Always On VPN and IKEv2 Fragmentation (2024)

The IKEv2 protocol is a popular choice when designing an Always On VPN solution. When configured correctly it provides the best security compared to other protocols. The protocol is not without some unique challenges, however. IKEv2 is often blocked by firewalls, which can prevent connectivity. Another lesser known issue with IKEv2 is that of fragmentation. This can result in failed connectivity that can be difficult to troubleshoot.

IP Fragmentation

IKEv2 uses UDP for transport, and typically most packets are relatively small. The exception to this is when authentication takes place, especially when using client certificate authentication. The problem is further complicated by long certificate chains and by RSA keys, especially those that are greater than 2048 bits. If the payload exceeds 1500 bytes, the IP packet will have to be broken into smaller fragments to be sent over the network. If an intermediary device in the path is configured to use a smaller Maximum Transmission Unit (MTU), that device may fragment the IP packets.

IP Fragmentation and Firewalls

Many routers and firewalls are configured to drop IP fragments by default. When this happens, IKEv2 communication may begin initially, but subsequently fail. This typically results in an error code 809 with a message stating the following.

“Can’t connect to [connection name]. The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g. firewalls, NAT, routers, etc.) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.”


Troubleshooting

When troubleshooting potential IKEv2 fragmentation-related connection failures, a network trace should be taken of the connection attempt on the client. Observe the packet sizes during the conversation, especially IKE_AUTH packets. Packet sizes exceeding the path MTU will have to be fragmented, as shown here.


Measuring Path MTU

Measuring the path MTU between the client and server can be helpful when troubleshooting fragmentation-related issues. The mtupath.exe utility is an excellent and easy-to-use tool for this task. The tool can be downloaded here.


IKEv2 Fragmentation

To address the challenges with IP fragmentation and potential connectivity issues associated with network devices dropping fragmented packets, the IKEv2 protocol itself can be configured to perform fragmentation at the IKE layer. This eliminates the need for IP layer fragmentation, resulting in better reliability for IKEv2 VPN connections.

Both the server and the client must support IKEv2 fragmentation for this to occur. Many firewall and VPN vendors include support for IKEv2 fragmentation. Consult the vendor’s documentation for configuration guidance. For Windows Server Routing and Remote Access (RRAS) servers, the feature was first introduced in Windows Server 1803 and is supported in Windows Server 2019. Windows 10 clients support IKEv2 fragmentation beginning with Windows 10 1803.

Enabling IKEv2 Fragmentation

Windows 10 clients support IKEv2 fragmentation by default. However, it must be enabled on the server via the registry. The following PowerShell command will enable IKEv2 fragmentation support on Windows Server 1803 and later.

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ikev2\" -Name EnableServerFragmentation -PropertyType DWORD -Value 1 -Force

A PowerShell script to implement IKEv2 fragmentation can be found on my GitHub here.

Validation Testing

Once IKEv2 fragmentation is configured on the VPN server, a network capture will reveal the IKE_SA_INIT packet now includes the IKEV2_FRAGMENTATION_SUPPORTED notification message.
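The check a capture tool performs for that notification can be reproduced offline. The following Python is an added example, not code from the original post or from Windows: it validates the fixed IKEv2 header, walks the payload chain, and reports whether the IKEV2_FRAGMENTATION_SUPPORTED notify (type 16430, per RFC 7383) is present. The build_ike_sa_init helper fabricates a minimal IKE_SA_INIT response with constructed SPIs and nonce so the parser can be exercised without a real capture.

```python
import struct

# IKEv2 constants from RFC 7296 (header, payload types) and RFC 7383 (notify type)
IKE_HEADER_LEN = 28
EXCH_IKE_SA_INIT = 34
PAYLOAD_NONCE = 40
PAYLOAD_NOTIFY = 41
NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED = 16430  # RFC 7383, section 2.2.2

def ikev2_payloads(msg: bytes):
    """Validate the 28-byte IKEv2 header, then walk the payload chain.
    Yields (payload_type, payload_body) for each generic payload."""
    if len(msg) < IKE_HEADER_LEN:
        raise ValueError("truncated IKEv2 header")
    _spi_i, _spi_r, next_p, version, _exch, _flags, _msg_id, length = struct.unpack(
        "!8s8sBBBBII", msg[:IKE_HEADER_LEN])
    if version >> 4 != 2:
        raise ValueError("not an IKEv2 message")
    if length != len(msg):
        raise ValueError("header length does not match bytes on the wire")
    off, ptype = IKE_HEADER_LEN, next_p
    while ptype != 0:  # 0 means "No Next Payload"
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt, _crit, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        yield ptype, msg[off + 4:off + plen]
        off, ptype = off + plen, nxt

def notify_types(msg: bytes) -> set:
    """Return the set of Notify Message Types carried in the message."""
    found = set()
    for ptype, body in ikev2_payloads(msg):
        if ptype == PAYLOAD_NOTIFY:
            _proto, _spi_size, ntype = struct.unpack("!BBH", body[:4])
            found.add(ntype)
    return found

def supports_ikev2_fragmentation(msg: bytes) -> bool:
    """True when the peer advertised IKE-layer fragmentation (RFC 7383)."""
    return NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED in notify_types(msg)

def build_ike_sa_init(notifies, nonce: bytes = b"\x11" * 32) -> bytes:
    """Constructed IKE_SA_INIT response (nonce + notifies); SPIs are dummy values."""
    pls = [(PAYLOAD_NONCE, nonce)] + [(PAYLOAD_NOTIFY, struct.pack("!BBH", 0, 0, n)) for n in notifies]
    body = b"".join(struct.pack("!BBH", pls[i + 1][0] if i + 1 < len(pls) else 0, 0, 4 + len(d)) + d
                    for i, (_t, d) in enumerate(pls))
    hdr = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x02" * 8, pls[0][0], 0x20,
                      EXCH_IKE_SA_INIT, 0x20, 0, IKE_HEADER_LEN + len(body))  # flags 0x20 = Response
    return hdr + body
```

On a real capture, feed the UDP payload of the server's IKE_SA_INIT response to supports_ikev2_fragmentation; a False result after enabling the registry value above points at a server that was not restarted or a client that does not support the feature.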


Additional Information

Windows 10 Always On VPN IKEv2 Security Configuration

RFC 7383 – IKEv2 Message Fragmentation

IEA Software MTU Path Scan Utility

Windows 10 Always On VPN Hands-On Training Classes


FAQs

What is IKEv2 fragmentation? ›

IKEv2 fragmentation is a newer solution that improves security by avoiding IP-level fragmentation.

What ports does always on VPN IKEv2 use? ›

IKEv2 communication takes place over UDP ports 500 and 4500. The initial connection is always made on UDP port 500. If a Network Address Translation (NAT) device is detected in the path, communication switches to using UDP port 4500.

What does "always on VPN" mean? ›

Always On VPN provides connectivity to corporate resources by using tunnel policies that require authentication and encryption until they reach the VPN gateway. By default, the tunnel sessions terminate at the VPN gateway, which also functions as the IKEv2 gateway, providing end-to-edge security.

What does IKEv2 mean in VPN? ›

IKEv2 stands for Internet Key Exchange Version 2.

It is considered more lightweight and stable than OpenVPN while retaining some customizability. But it is only available over UDP, which is blocked by some firewalls. IKEv2 is one of the newest protocols and has significant strengths, particularly its speed.

Can IKEv2 be blocked? ›

One downside of IKEv2, though, is that it is only used on Port 500 which makes it easier to block by network administrators as they can simply block Port 500 on the network and IKEv2 won't connect anymore.

How do I enable IKE fragmentation? ›

To enable IKE (IKE_AUTH) message fragmentation, set the IKE_FRAGMENTATION parameter in the /etc/isakmpd.conf file. If you set the IKE_FRAGMENTATION parameter to YES on the local and remote nodes, the IKE messages are fragmented.

What ports are required for always on VPN? ›

Open your firewall rules to allow UDP ports 500 and 4500 inbound to the external IP address applied to the public interface on the VPN server.

What type of VPN is always on VPN? ›

Always On VPN is Microsoft's technology for Windows 10 clients that replaces Direct Access and provides secure remote access for clients. Replacing Microsoft's older Direct Access technology, the VPN connection is “always on” and securely connected to the internet after the connection is established.

What protocol does always on VPN use? ›

It uses Windows 10's built-in VPN client and the Internet Key Exchange version 2 protocol. IKEv2 is a reliable and secure protocol that provides robust authentication and encryption standards, making it a viable choice for Always On VPN.

Should I use always on VPN? ›

Microsoft positions Always On VPN as a better alternative to DirectAccess and recommends the use of Always On VPN whenever possible. However, Always On VPN requires clients to run Windows 10 or higher, which might not be an option in environments that need to support older Windows OSes or non-Windows clients.

Is always on VPN a good idea? ›

Yes, you should leave your VPN on all the time. VPNs offer the best online security, so keeping it on will protect you against data leaks and cyberattacks, especially while you're using public Wi-Fi. It can also safeguard against intrusive snoopers such as ISPs or advertisers.

What are the disadvantages of always on VPN? ›

AO VPN works only with Windows 10. It is not supported for Windows 7 or other operating systems. While AO VPN does add extensive filtering options, no additional blocking technologies exist to prevent viruses or malware, such as crypto locker, from encrypting files.

What is IKEv2 mostly used by? ›

Internet Key Exchange version 2 (IKEv2) is among the fastest VPN protocols. It is usually paired with IPsec and is commonly known as IKEv2/IPsec. The VPN protocol is widely implemented in mobile devices. This can be attributed to its fast speeds, stability, and high reliability when switching between networks.

Is IKEv2 vulnerable? ›

While IKEv2 is generally considered secure, users should be aware of a few probable security issues, such as implementation vulnerabilities: like any cryptographic protocol, the security of IKEv2 depends on the correct protocol implementation in software or hardware.

What is the vulnerability of IKEv2? ›

A vulnerability in the Internet Key Exchange Version 2 (IKEv2) implementation in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to prevent IKEv2 from establishing new security associations. The vulnerability is due to incorrect handling of crafted IKEv2 SA-Init packets.

What is fragmentation in Internet Protocol? ›

IP fragmentation is an Internet Protocol (IP) process that breaks packets into smaller pieces (fragments), so that the resulting pieces can pass through a link with a smaller maximum transmission unit (MTU) than the original packet size. The fragments are reassembled by the receiving host.

What is fragmentation in network security? ›

An IP fragmentation attack is a type of cyber attack that exploits how IP packets are fragmented and reassembled to evade security controls and launch attacks. Attackers manipulate fragmented packet parameters like offsets and sizes to trigger vulnerabilities or bypass firewall rules.

What is the MTU of IKEv2 fragmentation configured? ›

Configures IKEv2 fragmentation. The MTU range is from 96 to 1500 bytes. The default MTU size is 576 for IPv4 packets and 1280 bytes for IPv6 packets.

What is fragmentation DDoS? ›

An Internet Protocol (IP)/Internet Control Message Protocol (ICMP) fragmentation DDoS attack is a common form of volumetric denial of service (DoS) attack. In such an attack, datagram fragmentation mechanisms are used to overwhelm the network.

Article information

Author: Chrissy Homenick
