IKEv2 communication takes place over UDP ports 500 and 4500. The initial connection is always made on UDP port 500. If a Network Address Translation (NAT) device is detected in the path, communication switches to using UDP port 4500. Since UDP is connectionless, special configuration is required to ensure that client connections are routed to the same Real Server.

Note: Windows limits the number of IPSec Security Associations (SAs) accepted from a single source IP address. Because of this limit, transparency must be enabled on the Virtual Service so that the original client IP address is seen on the VPN server rather than the LoadMaster address. This requires that the default gateway on the VPN servers points to the LoadMaster for proper return routing. If this configuration is not possible, the workaround described in the following article may resolve the issue: IPsec traffic blocked behind HLB on Windows 7/Server 2008 R2
Note: For further information on transparency, refer to the Transparency Feature Description.
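The two points above, that IKEv2 starts on UDP/500 and continues on UDP/4500 once NAT is detected, and that the VPN server counts SAs per source address it observes, can be made concrete with a small simulation. The following Python is an added example written for this guide; it is not LoadMaster code and does not show how the LoadMaster selects Real Servers internally. It decodes the fixed IKEv2 header (RFC 7296 layout, with the four-byte non-ESP marker that RFC 3948 prefixes to IKE packets on port 4500), applies a source-IP persistence table so that both ports from one client map to the same Real Server, and counts SAs per source address as a VPN server would see them with transparency on and off. The IP addresses, SPIs and Real Server names are constructed sample values.

```python
import struct
from dataclasses import dataclass

# Fixed IKEv2 header (RFC 7296 section 3.1): SPIi, SPIr, next payload, version,
# exchange type, flags, message ID, length. 28 bytes, network byte order.
IKE_HEADER = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix on IKE datagrams sent to UDP/4500 (RFC 3948)
EXCHANGE_NAMES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20


@dataclass(frozen=True)
class IkeHeader:
    spi_i: bytes
    spi_r: bytes
    exchange: str
    is_initiator: bool
    is_response: bool
    message_id: int
    nat_t: bool           # True when the datagram arrived on UDP/4500


def parse_ike(udp_dst_port: int, payload: bytes) -> IkeHeader:
    """Decode the IKEv2 header of a UDP datagram received on port 500 or 4500."""
    nat_t = udp_dst_port == 4500
    if nat_t:
        # On 4500 the same port also carries ESP-in-UDP; only IKE has the zero marker.
        if not payload.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 datagram without non-ESP marker (ESP-in-UDP, not IKE)")
        payload = payload[len(NON_ESP_MARKER):]
    if len(payload) < IKE_HEADER.size:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, _next, version, exch, flags, msg_id, length = IKE_HEADER.unpack_from(payload)
    if version >> 4 != 2:
        raise ValueError(f"not IKEv2 (major version {version >> 4})")
    if length != len(payload):
        raise ValueError("IKE length field does not match datagram size")
    return IkeHeader(spi_i, spi_r, EXCHANGE_NAMES.get(exch, f"exchange_{exch}"),
                     bool(flags & FLAG_INITIATOR), bool(flags & FLAG_RESPONSE), msg_id, nat_t)


def build_ike(spi_i, spi_r, exch, flags, msg_id, body=b"", nat_t=False):
    """Construct a sample IKEv2 datagram (header plus opaque body) for testing."""
    hdr = IKE_HEADER.pack(spi_i, spi_r, 33, 0x20, exch, flags, msg_id, IKE_HEADER.size + len(body))
    return (NON_ESP_MARKER + hdr + body) if nat_t else hdr + body


class SourceIpPersistence:
    """Pin each client IP to one Real Server, ignoring the UDP port, so the
    port 500 IKE_SA_INIT and the port 4500 continuation reach the same server."""

    def __init__(self, real_servers):
        self.real_servers = list(real_servers)
        self.table = {}
        self._next = 0

    def select(self, client_ip: str) -> str:
        if client_ip not in self.table:
            self.table[client_ip] = self.real_servers[self._next % len(self.real_servers)]
            self._next += 1
        return self.table[client_ip]


# Constructed sample flows: one client behind NAT (500 then 4500) and one without NAT.
SPI_A = bytes.fromhex("0102030405060708")
SAMPLE_FLOWS = [
    ("198.51.100.7", 500, build_ike(SPI_A, bytes(8), 34, FLAG_INITIATOR, 0, b"\x00" * 8)),
    ("198.51.100.7", 4500, build_ike(SPI_A, bytes.fromhex("1111111111111111"), 35,
                                     FLAG_INITIATOR, 1, b"\x00" * 8, nat_t=True)),
    ("203.0.113.9", 500, build_ike(bytes.fromhex("0a0b0c0d0e0f1011"), bytes(8), 34,
                                   FLAG_INITIATOR, 0, b"\x00" * 8)),
]


def route_sample_flows(flows=SAMPLE_FLOWS):
    """Return (client_ip, port, exchange, nat_t, real_server) for each flow."""
    lb = SourceIpPersistence(["rs1 (hypothetical)", "rs2 (hypothetical)"])
    return [(ip, port, h.exchange, h.nat_t, lb.select(ip))
            for ip, port, payload in flows for h in [parse_ike(port, payload)]]


def sa_count_per_source(flows, transparent: bool, loadmaster_ip="192.0.2.1"):
    """Count distinct IKE SAs (by initiator SPI) per source IP as the VPN server sees it.
    Without transparency every client appears to come from the LoadMaster address,
    so all SAs count against that single source."""
    seen = {}
    for ip, port, payload in flows:
        observed = ip if transparent else loadmaster_ip
        seen.setdefault(observed, set()).add(parse_ike(port, payload).spi_i)
    return {src: len(spis) for src, spis in seen.items()}


if __name__ == "__main__":
    for row in route_sample_flows():
        print(row)
    print("transparent:", sa_count_per_source(SAMPLE_FLOWS, True))
    print("non-transparent:", sa_count_per_source(SAMPLE_FLOWS, False))
```

Keying persistence on the source address only is what keeps the two ports together; a per-port or per-connection key would split the NAT-T continuation from the initial exchange. The SA counting function shows why the Windows per-source SA limit bites without transparency: both clients' SAs are attributed to the single LoadMaster address.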

This guide contains a section on creating a Virtual Service in the WUI using a template. To configure the Virtual Services using the Application Programming Interface (API), refer to the RESTful API documentation.

Note: The recommended settings for the IKEv2 LoadMaster Virtual Services use the Refresh Persist option to ensure proper persistence for Microsoft Always On VPN clients. This functionality requires LoadMaster version 7.2.53 or higher.

The table in each section outlines the API settings and values. You can use this information when using the LoadMaster API and automation tools.