VPN Reconnect: A New Tunnel for Mobility
VPN Reconnect: A New Tunnel for Mobility
Has your file download or a Line of Business application (LOB) ever got interrupted just because your internet connection went down momentarily and you had to start it all over again ?
You will never have to do that with the IKEv2 tunnel of “VPN Reconnect” feature available in windows 7.
Read on to find out what other exciting scenarios can be made possible with VPN reconnect feature.
Look at the following scenarios:
Melissa is a Mobile Information Worker (MIW) who is mostly on the move and uses Wireless Wide Area Network (WWAN) (costly and lower speeds) while she is mobile and Wireless Local Area Network (WLAN)/LAN when at customer locations and when at home or office. As a part of her day to day activities she has to download lots of huge documents from her office server and some LOB applications need uninterrupted connection. As a result she always uses her rather slow and costly WWAN connection even though she has access to high speed WLAN access at different customer locations. She wonders how productive and economical it would have been if she were able to switch to WLAN without her existing applications and downloads getting interrupted.
Sondra is a release manager of a software company whose offices are distributed across different cities and she has to regularly talk to different project teams across different cities as a part of her day to day job. To reduce long distance telephone costs her company has decided to use Voice call over Office communicator instead of long distance calls over cellphones. While she appreciates the clarity of voice she gets using office communicator, she rues the fact that calls get disconnected as he moves between meeting in different buildings and the WiFi access points change. She wonders if should could have the same roaming feature with office communicator as she has with traditional cell phones.
Ichiro is a network admin of an Internet service provider contoso.com Contoso.com does not own any physical infrastructure but leases internet connectivity from different regional service providers and give a single country wide solution to all its customers. The reason contoso’s service offers more value for the money is because they will be able harness the cheapest internet service available in that region. If a particular city has low cost WLAN encompassing all areas, contoso’s customers can connect to this WiFi service instead of the costly WWAN service. One complaint contoso has from its customers is that whenever the local service provider changes, the IP address of the customers changes and all their applications get disconnected. Contoso cannot use Mobile IP as it does not own the network infrastructure. Contoso is looking for a simple solution for this problem
IKEv2 tunnel of VPN Reconnect solves above scenarios and the problems whenever the underlying network changes.
How it works:
VPN Reconnect is built on IPsec Tunnel Mode (RFC 4301) that uses IKEv2 (RFC 4306) for key negotiation and transmits ESP (RFC 4303) packets. MOBIKE (RFC 4555) is used to switch the tunnel end points when the underlying interface changes.
The following diagram illustrates a scenario of VPN Reconnect.
The mobile user initially connects to an IKEv2 compatible server to access corpnet over Wired LAN.
The user then starts using a client application that communicates with the application servers in the corporate network. Now if the user disconnects his wired LAN connection and connects to WiFi hotspot his VPN connection persists and his client application continues its communication with the application server un-interrupted. Let us see how to achieve this and how it works
Configuring IKEv2 Client:
1. Specifying the VPN server address /name:
In the general tab of RAS connectoid properties, specify the VPN server destination. You can specify the IPv4 address, IPv6 address or the Fully Qualified Domain Name (FQDN) of the VPN server .
2. Specifying the tunnel options:
On the security tab select IKEv2 from the dropdown menu of Type of VPN
VPN Reconnect supports different encryption options ranging from no encryption to AES256.
VPN Reconnect supports two types of Authentication:
a. Extensible Authentication Protocol (EAP)(RFC 3748)
b. X.509 Machine Certificates (RFC 2459)
3. Enabling Mobility:
In the advanced properties tab there is a Mobility check box. By default this check box is enabled for VPN Reconnect. If the check box is unchecked the client cannot switch its local tunnel endpoint.
4. Selecting IPv4 and IPv6
VPN Reconnect supports both IPv4 and IPv6 internal addresses.
Once the configuration is done all you need to do is click connect.
On the details tab of the status page of the connection. The local and remote addresses are shown.
In the above page the vpn connection is over the interface “ Local Area Connection” with IP address 172.23.90.42. The Destination address of the VPN server is 172.23.90.71.
The Client IPv4 address 172.23.90.89 is the address to which all the application sockets bind to. VPN Reconnect makes sure that even if the Origin address changes the Client Internal IPv4 address remains same and hence the connection is persisted.
When the LAN interface goes down, mobility manger switches to the next available interface, in the diagram below the new interface is “Wireless Network Connection” with IP address 10.86.52.186.
You can observer that in both the cases the Client Ipv4 address did not change and remained same 172.23.90.89 as a result the applications that bind to 172.23.90.89 will not see any change in the interface going down and hence all the applications are persisted.
In addition to the above illustrations VPN Reconnect persists the connection the following scenarios as well:
Switch from IPv4 to IPv6 address
If the server and client have both IPv4 and IPv6 connectivity, the client can first connect over IPv6 Internet address and switch to an IPv4 Internet address and vice-versa.
Switch from Internet to Corpnet
If the client first connects to corpnet from Internet and then connects to corpnet, VPN Reconnect switches the VPN connection from the Internet facing address of the server to the Internal corpnet address of the server. So if a user starts a voice conversation using Office Communicator over VPN when connected to the internet, he can continue the conversation without any interruption as he walks into his office and connects to Corporate network. This possible even if the corporate network firewall does not allow IKE/ESP packets going out of its Internet gateway because mobility manger tries all combinations of VPN server internal and external addresses when the underlying network goes down.
Switching when the IP Address of an Interface changes
If the IP address of an interface changes, VPN Reconnect ensures that the connection is persisted. So if user connects to his corporate network over WiFi network, his VPN connection stays up even if his WiFi access points change and the IP address of this WiFi interface changes.
Persistent Connection amidst frequent disconnections
If you have a lossy WWAN connection with frequent disconnections and you are want to watch streaming media, every time the connection gets disconnected you will have to re-start the streaming and the buffered data is lost. With IKEv2 tunnel if the WWAN connection gets disconnected and reconnected (even with a new IP address) the connection persists and streaming downloads get resumed for the point of disconnect.
Uma Mahesh Mudigonda
Developer, Routing & Remote Access