.
group-name—The group name is derived from the
group-name
argument specified in the
standby name
command.
Step 9
shutdown
Example:
Device(config-ikev2-cluster)# shutdown
(Optional)
Disables the IKEv2 cluster policy.
Step 10
exit
Example:
Device(config-ikev2-cluster)# exit
Exits IKEv2
cluster configuration mode and returns to global configuration mode.
Step 11
crypto ikev2 reconnect
keykey
indexactivename
Example:
Device(config)# crypto ikev2 reconnect key 1 active test123
Enables the
IKEv2 opaque data support for session reconnect.
Note
The ikev2 cluster reconnect feature is enabled for encryption only when the active keyword is present in the ikev2 reconnect key activenamekey-string. The active keyword is mandatory to enable the cluster reconnect feature. If you use the ikev2 reconnect keykey-namekey-string command without the active keyword in the command, the headend will only be able to decrypt.
Step 12
end
Example:
Device(config-ikev2-cluster)# end
Exits IKEv2
cluster configuration mode and returns to privileged EXEC mode.
Activating the IKEv2 Redirect Mechanism on the Server
Enables the IKEv2 redirect mechanism on the FlexVPN client.
max-redirectsnumber—(Optional) Specifies the maximum number of redirects that can be configured on the FlexVPN client for redirect loop detection.
Step 4
end
Example:
Device(config)# end
Exits global configuration mode and returns to privileged EXEC mode.
Configuration Examples for IKEv2 Load Balancer
Example: Configuring an HSRP Group for Load Balancing
The following example shows RouterA configured as the active router for an Hot Standby Router Protocol (HSRP) group with
a priority of 110. The default priority level is 100. This HSRP group is assigned the group name of group1. The group name
is referred in the cluster policy.
Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2)
Technical Assistance
Description
Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use
these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products
and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
The following table provides release information about the feature or features described in this module. This table lists
only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise,
subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco
Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for IKEv2
Load Balancer
Feature Name
Releases
Feature
Information
IKEv2 fast
convergence with cluster reconnect for Anyconnect
The IKEv2 fast
convergence with cluster reconnect for Anyconnect feature enables the Cisco
AnyConnect client to reconnect to any server in the cluster.
The following
command was introduced or modified:
crypto ikev2 reconnect
key
IKEv2 Load
Balancer Support
The IKEv2
Load Balancer Support feature distributes incoming IKEv2 requests from FlexVPN
clients among IKEv2 FlexVPN servers or gateways by redirecting requests to the
least loaded gateway.
The following commands were introduced or modified: crypto ikev2 cluster, crypto ikev2 redirect, holdtime, primary (IKEv2), port (IKEv2), redirect gateway, subordinate (IKEv2),
standby-group, show crypto ikev2 cluster, show crypto ikev2 sa.