In this article
About IPsec and IKE policy parameters for Azure VPN gateways
Part 1 - Workflow to create and set IPsec/IKE policy
Part 2 - Supported cryptographic algorithms & key strengths
Part 3 - Create a new S2S VPN connection with IPsec/IKE policy
Part 4 - Create a new VNet-to-VNet connection with IPsec/IKE policy
Part 5 - Update IPsec/IKE policy for a connection
Next steps
This article walks you through the steps to configure an IPsec/IKE policy for Site-to-Site VPN or
VNet-to-VNet connections using the Resource Manager deployment model and PowerShell.
It provides instructions to create and configure an IPsec/IKE policy and apply it to a
new or existing connection:
Important
1. Note that IPsec/IKE policy only works on the following gateway SKUs:
2. You can only specify one policy combination for a given connection.
3. You must specify all algorithms and parameters for both IKE (Main Mode) and IPsec (Quick
Mode). Partial policy specification is not allowed.
4. Consult with your VPN device vendor specifications to ensure the policy is supported on
your on-premises VPN devices. S2S or VNet-to-VNet connections cannot establish if the
policies are incompatible.
The instructions in this article help you set up and configure IPsec/IKE policies as shown in
the diagram:
IPsec/IKEv2 Options
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell#a-name-crosspremapart-3---create-a-new-s2s-v… 2/12
27/1/2018 Configure IPsec/IKE policy for S2S VPN or VNet-to-VNet connections: Azure Resource Manager: PowerShell | Microsoft Docs
IPsec Encryption: GCMAES256, GCMAES192, GCMAES128, AES256, AES192, AES128, DES3, DES, None
Important
2. If GCMAES is used as the IPsec encryption algorithm, you must select the same
GCMAES algorithm and key length for IPsec integrity; for example, use
GCMAES128 for both.
3. In the table above:
4. IKEv2 Main Mode SA lifetime is fixed at 28,800 seconds on the Azure VPN gateways
5. Setting "UsePolicyBasedTrafficSelectors" to $True on a connection configures the Azure
VPN gateway to connect to a policy-based VPN firewall on premises. If you enable
PolicyBasedTrafficSelectors, you need to ensure that your VPN device has the matching traffic
selectors defined with all combinations of your on-premises network (local network
gateway) prefixes to/from the Azure virtual network prefixes, instead of any-to-any. For
example, if your on-premises network prefixes are 10.1.0.0/16 and 10.2.0.0/16, and your
virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to specify the
following traffic selectors:
For more information regarding policy-based traffic selectors, see Connect multiple on-
premises policy-based VPN devices.
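The rules in items 2 and 5 above, as an added example that is not part of the Microsoft Docs page: a local check that a candidate policy is complete and that GCMAES encryption is paired with the same GCMAES integrity, plus the expansion of per-prefix traffic selectors for the page's sample prefixes. The function names are chosen here and no Azure cmdlets are called.

```powershell
# Added example, not from the Azure docs page. Function names are chosen here; no Azure cmdlets are called.
function Test-IpsecIkePolicySpec {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $problems = @()
    # Both IKE (Main Mode) and IPsec (Quick Mode) must be fully specified; a partial policy is rejected.
    $required = @('IkeEncryption', 'IkeIntegrity', 'DhGroup', 'IpsecEncryption',
                  'IpsecIntegrity', 'PfsGroup', 'SALifeTimeSeconds', 'SADataSizeKilobytes')
    foreach ($name in $required) {
        if (-not $Policy.ContainsKey($name)) { $problems += "missing parameter: $name" }
    }
    # GCMAES for IPsec encryption requires the same GCMAES algorithm and key length for IPsec integrity.
    if ($Policy.IpsecEncryption -like 'GCMAES*' -and $Policy.IpsecIntegrity -ne $Policy.IpsecEncryption) {
        $problems += "IpsecIntegrity must be $($Policy.IpsecEncryption) to match IpsecEncryption"
    }
    # DES and None are accepted by the gateway but give little or no confidentiality; flag them.
    if ($Policy.IpsecEncryption -in @('DES', 'None')) {
        $problems += "weak IpsecEncryption: $($Policy.IpsecEncryption)"
    }
    return $problems
}

function Get-PolicyBasedTrafficSelector {
    param([string[]]$OnPremisesPrefix, [string[]]$VNetPrefix)
    # One selector per on-premises/VNet prefix pair (each pair is used in both directions),
    # which the on-premises device must define instead of a single any-to-any selector.
    foreach ($onPrem in $OnPremisesPrefix) {
        foreach ($vnet in $VNetPrefix) {
            [pscustomobject]@{ OnPremises = $onPrem; VirtualNetwork = $vnet }
        }
    }
}

# Constructed candidate: GCMAES256 encryption with SHA256 integrity violates the pairing rule.
$candidate = @{
    IkeEncryption = 'AES256'; IkeIntegrity = 'SHA384'; DhGroup = 'DHGroup24'
    IpsecEncryption = 'GCMAES256'; IpsecIntegrity = 'SHA256'; PfsGroup = 'PFS24'
    SALifeTimeSeconds = 14400; SADataSizeKilobytes = 102400000
}
Test-IpsecIkePolicySpec -Policy $candidate

# The prefixes from item 5 above: yields the four on-premises <-> VNet pairs.
Get-PolicyBasedTrafficSelector -OnPremisesPrefix '10.1.0.0/16', '10.2.0.0/16' `
                               -VNetPrefix '192.168.0.0/16', '172.16.0.0/16' | Format-Table
```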
The following table lists the corresponding Diffie-Hellman Groups supported by the custom
policy:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell#a-name-crosspremapart-3---create-a-new-s2s-v… 4/12
27/1/2018 Configure IPsec/IKE policy for S2S VPN or VNet-to-VNet connections: Azure Resource Manager: PowerShell | Microsoft Docs
See Create a S2S VPN connection for more detailed step-by-step instructions for creating an
S2S VPN connection.
Verify that you have an Azure subscription. If you don't already have an Azure
subscription, you can activate your MSDN subscriber benefits or sign up for a free
account.
Install the Azure Resource Manager PowerShell cmdlets. See Overview of Azure
PowerShell for more information about installing the PowerShell cmdlets.
Step 1 - Create the virtual network, VPN gateway, and local network gateway
For this exercise, we start by declaring our variables. Be sure to replace the values with your
own when configuring for production.
PowerShell
$Sub1 = "<YourSubscriptionName>"
$RG1 = "TestPolicyRG1"
$Location1 = "East US 2"
$VNetName1 = "TestVNet1"
$FESubName1 = "FrontEnd"
$BESubName1 = "Backend"
$GWSubName1 = "GatewaySubnet"
$VNetPrefix11 = "10.11.0.0/16"
$VNetPrefix12 = "10.12.0.0/16"
$FESubPrefix1 = "10.11.0.0/24"
$BESubPrefix1 = "10.12.0.0/24"
$GWSubPrefix1 = "10.12.255.0/27"
$DNS1 = "8.8.8.8"
$GWName1 = "VNet1GW"
$GW1IPName1 = "VNet1GWIP1"
$GW1IPconf1 = "gw1ipconf1"
$Connection16 = "VNet1toSite6"
$LNGName6 = "Site6"
$LNGPrefix61 = "10.61.0.0/16"
$LNGPrefix62 = "10.62.0.0/16"
$LNGIP6 = "131.107.72.22"
Make sure you switch to PowerShell mode to use the Resource Manager cmdlets. For more
information, see Using Windows PowerShell with Resource Manager.
Open your PowerShell console and connect to your account. Use the following sample to
help you connect:
PowerShell
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName $Sub1
New-AzureRmResourceGroup -Name $RG1 -Location $Location1
3. Create the virtual network, VPN gateway, and local network gateway
The following sample creates the virtual network, TestVNet1, with three subnets, and the VPN
gateway. When substituting values, it's important that you always name your gateway subnet
specifically GatewaySubnet. If you name it something else, your gateway creation fails.
PowerShell
The following sample script creates an IPsec/IKE policy with the following algorithms and
parameters:
PowerShell
If you use GCMAES for IPsec, you must use the same GCMAES algorithm and key length for
both IPsec encryption and integrity. For the example above, the corresponding parameters would
be "-IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256" when using GCMAES256.
Create an S2S VPN connection and apply the IPsec/IKE policy created earlier.
PowerShell
Important
Once an IPsec/IKE policy is specified on a connection, the Azure VPN gateway only sends or
accepts IPsec/IKE proposals with the specified cryptographic algorithms and key strengths on
that particular connection. Make sure your on-premises VPN device for the connection uses or
accepts the exact policy combination; otherwise, the S2S VPN tunnel will not establish.
See Create a VNet-to-VNet connection for more detailed steps for creating a VNet-to-VNet
connection. You must complete Part 3 to create and configure TestVNet1 and the VPN
Gateway.
Be sure to replace the values with the ones that you want to use for your configuration.
PowerShell
$RG2 = "TestPolicyRG2"
$Location2 = "East US 2"
$VNetName2 = "TestVNet2"
$FESubName2 = "FrontEnd"
$BESubName2 = "Backend"
$GWSubName2 = "GatewaySubnet"
$VNetPrefix21 = "10.21.0.0/16"
$VNetPrefix22 = "10.22.0.0/16"
$FESubPrefix2 = "10.21.0.0/24"
$BESubPrefix2 = "10.22.0.0/24"
$GWSubPrefix2 = "10.22.255.0/27"
$DNS2 = "8.8.8.8"
$GWName2 = "VNet2GW"
$GW2IPName1 = "VNet2GWIP1"
$GW2IPconf1 = "gw2ipconf1"
$Connection21 = "VNet2toVNet1"
$Connection12 = "VNet1toVNet2"
2. Create the second virtual network and VPN gateway in the new resource group
PowerShell
Similar to the S2S VPN connection, create an IPsec/IKE policy and then apply the policy to the new
connection.
The following sample script creates a different IPsec/IKE policy with the following algorithms
and parameters:
PowerShell
Create a VNet-to-VNet connection and apply the IPsec/IKE policy you created. In this
example, both gateways are in the same subscription, so it is possible to create and configure
both connections with the same IPsec/IKE policy in the same PowerShell session.
PowerShell
Important
Once an IPsec/IKE policy is specified on a connection, the Azure VPN gateway only sends or
accepts IPsec/IKE proposals with the specified cryptographic algorithms and key strengths on
that particular connection. Make sure the IPsec policies for both connections are the same;
otherwise, the VNet-to-VNet connection will not establish.
After completing these steps, the connection is established in a few minutes, and you will
have the network topology shown at the beginning:
Important
The following example shows how to get the IPsec/IKE policy configured on a connection.
The scripts also continue from the exercises above.
PowerShell
$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
$connection6.IpsecPolicies
The last command lists the current IPsec/IKE policy configured on the connection, if there is any.
PowerShell
SALifeTimeSeconds : 14400
SADataSizeKilobytes : 102400000
IpsecEncryption : AES256
IpsecIntegrity : SHA256
IkeEncryption : AES256
IkeIntegrity : SHA384
DhGroup : DHGroup24
PfsGroup : PFS24
The steps to add a new policy or update an existing policy on a connection are the same:
create a new policy then apply the new policy to the connection.
PowerShell
$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
PowerShell
You can get the connection again to check if the policy is updated.
PowerShell
You should see the output from the last line, as shown in the following example:
PowerShell
SALifeTimeSeconds : 14400
SADataSizeKilobytes : 102400000
IpsecEncryption : AES256
IpsecIntegrity : SHA256
IkeEncryption : AES128
IkeIntegrity : SHA1
DhGroup : DHGroup14
PfsGroup : None
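An added example (not the page's own script) that carries the update and verification steps of Part 5 through end to end: it builds the policy whose values appear in the first output above with New-AzureRmIpsecPolicy, applies it to the existing connection, then reads the connection back and reports any field that differs from what was intended. It assumes the AzureRM cmdlets and the $RG1 and $Connection16 variables from the exercises above; Compare-IpsecPolicy is a helper name chosen here.

```powershell
# Added example, not the page's own script; assumes the AzureRM cmdlets and the variables from the exercises above.
$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"

# Intended policy: the values listed in the first Get-AzureRmVirtualNetworkGatewayConnection output above.
$intended = @{
    IkeEncryption = 'AES256'; IkeIntegrity = 'SHA384'; DhGroup = 'DHGroup24'
    IpsecEncryption = 'AES256'; IpsecIntegrity = 'SHA256'; PfsGroup = 'PFS24'
    SALifeTimeSeconds = 14400; SADataSizeKilobytes = 102400000
}
# The keys are exactly the New-AzureRmIpsecPolicy parameter names, so the hashtable can be splatted.
$newpolicy6 = New-AzureRmIpsecPolicy @intended

# Apply the policy to the existing connection (same cmdlets the page uses for Part 5).
$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
Set-AzureRmVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection6 -IpsecPolicies $newpolicy6

# Compare-IpsecPolicy is a helper defined here: lists every field where the gateway disagrees with the intent.
function Compare-IpsecPolicy {
    param([hashtable]$Intended, $Applied)    # $Applied: one entry of .IpsecPolicies, or $null if none
    foreach ($name in $Intended.Keys) {
        if ("$($Applied.$name)" -ne "$($Intended[$name])") {
            [pscustomobject]@{ Parameter = $name; Intended = $Intended[$name]; Applied = $Applied.$name }
        }
    }
}

# Read the connection back rather than trusting the Set call: an absent or different policy is reported.
$applied = (Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1).IpsecPolicies
$drift = Compare-IpsecPolicy -Intended $intended -Applied ($applied | Select-Object -First 1)
if ($drift) {
    $drift | Format-Table
    throw "IPsec/IKE policy on $Connection16 does not match the intended policy"
}
"IPsec/IKE policy on $Connection16 matches the intended policy"
```

Because the gateway answers only proposals that match the configured policy exactly, the comparison above is also the quickest way to explain a tunnel that stops establishing after an update.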
Once you remove the custom policy from a connection, the Azure VPN gateway reverts to
the default list of IPsec/IKE proposals and renegotiates with your on-premises VPN
device.
PowerShell