- Article
- 08/30/2022
- 8 minutes to read
A VPN device is required to configure a Site-to-Site (S2S) cross-premises VPN connection using a VPN gateway. Site-to-Site connections can be used to create a hybrid solution, or whenever you want secure connections between your on-premises networks and your virtual networks. This article provides a list of validated VPN devices and a list of IPsec/IKE parameters for VPN gateways.
Important
If you are experiencing connectivity issues between your on-premises VPN devices and VPN gateways, refer to Known device compatibility issues.
Items to note when viewing the tables:
- There has been a terminology change for Azure VPN gateways. Only the names have changed. There is no functionality change.
- Static Routing = PolicyBased
- Dynamic Routing = RouteBased
- Specifications for HighPerformance VPN gateway and RouteBased VPN gateway are the same, unless otherwise noted. For example, the validated VPN devices that are compatible with RouteBased VPN gateways are also compatible with the HighPerformance VPN gateway.
Validated VPN devices and device configuration guides
In partnership with device vendors, we have validated a set of standard VPN devices. All of the devices in the device families in the following list should work with VPN gateways. See About VPN Gateway Settings to understand which VPN type (PolicyBased or RouteBased) to use for the VPN Gateway solution you want to configure.
To help configure your VPN device, refer to the links that correspond to the appropriate device family. The links to configuration instructions are provided on a best-effort basis. For VPN device support, contact your device manufacturer.
Note
(*) Cisco ASA versions 8.4+ add IKEv2 support and can connect to an Azure VPN gateway using a custom IPsec/IKE policy with the “UsePolicyBasedTrafficSelectors” option. Refer to this how-to article.
(**) ISR 7200 Series routers only support PolicyBased VPNs.
Download VPN device configuration scripts from Azure
For certain devices, you can download configuration scripts directly from Azure. For more information and download instructions, see Download VPN device configuration scripts.
Devices with available configuration scripts
Vendor | Device family | Firmware version |
---|---|---|
Cisco | ISR | IOS 15.1 (Preview) |
Cisco | ASA | ASA (*) RouteBased (IKEv2 – No BGP) for ASA below 9.8 |
Cisco | ASA | ASA RouteBased (IKEv2 – No BGP) for ASA 9.8+ |
Juniper | SRX_GA | 12.x |
Juniper | SSG_GA | ScreenOS 6.2.x |
Juniper | JSeries_GA | JunOS 12.x |
Juniper | SRX | JunOS 12.x RouteBased BGP |
Ubiquiti | EdgeRouter | EdgeOS v1.10x RouteBased VTI |
Ubiquiti | EdgeRouter | EdgeOS v1.10x RouteBased BGP |
Note
( * ) Required: NarrowAzureTrafficSelectors (enable UsePolicyBasedTrafficSelectors option) and CustomAzurePolicies (IKE/IPsec)
Non-validated VPN devices
If you don’t see your device listed in the Validated VPN devices table, your device still may work with a Site-to-Site connection. Contact your device manufacturer for additional support and configuration instructions.
Editing device configuration samples
After you download the provided VPN device configuration sample, you’ll need to replace some of the values to reflect the settings for your environment.
To edit a sample:
- Open the sample using Notepad.
- Search and replace all placeholder strings with the values that pertain to your environment. Be sure to include the < and > characters in the search. When a name is specified, the name you select should be unique. If a command doesn’t work, consult your device manufacturer documentation.
Sample text | Change to |
---|---|
 | Your chosen name for this object. Example: myOnPremisesNetwork |
 | Your chosen name for this object. Example: myAzureNetwork |
 | Your chosen name for this object. Example: myAzureAccessList |
 | Your chosen name for this object. Example: myIPSecTransformSet |
 | Your chosen name for this object. Example: myIPSecCryptoMap |
 | Specify range. Example: 192.168.0.0 |
 | Specify subnet mask. Example: 255.255.0.0 |
 | Specify on-premises range. Example: 10.2.1.0 |
 | Specify on-premises subnet mask. Example: 255.255.255.0 |
 | This information is specific to your virtual network and is located in the Management Portal as Gateway IP address. |
 | This information is specific to your virtual network and is located in the Management Portal as Manage Key. |
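As an added example of the search-and-replace step above (this is not part of the article or of the downloadable Azure scripts), the following Python snippet fills a constructed Cisco-IOS-style sample, checks that the chosen object names are unique and that the ranges, masks and gateway address parse, and refuses to emit a file that still contains a placeholder. The placeholder names such as <ON_PREM_RANGE> and the sample lines are made up for this example; a real sample uses its own placeholders, which you take from the downloaded file.

```python
"""Fill in a downloaded VPN device configuration sample and validate the values.

Added example, not part of the article or Azure's configuration scripts.
All placeholder names and the SAMPLE text below are constructed for illustration.
"""
import ipaddress
import re

# A placeholder is the whole "<NAME>" token, brackets included, as the article says.
PLACEHOLDER = re.compile(r"<[A-Za-z0-9_]+>")

# Constructed stand-in for a downloaded sample (Cisco-IOS-like syntax, hypothetical).
SAMPLE = """\
crypto ipsec transform-set <TRANSFORM_SET_NAME> esp-aes 256 esp-sha256-hmac
ip access-list extended <ACCESS_LIST_NAME>
 permit ip <ON_PREM_RANGE> <ON_PREM_MASK> <AZURE_RANGE> <AZURE_MASK>
crypto map <CRYPTO_MAP_NAME> 10 ipsec-isakmp
 set peer <AZURE_GATEWAY_IP>
 set transform-set <TRANSFORM_SET_NAME>
"""

# Which placeholders are (range, mask) pairs and which are object names.
NETWORK_FIELDS = (("<ON_PREM_RANGE>", "<ON_PREM_MASK>"),
                  ("<AZURE_RANGE>", "<AZURE_MASK>"))
NAME_FIELDS = ("<TRANSFORM_SET_NAME>", "<ACCESS_LIST_NAME>", "<CRYPTO_MAP_NAME>")


def validate(values):
    """Return a list of problems found in the replacement values (empty = OK).

    Checks: object names unique (the article requires this), each range/mask
    pair is a proper network (no host bits set), gateway address is a valid IPv4.
    """
    problems = []
    names = [values[k] for k in NAME_FIELDS if k in values]
    if len(names) != len(set(names)):
        problems.append("object names must be unique")
    for range_key, mask_key in NETWORK_FIELDS:
        try:
            # strict=True rejects e.g. 10.2.1.5/255.255.255.0 (host bits set).
            ipaddress.IPv4Network((values[range_key], values[mask_key]), strict=True)
        except (KeyError, ValueError) as exc:
            problems.append(f"{range_key}/{mask_key}: {exc}")
    try:
        ipaddress.IPv4Address(values["<AZURE_GATEWAY_IP>"])
    except (KeyError, ValueError) as exc:
        problems.append(f"<AZURE_GATEWAY_IP>: {exc}")
    return problems


def render(sample, values):
    """Substitute every placeholder in `sample`; raise if any would be left unfilled."""
    missing = sorted(set(PLACEHOLDER.findall(sample)) - set(values))
    if missing:
        raise ValueError(f"no value for {', '.join(missing)}")
    return PLACEHOLDER.sub(lambda m: values[m.group(0)], sample)


if __name__ == "__main__":
    # Constructed values mirroring the examples in the table above.
    demo = {
        "<TRANSFORM_SET_NAME>": "myIPSecTransformSet",
        "<ACCESS_LIST_NAME>": "myAzureAccessList",
        "<CRYPTO_MAP_NAME>": "myIPSecCryptoMap",
        "<ON_PREM_RANGE>": "10.2.1.0", "<ON_PREM_MASK>": "255.255.255.0",
        "<AZURE_RANGE>": "192.168.0.0", "<AZURE_MASK>": "255.255.0.0",
        "<AZURE_GATEWAY_IP>": "203.0.113.10",  # documentation address, placeholder
    }
    print(validate(demo) or "values OK")
    print(render(SAMPLE, demo))
```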
Default IPsec/IKE parameters
The tables below contain the combinations of algorithms and parameters Azure VPN gateways use in default configuration (Default policies). For route-based VPN gateways created using the Azure Resource Management deployment model, you can specify a custom policy on each individual connection. Refer to Configure IPsec/IKE policy for detailed instructions.
Additionally, you must clamp TCP MSS at 1350. If your VPN devices don’t support MSS clamping, you can instead set the MTU on the tunnel interface to 1400 bytes.
In the following tables:
- SA = Security Association
- IKE Phase 1 is also called “Main Mode”
- IKE Phase 2 is also called “Quick Mode”
IKE Phase 1 (Main Mode) parameters
Property | PolicyBased | RouteBased |
---|---|---|
IKE Version | IKEv1 | IKEv1 and IKEv2 |
Diffie-Hellman Group | Group 2 (1024 bit) | Group 2 (1024 bit) |
Authentication Method | Pre-Shared Key | Pre-Shared Key |
Encryption & Hashing Algorithms | 1. AES256, SHA256; 2. AES256, SHA1; 3. AES128, SHA1; 4. 3DES, SHA1 | 1. AES256, SHA1; 2. AES256, SHA256; 3. AES128, SHA1; 4. AES128, SHA256; 5. 3DES, SHA1; 6. 3DES, SHA256 |
SA Lifetime | 28,800 seconds | 28,800 seconds |
IKE Phase 2 (Quick Mode) parameters
Property | PolicyBased | RouteBased |
---|---|---|
IKE Version | IKEv1 | IKEv1 and IKEv2 |
Encryption & Hashing Algorithms | 1. AES256, SHA256; 2. AES256, SHA1; 3. AES128, SHA1; 4. 3DES, SHA1 | RouteBased QM SA Offers |
SA Lifetime (Time) | 3,600 seconds | 27,000 seconds |
SA Lifetime (Bytes) | 102,400,000 KB | 102,400,000 KB |
Perfect Forward Secrecy (PFS) | No | RouteBased QM SA Offers |
Dead Peer Detection (DPD) | Not supported | Supported |
RouteBased VPN IPsec Security Association (IKE Quick Mode SA) Offers
The following tables list the IPsec SA (IKE Quick Mode) offers. Offers are listed in the order of preference in which the offer is presented (Azure as initiator) or accepted (Azure as responder).
Azure Gateway as initiator
– | Encryption | Authentication | PFS Group |
---|---|---|---|
1 | GCM AES256 | GCM (AES256) | None |
2 | AES256 | SHA1 | None |
3 | 3DES | SHA1 | None |
4 | AES256 | SHA256 | None |
5 | AES128 | SHA1 | None |
6 | 3DES | SHA256 | None |
Azure Gateway as responder
– | Encryption | Authentication | PFS Group |
---|---|---|---|
1 | GCM AES256 | GCM (AES256) | None |
2 | AES256 | SHA1 | None |
3 | 3DES | SHA1 | None |
4 | AES256 | SHA256 | None |
5 | AES128 | SHA1 | None |
6 | 3DES | SHA256 | None |
7 | DES | SHA1 | None |
8 | AES256 | SHA1 | 1 |
9 | AES256 | SHA1 | 2 |
10 | AES256 | SHA1 | 14 |
11 | AES128 | SHA1 | 1 |
12 | AES128 | SHA1 | 2 |
13 | AES128 | SHA1 | 14 |
14 | 3DES | SHA1 | 1 |
15 | 3DES | SHA1 | 2 |
16 | 3DES | SHA256 | 2 |
17 | AES256 | SHA256 | 1 |
18 | AES256 | SHA256 | 2 |
19 | AES256 | SHA256 | 14 |
20 | AES256 | SHA1 | 24 |
21 | AES256 | SHA256 | 24 |
22 | AES128 | SHA256 | None |
23 | AES128 | SHA256 | 1 |
24 | AES128 | SHA256 | 2 |
25 | AES128 | SHA256 | 14 |
26 | 3DES | SHA1 | 14 |
- You can specify IPsec ESP NULL encryption with RouteBased and HighPerformance VPN gateways. NULL encryption doesn’t provide protection for data in transit, and should only be used when maximum throughput and minimum latency are required. Clients may choose to use this in VNet-to-VNet communication scenarios, or when encryption is being applied elsewhere in the solution.
- For cross-premises connectivity through the Internet, use the default Azure VPN gateway settings with encryption and hashing algorithms listed in the tables above to ensure security of your critical communication.
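The following added Python example (not Microsoft’s code and not part of the article) encodes the “Azure Gateway as responder” offer table above together with the RouteBased Phase 2 lifetime from the Quick Mode table, so you can see which of your device’s proposals Azure would settle on and spot the legacy algorithms the defaults still accept. The selection model (the first entry in Azure’s order that the device also offers) is an assumption drawn from the stated ordering of the table, and the weak-algorithm list is this example’s own hardening note rather than an Azure rule.

```python
"""Check an on-premises device's IPsec (Quick Mode) proposals against the Azure
VPN gateway responder offer table from this article.

Added example, not Microsoft's code. AZURE_RESPONDER_OFFERS is transcribed from
the "Azure Gateway as responder" table; LEGACY_* sets are the example author's
hardening note (these algorithms are still accepted by Azure for interoperability).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    encryption: str           # "GCM AES256", "AES256", "AES128", "3DES", "DES"
    integrity: str            # "GCM (AES256)", "SHA256", "SHA1"
    pfs_group: Optional[int]  # None = no PFS, otherwise the DH group number


# Azure as responder, most preferred first (rank 1 = first row of the table).
AZURE_RESPONDER_OFFERS: List[Proposal] = [
    Proposal("GCM AES256", "GCM (AES256)", None), Proposal("AES256", "SHA1", None),
    Proposal("3DES", "SHA1", None),               Proposal("AES256", "SHA256", None),
    Proposal("AES128", "SHA1", None),             Proposal("3DES", "SHA256", None),
    Proposal("DES", "SHA1", None),                Proposal("AES256", "SHA1", 1),
    Proposal("AES256", "SHA1", 2),                Proposal("AES256", "SHA1", 14),
    Proposal("AES128", "SHA1", 1),                Proposal("AES128", "SHA1", 2),
    Proposal("AES128", "SHA1", 14),               Proposal("3DES", "SHA1", 1),
    Proposal("3DES", "SHA1", 2),                  Proposal("3DES", "SHA256", 2),
    Proposal("AES256", "SHA256", 1),              Proposal("AES256", "SHA256", 2),
    Proposal("AES256", "SHA256", 14),             Proposal("AES256", "SHA1", 24),
    Proposal("AES256", "SHA256", 24),             Proposal("AES128", "SHA256", None),
    Proposal("AES128", "SHA256", 1),              Proposal("AES128", "SHA256", 2),
    Proposal("AES128", "SHA256", 14),             Proposal("3DES", "SHA1", 14),
]

# Default RouteBased Quick Mode SA lifetime (seconds), from the Phase 2 table.
AZURE_QM_SA_LIFETIME_SECONDS = 27_000

# Author's hardening note: treat these as findings even though Azure accepts them.
LEGACY_ALGORITHMS = {"DES", "3DES", "SHA1"}
LEGACY_PFS_GROUPS = {1, 2}


def select_offer(device_proposals) -> Optional[Tuple[int, Proposal]]:
    """Return (azure_rank, proposal) for the first offer in Azure's own preference
    order that the device also proposes, or None if nothing matches.

    Assumption: as responder, Azure walks its list (not the device's), so a device
    that offers both AES256/SHA256 and AES128/SHA1 ends up on AES128/SHA1 (rank 5).
    """
    offered = set(device_proposals)
    for rank, offer in enumerate(AZURE_RESPONDER_OFFERS, start=1):
        if offer in offered:
            return rank, offer
    return None


def weaknesses(proposal: Proposal) -> List[str]:
    """List the legacy components of a proposal (empty list = nothing flagged)."""
    found = [a for a in (proposal.encryption, proposal.integrity) if a in LEGACY_ALGORITHMS]
    if proposal.pfs_group in LEGACY_PFS_GROUPS:
        found.append(f"DH group {proposal.pfs_group}")
    return found


def lifetime_mismatch(device_lifetime_seconds: int) -> int:
    """Seconds by which the device's Phase 2 lifetime exceeds (positive) or falls
    short of (negative) Azure's RouteBased default; the shorter side rekeys first."""
    return device_lifetime_seconds - AZURE_QM_SA_LIFETIME_SECONDS


if __name__ == "__main__":
    # Constructed device configuration: two proposals, stronger one listed first.
    device = [Proposal("AES256", "SHA256", 14), Proposal("AES128", "SHA1", None)]
    rank, chosen = select_offer(device)
    print(f"Azure would accept rank {rank}: {chosen}; flagged: {weaknesses(chosen)}")
    print(f"lifetime delta vs Azure default: {lifetime_mismatch(28_800)} s")
```

Reordering proposals on the device does not help here; to force the stronger pair onto a RouteBased connection you apply a custom IPsec/IKE policy to that connection, as the Default IPsec/IKE parameters section describes.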
Known device compatibility issues
Feb. 16, 2017
Palo Alto Networks devices with PAN-OS versions prior to 7.1.4 for Azure route-based VPN: If you’re using VPN devices from Palo Alto Networks with a PAN-OS version prior to 7.1.4 and are experiencing connectivity issues to Azure route-based VPN gateways, perform the following steps:
- Check the firmware version of your Palo Alto Networks device. If your PAN-OS version is older than 7.1.4, upgrade to 7.1.4.
- On the Palo Alto Networks device, change the Phase 2 SA (or Quick Mode SA) lifetime to 28,800 seconds (8 hours) when connecting to the Azure VPN gateway.
- If you’re still experiencing connectivity issues, open a support request from the Azure portal.
Azure VPN Gateway connects your on-premises networks to Azure through Site-to-Site VPNs in a similar way that you set up and connect to a remote branch office. The connectivity is secure and uses the industry-standard protocols Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).
What type of VPN connections can you create in Azure? ›
After you create a VPN gateway, you can create an IPsec/IKE VPN tunnel connection between that VPN gateway and another VPN gateway (VNet-to-VNet), or create a cross-premises IPsec/IKE VPN tunnel connection between the VPN gateway and an on-premises VPN device (Site-to-Site).
What are the different kinds of connectivity used by VPN gateway? › The following cross-premises virtual network gateway connections are supported:
- Site-to-site: VPN connection over IPsec (IKE v1 and IKE v2). …
- Point-to-site: VPN connection over SSTP (Secure Socket Tunneling Protocol) or IKE v2. …
- VNet-to-VNet: This type of connection is the same as a site-to-site configuration.
A VPN appliance, also known as a VPN gateway appliance, is a network device with enhanced security features. Also known as an SSL VPN appliance, it is a router that provides protection, authorization, authentication and encryption for VPNs.
How does Azure VPN gateway work? ›
What type of IP address is supported on Azure VPN gateways? ›
Each virtual network can have only one VPN gateway. VPN gateway supports standard and basic SKU public IP addresses depending on the SKU of the VPN gateway. Public IP prefixes aren’t supported.
How do I connect to Azure VPN gateway? › You must have Administrator rights on the client computer from which you are connecting.
- On the client computer, go to VPN settings.
- Select the VPN that you created. …
- Select Connect.
- In the Windows Azure Virtual Network box, select Connect. …
- When your connection succeeds, you’ll see a Connected notification.
What port does Azure VPN gateway use? ›
Guidance: Azure VPN supports the standard IPsec/IKE protocols: UDP ports 500 and 4500, and the ESP protocol.
Which 3 protocols are used by VPN? ›
- PPTP. Point-to-Point Tunneling Protocol is one of the oldest VPN protocols in existence. …
- L2TP/IPSec. Layer 2 Tunnel Protocol is a replacement of the PPTP VPN protocol. …
- OpenVPN. OpenVPN is an open source protocol that allows developers access to its underlying code. …
- SSTP. …
- IKEv2.
What are 3 types of VPN tunnels? › We’ll look at three of the most common: IPsec tunnels, Dynamic Multipoint VPNs, and MPLS-based L3VPNs.
- IPsec Tunnels. In principle, a network-based VPN tunnel is no different from a client-based IPsec tunnel. …
- Dynamic Multipoint VPN (DMVPN) …
- MPLS-based L3VPN.
What are 2 attributes of a VPN service? ›
What Are the Features of Good VPN Products? A good VPN service should have excellent security, a no-logs policy and a large, widespread server network. Security features, like a kill switch and leak protection, should be your main priority.
How many maximum number of VPN gateways can be created for the VNet? ›
Each VNet can have only one VPN gateway.
What are the three components of Azure? ›
A wide range of Microsoft’s software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) products are hosted on Azure. Azure offers three core areas of functionality: Virtual Machines, cloud services, and app services.
What devices should be on VPN? ›
Using a VPN is an easy way of unlocking restricted content, accessing streaming sites, and staying safe and anonymous while doing so. iPhones, Androids, Windows and Mac laptops, games consoles, or smart TVs – all these devices can use a VPN. So why not save by covering all these devices at once?
VPN hardware is a virtual private network based on a single, stand-alone device. The device, which contains a dedicated processor, manages authentication, encryption, and other VPN functions. This VPN offers high levels of security, but is expensive and costly to scale.
How many devices does a VPN cover? ›
VPN providers offer anywhere from one to six connections at the same time.
Can you ping Azure VPN gateway? ›
A Virtual Network Gateway is required to set up a VPN between two sites, either Azure and on-premises or two Azure VNets, for a secure connection between them. Therefore, the VPN Gateway is only accessible on certain ports and may not respond to ping or other ports/protocols.
What is VPN gateway IP address? ›
The IP address of a VPN gateway is usually the IP address of the network interface that connects to the Internet. You can also define a secondary IP address for the interface, and use that address as the local VPN gateway address, so that your existing setup is not affected by the VPN settings.
How do I monitor my Azure VPN gateway? ›
To analyze logs, go to your virtual network gateway. In the Essentials section of the page, select Logs -> View in Azure Monitor.
What are the 5 IP addresses reserved by Azure? › Azure reserves the first four and last IP address for a total of 5 IP addresses within each subnet. For example, the IP address range of 192.168.1.0/24 has the following reserved addresses:
- 192.168.1.0 : Network address.
- 192.168.1.1 : Reserved by Azure for the default gateway.
- 192.168.1.2, 192.168. …
- 192.168.1.255 : Network broadcast address.
Does Azure VPN gateway require public IP? ›
So there is no need to know the public IP, since Azure VPN does not connect like a typical VPN where you can use the gateway to route default or address-based destinations, as one may think; it is just a VPN tunnel between the Azure Cloud infrastructure and the on-premises sites that are connected to the Azure Gateway, nothing beyond that.
What are the types of Azure virtual network gateway? ›
Virtual Networks In Microsoft Azure: VNet Peering, ExpressRoute, VPN Gateway.
What is the difference between an Azure VPN gateway and an Azure virtual WAN? ›
How is Virtual WAN different from an Azure virtual network gateway? A virtual network gateway VPN is limited to 30 tunnels. For connections, you should use Virtual WAN for large-scale VPN. You can connect up to 1,000 branch connections per virtual hub with aggregate of 20 Gbps per hub.
Is Azure Application Gateway a proxy? ›
Let’s start with something relatively easy: Azure Application Gateway is an Azure reverse proxy with optional WAF functionality that can be deployed in Azure Virtual Networks (also known as VNets).
Internet Key Exchange version 2 (IKEv2) is a tunneling protocol based on IPsec, which allows for secure VPN communication between VPN devices. It defines the negotiation and authentication process for IPsec security associations (SAs).
What is Azure gateway subnet? ›
About the gateway subnet
The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use.
A VLAN (Layer 2 network) is created for each Private Cloud. The Layer 2 traffic stays within the boundary of a Private Cloud, allowing you to isolate the local traffic within the Private Cloud. A VLAN created on the Private Cloud can be used to create distributed port groups only in that Private Cloud.
How do you do a packet capture on Azure VPN gateway? › To get the SAS Uri, navigate to the required storage account and generate a SAS token and URL with the correct permissions.
- Copy the Blob SAS URL as it will be needed in the next step.
- Navigate to the VPN Gateway Packet Capture blade in the Azure portal and click the Stop Packet Capture button.
What are the 4 main types of VPN? › Types of Virtual Private Network (VPN) Protocols:
- Internet Protocol Security (IPSec): Internet Protocol Security, known as IPSec, is used to secure Internet communication across an IP network. …
- Layer 2 Tunneling Protocol (L2TP): …
- Point–to–Point Tunneling Protocol (PPTP): …
- SSL and TLS: …
- OpenVPN: …
- Secure Shell (SSH):
What is a VPN connection name? ›
In the Connection name box, enter a name you’ll recognize (for example, My Personal VPN). This is the VPN connection name you’ll look for when connecting. In the Server name or address box, enter the address for the VPN server.
Can you have 2 VPN connections? ›
In most cases, the answer is no because the VPN software generally supports only one connection at a time. Installing a second instance of VPN software and an additional network interface card probably won’t work, as the VPN clients may overlap and interfere with each other.
Which OSI layer is used by VPN? ›
To secure the connection between the user’s client and the company’s server, a VPN is applied. VPNs can be designed based on communication taking place on Layer 3, the network layer, in the Open Systems Interconnection model (OSI model), or on Layer 4, the transport layer.
What ports are used for VPN? ›
The default protocol and port for Mobile VPN with SSL is TCP port 443, which is usually open on most networks.
OpenVPN is an open-source VPN protocol used by many leading VPN providers, including NordVPN. TCP is more reliable, but there are many uses where UDP is preferred and this is usually the default protocol on most VPN services. UDP is a great option if you are gaming, streaming or using VoIP services.
What is the difference between VPN and VPN tunnel? ›
What is a VPN tunnel? A VPN is a secure, encrypted connection over a publicly shared network. Tunneling is the process by which VPN packets reach their intended destination, which is typically a private network.
Layer 2 VPNs virtualize the datalink layer (Layer 2) so as to make geographically remote sites look as if they were operating in the same LAN network. Layer 3 VPNs virtualize the network layer (Layer 3) so as to route your customer networks over a public infrastructure like Internet or Service provider backbone.
What are the 4 main benefits of using a VPN? › Here are some of the key advantages of a VPN for both home and professional use:
- Bypass Geo-locked Content. Many popular entertainment websites have different content accessible in specific regions. …
- Provide Safety Through Anonymity. …
- Save Money on Region-Based eCommerce. …
- Cost-Effective Security. …
- Gaming Pros.
How many types are there in VPN? ›
Virtual Private Network (VPN) services fall into four main types: personal VPNs, remote access VPNs, mobile VPNs, and site-to-site VPNs.
What are the basic functions of VPN? ›
VPN stands for virtual private network. In basic terms, a VPN provides an encrypted server and hides your IP address from corporations, government agencies and would-be hackers. A VPN protects your identity even if you are using public or shared Wi-Fi, and your data will be kept private from any prying internet eyes.
Can you have multiple VPN gateways Azure? ›
Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth.
How many instances a VPN gateway has? ›
About VPN gateway redundancy
Every Azure VPN gateway consists of two instances in an active-standby configuration.
How many VNet can be created in Azure? ›
Virtual Network in Azure is free of charge. Every subscription can create up to 50 Virtual Networks across all regions. VNet Peering links two virtual networks, either in the same region or in different regions, and enables you to route traffic between them using private IP addresses (peering carries a nominal charge).
What are the 3 main identity types used in Azure AD? › Azure AD manages different types of identities:
- User. A user identity is a representation of something that Azure AD manages. …
- Service principal. A service principal is a secure identity that enables an application or service to access Azure resources. …
- Managed identity. …
- Device.
How many types of Azure are there? ›
There are five storage types available in Microsoft Azure divided into two groups. The first group, which includes Queue Storage, Table Storage, and Blob Storage is designed with file storage, scalability, and communication in mind and is accessible via REST API.
What are the 4 service categories provided by Microsoft Azure? ›
In addition, Azure offers four different forms of cloud computing: infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS) and serverless functions.
Do you need a VPN for Azure AD? ›
Azure AD authentication is supported only for OpenVPN® protocol connections and requires the Azure VPN Client.
- In the Azure portal, go to your virtual network gateway.
- On the page for your virtual network gateway, click Connections. You can see the status of each connection.
- Click the name of the connection that you want to verify. In Essentials, you can view more information about your connection.
A virtual private network (VPN) connection on your Windows 10 PC can help provide a more secure connection and access to your company’s network and the internet—for example, when you’re working in a public location such as a coffee shop, library, or airport.
How do I create a VPN gateway in Azure? › The following diagram shows the virtual network and the VPN gateway created as part of this tutorial.
- Prerequisites. An Azure account with an active subscription. …
- Create a virtual network. …
- Create a VPN gateway. …
- View the public IP address. …
- Resize a gateway SKU. …
- Reset a gateway. …
- Clean up resources. …
- Next steps.
What is active active VPN Azure? ›
Active-active VPN gateways
In this configuration, each Azure gateway instance will have a unique public IP address, and each will establish an IPsec/IKE S2S VPN tunnel to your on-premises VPN device specified in your local network gateway and connection.
How do I setup my Azure VPN client? ›
- Navigate to the virtual network gateway.
- Click Point-to-Site configuration.
- Click Download VPN client.
- Select the client and fill out any information that is requested.
- Click Download to generate the .zip file.
- The .zip file will download, typically to your Downloads folder.
What is the IP address of Azure? ›
IP address 168.63.129.16 is a virtual public IP address that is used to facilitate a communication channel to Azure platform resources. Customers can define any address space for their private virtual network in Azure.
What is VPN mainly used for? ›
What Is a Server Name or Address? The VPN server address, also called the VPN server location, is the specific location of the VPN server. The address can be an IP address or a domain name. To connect to a server using a VPN client, you will need to know the server address.
What is the main benefit of VPN? ›
VPNs allow users to hide their network information and safely browse the web no matter their location. While not always ideal, the use of a VPN is often the most affordable and secure way to protect oneself online.
Author: Edwin Metz
Last Updated: 03/19/2023