It's again that exciting time of the year when the next version of Windows is going to make it to the markets. Win7 boasts of several cool features that promise to transform the lives of people and make computers more effective and easier to use. So are you ready to grab a glimpse of these cool features that highlight Win7?
Present VPN tunnels do not provide mobility support. By mobility I mean that if the interface on which the VPN connection is established, gets disconnected, your VPN connection gets disconnected too. You have to re-dial the connection over the next available interface and undergo the time consuming authentication process and security checks. This leads to waste of your time, puts undue burden on the VPN servers and causes annoyance. Isn't it? Now imagine if there is some mechanism by which the switch is automatically performed to the next available Internet capable interface and the same VPN connection stays as it is. Excited? This is exactly what we are trying to achieve through this new component. Let me introduce you to the Mobility manager. It is a component which seamlessly switches over the VPN connection (VPN connection hereafter refers to a connection using new VPN tunnel called IKEv2) to next available interface, when the lower layer interface gets disconnected. In this post I will go through the general behavior, configuration, scenarios and limitations of this component. So let's get started!!!
Mobility manager primarily targets a roaming user and provides her continuous corporate connectivity when she moves across various networks. It also provides for seamless switching of a VPN connection from one interface to another when the interface, on which the VPN connection is established, goes down, hence providing continuous connectivity to a static user also. Some of the real life scenarios can be -
One major characteristic of the switchover is that during the switchover the IKEv2 connection is itself not redialled or re-authenticated, only the external endpoints change.So you need not redial the connection and re-enter your credentials. After the switch is performed, the VPN tunnel will start using the new interface. The applications using this connection see no change and continue to work the same way as before without breaking. That's what you call a seamless switch, isn't it?
How to make your VPN connection mobility enabled
Follow the following steps to make an IKEv2 based VPN connection mobility enabled
Behavior of Mobility manager
IKEv2 based VPN connection exhibits three states-
These states can be explained with an example. Consider a scenario when you are home with a IKEv2 based VPN connection to corporate network over a broadband (PPPoE ) connection. Also assume you have a disabled wireless network that can also provide Internet connectivity.
Some points to note about mobility manager's behavior-
Troubleshooting mobility manager
Mobility manager runs as a task having local service privileges. It gets triggered when the first mobility enabled IKEv2 connection is connected and continues to run till there is one available. It can manage any number of IKEv2 connections on the system.
Mobility manager is a robust and reliable component and typically user would not face any issues, but in case some problem happens , you can do the following checks
2. Enable log collection:
To enable logs, run the following command from the administrator command prompt.
netsh ras diagnostics set tracefacilities enabled
Some of the downsides of Mobility manager can be -
Arpan Kumar Asthana,
Software Development Engineer,
Windows Networking Group.
<p>Agile VPN is very cool indeed.</p>
<p>Been playing with it for a a couple of hours.</p>
<p>IKEv2, MOBIKE and ESP in tunnel mode(if I'm not wrong), although the Win7 beta shows a "PPP adapter" after the connection was established(I don't see any PPP inside the ESP traffic).</p>
<p>No IPComp for the moment.</p>
<p>The VPN client sends the DHCP Inform packet to pull some DHCP options.</p>
<p>What puzzles me is that when I use the EAP-MSCHAP v2 authentication method I need to add a machine certificate on the VPN server, otherwise I get the error message on the server: "IKE failed to find valid machine certificate.", which makes a little ambiguous(for me) why to use this authentication method if a certificate is still required on the server.</p>
<p>Anyway the client does not verify server's certificate with this authentication method.</p>
<p>From the Security logs on the server, I can see that "A certificate was used for authentication.", and the LocalMMPrincipalName points to the name found on the certificate I added on the server.</p>
<p>If I would want a password based auth method on the client and a certificate on the server, I would use PEAP EAP-MSCHAP v2, which allows us to inspect the certificate of the server and protects the users' credentials with TLS quite nice.</p>
<p>By the way, is or will be an "Oakley.log" for IKEv2 on Win 2008 R2 ?</p>
<p>IKE Tracing seems to show only IKEv1 and AuthIP info.</p>
<p>my bad, actually there is ikev2 info within the ikeext.etl file.</p>
<p>VPN Reconnect: A New Tunnel for Mobility Has your file download or a Line of Business application (LOB)</p>
<p>Hi folks, Hope you all are in good health.I believe that you must be enjoying the new VPN reconnect feature</p>
<p>Hi Folks, Our team member Samir Jain has posted a nice blog on how you should decide which tunnel to</p>