Configure custom IPsec/IKE connection policies for S2S VPN & VNet-to-VNet: Azure portal

Archived 2024-11-13. Article dated 04/04/2024.


This article walks you through the steps to configure an IPsec/IKE policy for VPN Gateway Site-to-Site VPN or VNet-to-VNet connections using the Azure portal. The following sections help you create and configure an IPsec/IKE policy, and apply the policy to a new or existing connection.

Workflow

The instructions in this article help you set up and configure IPsec/IKE policies through the following workflow:

  1. Create a virtual network and a VPN gateway.
  2. Create a local network gateway for a cross-premises connection, or another virtual network and gateway for a VNet-to-VNet connection.
  3. Create a connection (IPsec or VNet2VNet).
  4. Configure, update, or remove the IPsec/IKE policy on the connection resources.

Policy parameters

The IPsec and IKE protocol standards support a wide range of cryptographic algorithms in various combinations. Refer to About cryptographic requirements and Azure VPN gateways to see how this can help ensure that cross-premises and VNet-to-VNet connectivity satisfies your compliance or security requirements. Be aware of the following considerations:

  • IPsec/IKE policy only works on the following gateway SKUs:
    • VpnGw1~5, VpnGw1AZ~5AZ
    • Standard and HighPerformance
  • You can specify only one policy combination for a given connection.
  • You must specify all algorithms and parameters for both IKE (Main Mode) and IPsec (Quick Mode). Partial policy specification isn't allowed.
  • Consult your VPN device vendor specifications to ensure the policy is supported on your on-premises VPN devices. S2S or VNet-to-VNet connections can't establish if the policies are incompatible.

Cryptographic algorithms & key strengths

The following table lists the supported configurable cryptographic algorithms and key strengths.

IPsec/IKEv2 options

IKEv2 encryption        GCMAES256, GCMAES128, AES256, AES192, AES128
IKEv2 integrity         SHA384, SHA256, SHA1, MD5
DH group                DHGroup24, ECP384, ECP256, DHGroup14, DHGroup2048, DHGroup2, DHGroup1, None
IPsec encryption        GCMAES256, GCMAES192, GCMAES128, AES256, AES192, AES128, DES3, DES, None
IPsec integrity         GCMAES256, GCMAES192, GCMAES128, SHA256, SHA1, MD5
PFS group               PFS24, ECP384, ECP256, PFS2048, PFS2, PFS1, None
Quick Mode SA lifetime  (Optional; default values apply if not specified)
                        Seconds (integer; minimum 300, default 27,000)
                        Kilobytes (integer; minimum 1,024, default 102,400,000)
Traffic selector        UsePolicyBasedTrafficSelectors ($True or $False; optional, default $False if not specified)
DPD timeout             Seconds (integer; minimum 9, maximum 3,600, default 45)
  • Your on-premises VPN device configuration must match or contain the following algorithms and parameters that you specify on the Azure IPsec/IKE policy:

    • IKE encryption algorithm (Main Mode, Phase 1)
    • IKE integrity algorithm (Main Mode, Phase 1)
    • DH group (Main Mode, Phase 1)
    • IPsec encryption algorithm (Quick Mode, Phase 2)
    • IPsec integrity algorithm (Quick Mode, Phase 2)
    • PFS group (Quick Mode, Phase 2)
    • Traffic selector (if you use UsePolicyBasedTrafficSelectors)
    • SA lifetimes (local specifications that don't need to match)
  • If you use GCMAES for the IPsec encryption algorithm, you must select the same GCMAES algorithm and key length for IPsec integrity. For example, use GCMAES128 for both.

  • In the table of algorithms and keys:

    • IKE corresponds to Main Mode or Phase 1.
    • IPsec corresponds to Quick Mode or Phase 2.
    • DH group specifies the Diffie-Hellman group used in Main Mode or Phase 1.
    • PFS group specifies the Diffie-Hellman group used in Quick Mode or Phase 2.
  • IKE Main Mode SA lifetime is fixed at 28,800 seconds on the Azure VPN gateways.

  • UsePolicyBasedTrafficSelectors is an optional parameter on the connection. If you set UsePolicyBasedTrafficSelectors to $True on a connection, it configures the VPN gateway to connect to an on-premises policy-based VPN firewall.

    If you enable UsePolicyBasedTrafficSelectors, ensure that your VPN device has the matching traffic selectors defined with all combinations of your on-premises network (local network gateway) prefixes to or from the Azure virtual network prefixes, instead of any-to-any. The VPN gateway accepts whatever traffic selector the remote VPN gateway proposes, irrespective of what's configured on the VPN gateway.

    For example, if your on-premises network prefixes are 10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to specify the following traffic selectors:

    • 10.1.0.0/16 <====> 192.168.0.0/16
    • 10.1.0.0/16 <====> 172.16.0.0/16
    • 10.2.0.0/16 <====> 192.168.0.0/16
    • 10.2.0.0/16 <====> 172.16.0.0/16

    For more information about policy-based traffic selectors, see Connect a VPN gateway to multiple on-premises policy-based VPN devices.

  • Setting the DPD timeout to shorter periods causes IKE to rekey more aggressively. The connection can then appear to be disconnected in some instances. This situation might not be desirable if your on-premises locations are farther away from the Azure region where the VPN gateway resides, or if the physical link condition could incur packet loss. We generally recommend that you set the timeout to between 30 and 45 seconds.

Note

IKEv2 Integrity is used for both Integrity and PRF(pseudo-random function). 
If the IKEv2 encryption algorithm specified is GCM*, the value passed in IKEv2 Integrity is used for the PRF only, and IKEv2 Integrity is implicitly set to the same GCM* algorithm. In all other cases, the value passed in IKEv2 Integrity is used for both IKEv2 integrity and PRF.
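The rules in the Policy parameters section (supported values, no partial policies, matching GCMAES encryption and integrity, SA lifetime and DPD bounds, what the peer must match, and the traffic selectors a policy-based device needs) are easy to get wrong in the portal, and a mismatch only shows up as a tunnel that never establishes. The following added example is an offline pre-flight checker; it is not part of the original article and not Azure tooling. The algorithm names are the ones from the table above; the dictionary keys, the LEGACY set (an editor's recommendation, not an Azure restriction), and the two sample policies (taken from the examples later in this article) are this example's own assumptions.

```python
"""Pre-flight checks for an Azure VPN Gateway custom IPsec/IKE policy.

Added example, not from the original article and not Azure tooling. It encodes
the rules stated in the Policy parameters section so a proposed policy can be
checked before it is applied in the portal, and it enumerates the traffic
selectors an on-premises policy-based device needs when
UsePolicyBasedTrafficSelectors is enabled.
"""
from itertools import product

# Supported values, copied from the algorithms table in the article.
IKE_ENCRYPTION = {"GCMAES256", "GCMAES128", "AES256", "AES192", "AES128"}
IKE_INTEGRITY = {"SHA384", "SHA256", "SHA1", "MD5"}
DH_GROUPS = {"DHGroup24", "ECP384", "ECP256", "DHGroup14", "DHGroup2048",
             "DHGroup2", "DHGroup1", "None"}
IPSEC_ENCRYPTION = {"GCMAES256", "GCMAES192", "GCMAES128", "AES256", "AES192",
                    "AES128", "DES3", "DES", "None"}
IPSEC_INTEGRITY = {"GCMAES256", "GCMAES192", "GCMAES128", "SHA256", "SHA1", "MD5"}
PFS_GROUPS = {"PFS24", "ECP384", "ECP256", "PFS2048", "PFS2", "PFS1", "None"}

# Editor's recommendation only (Azure still accepts these): flag legacy choices.
LEGACY = {"MD5", "SHA1", "DES", "DES3", "DHGroup1", "DHGroup2", "PFS1", "PFS2"}

# Dictionary keys are this example's own naming, not Azure parameter names.
ALLOWED = {"ike_encryption": IKE_ENCRYPTION, "ike_integrity": IKE_INTEGRITY,
           "dh_group": DH_GROUPS, "ipsec_encryption": IPSEC_ENCRYPTION,
           "ipsec_integrity": IPSEC_INTEGRITY, "pfs_group": PFS_GROUPS}

# What the on-premises device (or the peer VNet-to-VNet connection) must match.
MUST_MATCH = tuple(ALLOWED) + ("use_policy_based_traffic_selectors",)


def validate_policy(policy):
    """Return (errors, warnings). An error means the portal rejects the policy or
    the tunnel cannot establish; warnings are this example's advice."""
    errors, warnings = [], []
    missing = [k for k in ALLOWED if k not in policy]
    if missing:  # partial policy specification is not allowed
        return [f"partial policy not allowed, missing {missing}"], warnings
    for key, allowed in ALLOWED.items():
        if policy[key] not in allowed:
            errors.append(f"{key}={policy[key]} is not a supported value")
    enc, integ = policy["ipsec_encryption"], policy["ipsec_integrity"]
    if (enc.startswith("GCMAES") or integ.startswith("GCMAES")) and enc != integ:
        errors.append("GCMAES needs the same algorithm and key length for "
                      f"IPsec encryption and integrity (got {enc}/{integ})")
    # Quick Mode SA lifetime and DPD bounds; table defaults apply when omitted.
    seconds = policy.get("sa_lifetime_seconds", 27000)
    kilobytes = policy.get("sa_data_size_kb", 102400000)
    dpd = policy.get("dpd_timeout_seconds", 45)
    if seconds < 300:
        errors.append(f"sa_lifetime_seconds={seconds} below minimum 300")
    if kilobytes < 1024:
        errors.append(f"sa_data_size_kb={kilobytes} below minimum 1024")
    if not 9 <= dpd <= 3600:
        errors.append(f"dpd_timeout_seconds={dpd} outside 9..3600")
    elif dpd < 30:
        warnings.append(f"dpd_timeout_seconds={dpd} rekeys aggressively; "
                        "lossy or long-haul links may appear disconnected")
    for key in ALLOWED:
        if policy[key] in LEGACY:
            warnings.append(f"{key}={policy[key]} is a legacy algorithm")
    if policy["ike_encryption"].startswith("GCMAES"):
        warnings.append(f"IKEv2 encryption is GCM, so ike_integrity="
                        f"{policy['ike_integrity']} is used for the PRF only")
    return errors, warnings


def policies_match(a, b):
    """True when both sides agree on everything that has to match.
    SA lifetimes and DPD timeout are local settings and are ignored."""
    return all(a.get(k, False) == b.get(k, False) for k in MUST_MATCH)


def policy_based_traffic_selectors(onprem_prefixes, vnet_prefixes):
    """Every on-premises <-> VNet prefix pair a policy-based device must define
    when UsePolicyBasedTrafficSelectors is enabled (no any-to-any)."""
    return sorted(product(onprem_prefixes, vnet_prefixes))


# The article's two example policies (VNet1toSite6 and VNet1toVNet2).
S2S_POLICY = {
    "ike_encryption": "AES256", "ike_integrity": "SHA384", "dh_group": "DHGroup24",
    "ipsec_encryption": "AES256", "ipsec_integrity": "SHA256", "pfs_group": "None",
    "sa_data_size_kb": 102400000, "sa_lifetime_seconds": 30000, "dpd_timeout_seconds": 45,
}
VNET_POLICY = {
    "ike_encryption": "AES128", "ike_integrity": "SHA1", "dh_group": "DHGroup14",
    "ipsec_encryption": "GCMAES128", "ipsec_integrity": "GCMAES128", "pfs_group": "PFS2048",
    "sa_data_size_kb": 102400000, "sa_lifetime_seconds": 14400, "dpd_timeout_seconds": 45,
}

if __name__ == "__main__":
    for name, pol in (("VNet1toSite6", S2S_POLICY), ("VNet1toVNet2", VNET_POLICY)):
        errs, warns = validate_policy(pol)
        print(name, "OK" if not errs else errs, warns)
    for src, dst in policy_based_traffic_selectors(
            ["10.1.0.0/16", "10.2.0.0/16"], ["192.168.0.0/16", "172.16.0.0/16"]):
        print(f"{src} <====> {dst}")
```

Run it against a policy before you click Save: the S2S example passes cleanly, the VNet-to-VNet example passes with a warning about SHA1, and changing its IPsec integrity to SHA256 while keeping GCMAES128 encryption is reported as an error, which is exactly the combination the portal will not accept. `policies_match` applies the matching rule from this section: algorithms and the traffic selector flag must agree, lifetimes may differ.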

Diffie-Hellman groups

The following table lists the corresponding Diffie-Hellman groups supported by the custom policy:

Diffie-Hellman group   DHGroup                  PFSGroup   Key length
1                      DHGroup1                 PFS1       768-bit MODP
2                      DHGroup2                 PFS2       1024-bit MODP
14                     DHGroup14, DHGroup2048   PFS2048    2048-bit MODP
19                     ECP256                   ECP256     256-bit ECP
20                     ECP384                   ECP384     384-bit ECP
24                     DHGroup24                PFS24      2048-bit MODP

For more information, see RFC3526 and RFC5114.

Create S2S VPN connection with custom policy

This section walks you through the steps to create a Site-to-Site VPN connection with an IPsec/IKE policy. The following steps create the connection between TestVNet1 and an on-premises site, represented by the local network gateway Site6.

Step 1: Create the virtual network, VPN gateway, and local network gateway for TestVNet1

Create the following resources. For steps, see Create a Site-to-Site VPN connection.

  1. Create the virtual network TestVNet1 using the following values.

    • Resource group: TestRG1
    • Name: TestVNet1
    • Region: (US) East US
    • IPv4 address space: 10.1.0.0/16
    • Subnet 1 name: FrontEnd
    • Subnet 1 address range: 10.1.0.0/24
    • Subnet 2 name: BackEnd
    • Subnet 2 address range: 10.1.1.0/24
  2. Create the virtual network gateway VNet1GW using the following values.

    • Name: VNet1GW
    • Region: East US
    • Gateway type: VPN
    • VPN type: Route-based
    • SKU: VpnGw2
    • Generation: Generation 2
    • Virtual network: TestVNet1
    • Gateway subnet address range: 10.1.255.0/27
    • Public IP address type: Basic or Standard
    • Public IP address: Create new
    • Public IP address name: VNet1GWpip
    • Enable active-active mode: Disabled
    • Configure BGP: Disabled

Step 2: Configure the local network gateway and connection resources

  1. Create the local network gateway resource Site6 using the following values.

    • Name: Site6
    • Resource group: TestRG1
    • Location: East US
    • Local gateway IP address: 5.4.3.2 (example value only; use the IP address of your on-premises device)
    • Address spaces: 10.61.0.0/16, 10.62.0.0/16 (example values only)
  2. From the virtual network gateway, add a connection to the local network gateway using the following values.

    • Connection name: VNet1toSite6
    • Connection type: IPsec
    • Local network gateway: Site6
    • Shared key: abc123 (example value only; it must match the key configured on the on-premises device)
    • IKE protocol: IKEv2

Step 3: Configure a custom IPsec/IKE policy on the S2S VPN connection

Configure a custom IPsec/IKE policy with the following algorithms and parameters:

  • IKE Phase 1: AES256, SHA384, DHGroup24
  • IKE Phase 2 (IPsec): AES256, SHA256, PFS None
  • IPsec SA lifetime in KB: 102400000
  • IPsec SA lifetime in seconds: 30000
  • DPD timeout: 45 seconds
  1. Go to the connection resource you created, VNet1toSite6. Open the Configuration page. Select Custom IPsec/IKE policy to show all configuration options, and enter the values from the list above.

    If you use GCMAES for IPsec, you must use the same GCMAES algorithm and key length for both IPsec encryption and integrity. For example, specify GCMAES128 for both IPsec encryption and IPsec integrity.

  2. If you want to enable the Azure VPN gateway to connect to policy-based on-premises VPN devices, select Enable for the Use policy based traffic selectors option.

  3. Once all the options are selected, select Save to commit the changes to the connection resource. The policy is enforced in about a minute.

    Important

    • Once an IPsec/IKE policy is specified on a connection, the Azure VPN gateway will only send or accept the IPsec/IKE proposal with specified cryptographic algorithms and key strengths on that particular connection. Make sure your on-premises VPN device for the connection uses or accepts the exact policy combination, otherwise the S2S VPN tunnel will not establish.

    • Policy-based traffic selector and DPD timeout options can be specified with Default policy, without the custom IPsec/IKE policy.

Create VNet-to-VNet connection with custom policy

The steps to create a VNet-to-VNet connection with an IPsec/IKE policy are similar to those for an S2S VPN connection. You must complete the previous sections in Create an S2S VPN connection to create and configure TestVNet1 and the VPN gateway.

Step 1: Create the virtual network and VPN gateway for TestVNet2

Use the steps in the Create a VNet-to-VNet connection article to create TestVNet2, and create a VNet-to-VNet connection to TestVNet1.

Example values:

Virtual network TestVNet2

  • Resource group: TestRG2
  • Name: TestVNet2
  • Region: (US) West US
  • IPv4 address space: 10.2.0.0/16
  • Subnet 1 name: FrontEnd
  • Subnet 1 address range: 10.2.0.0/24
  • Subnet 2 name: BackEnd
  • Subnet 2 address range: 10.2.1.0/24

VPN gateway: VNet2GW

  • Name: VNet2GW
  • Region: West US
  • Gateway type: VPN
  • VPN type: Route-based
  • SKU: VpnGw2
  • Generation: Generation 2
  • Virtual network: TestVNet2
  • Gateway subnet address range: 10.2.255.0/27
  • Public IP address type: Basic or Standard
  • Public IP address: Create new
  • Public IP address name: VNet2GWpip
  • Enable active-active mode: Disabled
  • Configure BGP: Disabled

Step 2: Configure the VNet-to-VNet connection

  1. From the VNet1GW gateway, add a VNet-to-VNet connection to VNet2GW named VNet1toVNet2.

  2. Next, from the VNet2GW gateway, add a VNet-to-VNet connection to VNet1GW named VNet2toVNet1.

  3. After you add the connections, both VNet-to-VNet connections are listed on the Connections page of the VNet2GW resource.

Step 3: Configure a custom IPsec/IKE policy on VNet1toVNet2

  1. From the VNet1toVNet2 connection resource, go to the Configuration page.

  2. For IPsec/IKE policy, select Custom to show the custom policy options. Select the cryptographic algorithms with the corresponding key lengths. This policy doesn't need to match the previous policy you created for the VNet1toSite6 connection.

    Example values:

    • IKE Phase 1: AES128, SHA1, DHGroup14
    • IKE Phase 2 (IPsec): GCMAES128, GCMAES128, PFS2048
    • IPsec SA lifetime in KB: 102400000
    • IPsec SA lifetime in seconds: 14400
    • DPD timeout: 45 seconds
  3. Select Save at the top of the page to apply the policy changes to the connection resource.

Step 4: Configure a custom IPsec/IKE policy on VNet2toVNet1

  1. Apply the same policy to the VNet2toVNet1 connection. If you don't, the IPsec/IKE VPN tunnel won't connect due to a policy mismatch.

    Important

    Once an IPsec/IKE policy is specified on a connection, the Azure VPN gateway will only send or accept the IPsec/IKE proposal with the specified cryptographic algorithms and key strengths on that particular connection. Make sure the IPsec policies for both connections are the same, otherwise the VNet-to-VNet connection will not establish.

  2. After you complete these steps, the connection is established within a few minutes.

To remove custom policy from a connection

  1. To remove a custom policy from a connection, go to the connection resource.
  2. On the Configuration page, change the IPsec/IKE policy from Custom to Default. This removes all custom policy previously specified on the connection, and restores the default IPsec/IKE settings on this connection.
  3. Select Save to remove the custom policy and restore the default IPsec/IKE settings on the connection.

IPsec/IKE policy FAQ

To view frequently asked questions, go to the IPsec/IKE policy section of the VPN Gateway FAQ.

Next steps

For more information about policy-based traffic selectors, see Connect a VPN gateway to multiple on-premises policy-based VPN devices.