The Mobility Manager - managing mobility for VPN reconnect connections (IKEv2 based VPN connections)

Hi folks,

It's that exciting time of the year again when the next version of Windows is about to reach the market. Win7 boasts several cool features that promise to transform people's lives and make computers more effective and easier to use. So are you ready to grab a glimpse of the cool features that highlight Win7?

Present VPN tunnels do not provide mobility support. By mobility I mean this: if the interface on which the VPN connection is established gets disconnected, your VPN connection gets disconnected too. You have to re-dial the connection over the next available interface and go through the time-consuming authentication process and security checks again. This wastes your time, puts an undue burden on the VPN servers and is plain annoying. Now imagine a mechanism that automatically switches over to the next available Internet-capable interface while the same VPN connection stays up. Excited? This is exactly what we are trying to achieve with this new component. Let me introduce you to the Mobility manager. It is a component which seamlessly switches a VPN connection (VPN connection hereafter refers to a connection using the new IKEv2 VPN tunnel) over to the next available interface when the lower-layer interface gets disconnected. In this post I will go through the general behavior, configuration, scenarios and limitations of this component. So let's get started!!!

Mobility manager primarily targets the roaming user and provides her continuous corporate connectivity as she moves across networks. It also provides seamless switching of a VPN connection from one interface to another when the interface on which the VPN connection is established goes down, so a stationary user gets continuous connectivity as well. Some real-life scenarios:

  1. A connected user remains connected when she moves across wireless access points (coffee shops/hotels).
  2. A user connected from home (through WWAN/GPRS) remains connected when she comes inside the corporate network (i.e. comes to office).
  3. A connected user remains connected if the underlying interface goes down and some other interface (with network connectivity) is available.
  4. A connected user remains connected if the underlying interface is flaky. In this case other VPN connections get disconnected, but the IKEv2 based VPN connection stays up.
  5. A connected user remains connected if she moves from an IPv4 enabled network to an IPv6 enabled network and vice versa, provided the server supports IPv6 addresses.

One major characteristic of the switchover is that the IKEv2 connection itself is not redialled or re-authenticated; only the external endpoints change. So you need not redial the connection or re-enter your credentials. After the switch is performed, the VPN tunnel starts using the new interface. Applications using this connection see no change and continue to work as before without breaking. That's what you call a seamless switch, isn't it?

How to make your VPN connection mobility enabled

Follow these steps to make an IKEv2 based VPN connection mobility enabled:

  1. Open the VPN connectoid properties.
  2. Go to the Security tab.
  3. Click on Advanced Settings.
  4. Check the Mobility checkbox to enable mobility.

[Screenshot: the Mobility checkbox in the Advanced Settings dialog]

Behavior of Mobility manager

An IKEv2 based VPN connection exhibits three states:

  1. Connected
  2. Dormant - the underlying interface through which IKEv2 is connected to the corporate network has gone down, or the access point has changed.
  3. Waiting to reconnect - the mobility manager is trying to switch the connection to the next available interface or access point.

These states can be explained with an example. Consider a scenario where you are at home with an IKEv2 based VPN connection to the corporate network over a broadband (PPPoE) connection. Also assume you have a disabled wireless network that could also provide Internet connectivity.

  • Initially the VPN connection is connected.

       [Screenshot: VPN connection in the Connected state]

  • Now if the broadband connection gets disconnected (with wireless still disabled), the VPN connection goes into the dormant state as shown below.

       [Screenshot: VPN connection in the Dormant state]

  • Now if you enable the wireless network, the mobility manager tries to switch the VPN connection over to the wireless network. While the switchover is in progress, the VPN connection is in the 'Waiting to reconnect' state as shown below.

       [Screenshot: VPN connection in the Waiting to reconnect state]

  • After a successful switchover the VPN connection is happily reconnected.

       [Screenshot: VPN connection reconnected over the wireless network]

Some points to note about the mobility manager's behavior:

  1. The dormant VPN connection starts using a new Internet-capable interface in a few milliseconds.
  2. If no new Internet-capable interface is available on the system, the mobility manager performs the switch as soon as one becomes available.
  3. If the system has no network connectivity and there are dormant connections on the system, the mobility manager tries to switch the dormant connections at regular intervals.
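To make the three states and the switching rules concrete, here is an added example, written for this post; it is not Windows code and not the RRAS team's. It models a mobility manager in Python and replays the broadband-to-wireless walk-through above. The interface names, addresses and the SA identifier are constructed values, the retry interval is an assumed parameter because the post gives no number, and the detail that the IKE SA (here just `sa_spi`) survives the switch while only the endpoint address changes follows the post's statement that the connection is not redialled or re-authenticated.

```python
# Added example (not code from the post or from Windows): a small model of the
# Mobility Manager's three connection states and the switchover rules above.
# Interface names, addresses, the SPI value and the retry interval are constructed.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class VpnState(Enum):
    CONNECTED = "Connected"
    DORMANT = "Dormant"
    WAITING_TO_RECONNECT = "Waiting to reconnect"


@dataclass
class Interface:
    name: str
    address: str              # local endpoint address a tunnel over this interface would use
    internet_capable: bool    # whether the interface can reach the VPN server at all
    up: bool = True


@dataclass
class Ikev2Connection:
    name: str
    sa_spi: str               # stands in for the IKE SA identity and keys (constructed value)
    interface: Optional[str]
    local_endpoint: Optional[str]
    state: VpnState = VpnState.CONNECTED
    history: List[Tuple[str, Optional[str]]] = field(default_factory=list)

    def set_state(self, state: VpnState) -> None:
        self.state = state
        self.history.append((state.value, self.interface))


class MobilityManager:
    """Tracks mobility-enabled IKEv2 connections and moves dormant ones to the
    first Internet-capable interface that is up. Non-mobility connections are
    out of scope here: per the post they simply drop when their interface dies."""

    def __init__(self, interfaces: List[Interface], retry_interval_s: int = 30):
        self.interfaces: Dict[str, Interface] = {i.name: i for i in interfaces}
        self.connections: List[Ikev2Connection] = []
        self.retry_interval_s = retry_interval_s  # assumed value; the post gives no number
        self.events: List[str] = []

    def register(self, conn: Ikev2Connection) -> None:
        self.connections.append(conn)

    def _candidate(self) -> Optional[Interface]:
        return next((i for i in self.interfaces.values() if i.up and i.internet_capable), None)

    def interface_down(self, name: str) -> None:
        """Lower-layer interface lost: tunnels on it become dormant, then a switch is attempted."""
        self.interfaces[name].up = False
        for conn in self.connections:
            if conn.interface == name and conn.state is VpnState.CONNECTED:
                conn.interface = None
                conn.set_state(VpnState.DORMANT)
        self.try_switch()

    def interface_up(self, name: str) -> None:
        """A new interface appeared: switch dormant tunnels at once instead of waiting for the timer."""
        self.interfaces[name].up = True
        self.try_switch()

    def tick(self) -> None:
        """Periodic retry while the system has no connectivity but dormant tunnels remain."""
        if any(c.state is VpnState.DORMANT for c in self.connections):
            self.try_switch()

    def try_switch(self) -> None:
        target = self._candidate()
        for conn in self.connections:
            if conn.state is not VpnState.DORMANT:
                continue
            if target is None:
                self.events.append(f"{conn.name}: no Internet capable interface, retry in {self.retry_interval_s}s")
                continue
            conn.set_state(VpnState.WAITING_TO_RECONNECT)
            # Endpoint update only: the IKE SA (sa_spi) is kept, no re-dial, no re-authentication.
            conn.interface = target.name
            conn.local_endpoint = target.address
            conn.set_state(VpnState.CONNECTED)
            self.events.append(f"{conn.name}: switched to {target.name} without re-authentication")


def run_home_scenario() -> Tuple[MobilityManager, Ikev2Connection]:
    """Replays the walk-through: broadband drops while wireless is disabled,
    a timer retry fires with nothing available, then wireless is enabled."""
    pppoe = Interface("Broadband (PPPoE)", "203.0.113.10", internet_capable=True)
    wifi = Interface("Wireless", "192.0.2.25", internet_capable=True, up=False)
    mm = MobilityManager([pppoe, wifi])
    vpn = Ikev2Connection("Corp VPN", sa_spi="0x1a2b3c4d", interface=pppoe.name, local_endpoint=pppoe.address)
    vpn.history.append((vpn.state.value, vpn.interface))
    mm.register(vpn)
    mm.interface_down(pppoe.name)  # Connected -> Dormant; no candidate yet
    mm.tick()                      # timer retry, still nothing available
    mm.interface_up(wifi.name)     # Dormant -> Waiting to reconnect -> Connected over wireless
    return mm, vpn


if __name__ == "__main__":
    manager, conn = run_home_scenario()
    for state, iface in conn.history:
        print(f"{state:22} interface={iface}")
    print("\n".join(manager.events))
```

Running the module prints the four history entries (Connected, Dormant, Waiting to reconnect, Connected) followed by two retry events and the final switch event; the `sa_spi` field is untouched throughout, which is the property the post relies on when it says applications see no change.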

Troubleshooting mobility manager

Mobility manager runs as a scheduled task with Local Service privileges. It is triggered when the first mobility-enabled IKEv2 connection connects and keeps running as long as at least one such connection exists. It can manage any number of IKEv2 connections on the system.

Mobility manager is a robust and reliable component and typically a user would not face any issues, but in case some problem happens, you can do the following checks:

  1. Check if mobility manager is running:
     • Run taskschd.msc
     • Open the \Microsoft\Windows\Ras task folder and verify that the mobility manager task is running.

       [Screenshot: Task Scheduler showing the Ras task]

  2. Enable log collection:

     To enable logs, run the following command from an administrator command prompt.

     netsh ras diagnostics set tracefacilities enabled

Limitations

Some downsides of Mobility manager:

  1. No provision for cost-based switching. The user cannot specify the costs associated with the interfaces. One crude way to express cost is to set the interface metric manually instead of letting it be assigned automatically.
  2. It only supports make-after-break scenarios, meaning that a switch is performed only after the current IKEv2 based VPN connection has become dormant.

 

With Regards,

Arpan Kumar Asthana,

Software Development Engineer,

Windows Networking Group.

Comments

  • Anonymous
    January 01, 2003
    Hi Folks, Our team member Samir Jain has posted a nice blog on how you should decide which tunnel to

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Hi folks, Hope you all are in good health. I believe that you must be enjoying the new VPN reconnect feature

  • Anonymous
    January 11, 2009
    Agile VPN is very cool indeed. Been playing with it for a couple of hours. IKEv2, MOBIKE and ESP in tunnel mode (if I'm not wrong), although the Win7 beta shows a "PPP adapter" after the connection was established (I don't see any PPP inside the ESP traffic). No IPComp for the moment. The VPN client sends the DHCP Inform packet to pull some DHCP options. What puzzles me is that when I use the EAP-MSCHAP v2 authentication method I need to add a machine certificate on the VPN server, otherwise I get the error message on the server: "IKE failed to find valid machine certificate.", which makes it a little ambiguous (for me) why to use this authentication method if a certificate is still required on the server. Anyway the client does not verify the server's certificate with this authentication method. From the Security logs on the server, I can see that "A certificate was used for authentication.", and the LocalMMPrincipalName points to the name found on the certificate I added on the server. If I would want a password based auth method on the client and a certificate on the server, I would use PEAP EAP-MSCHAP v2, which allows us to inspect the certificate of the server and protects the users' credentials with TLS quite nicely. By the way, is there or will there be an "Oakley.log" for IKEv2 on Win 2008 R2? IKE Tracing seems to show only IKEv1 and AuthIP info. Thanks! Adrian

  • Anonymous
    January 12, 2009
    My bad, actually there is IKEv2 info within the ikeext.etl file.