Site-to-site IPsec policies
This article shows the supported IPsec policy combinations.
Default IPsec policies
Note
When working with Default policies, Azure can act as both initiator and responder during an IPsec tunnel setup. While Virtual WAN VPN supports many algorithm combinations, our recommendation is GCMAES256 for both IPSEC Encryption and Integrity for optimal performance. AES256 and SHA256 are considered less performant and therefore performance degradation such as latency and packet drops can be expected for similar algorithm types. For more information about Virtual WAN, see the Azure Virtual WAN FAQ.
Initiator
The following sections list the supported policy combinations when Azure is the initiator for the tunnel.
Phase-1
- AES_256, SHA1, DH_GROUP_2
- AES_256, SHA_256, DH_GROUP_2
- AES_128, SHA1, DH_GROUP_2
- AES_128, SHA_256, DH_GROUP_2
Phase-2
- GCM_AES_256, GCM_AES_256, PFS_NONE
- AES_256, SHA_1, PFS_NONE
- AES_256, SHA_256, PFS_NONE
- AES_128, SHA_1, PFS_NONE
Responder
The following sections list the supported policy combinations when Azure is the responder for the tunnel.
Phase-1
- AES_256, SHA1, DH_GROUP_2
- AES_256, SHA_256, DH_GROUP_2
- AES_128, SHA1, DH_GROUP_2
- AES_128, SHA_256, DH_GROUP_2
Phase-2
- GCM_AES_256, GCM_AES_256, PFS_NONE
- AES_256, SHA_1, PFS_NONE
- AES_256, SHA_256, PFS_NONE
- AES_128, SHA_1, PFS_NONE
- AES_256, SHA_1, PFS_1
- AES_256, SHA_1, PFS_2
- AES_256, SHA_1, PFS_14
- AES_128, SHA_1, PFS_1
- AES_128, SHA_1, PFS_2
- AES_128, SHA_1, PFS_14
- AES_256, SHA_256, PFS_1
- AES_256, SHA_256, PFS_2
- AES_256, SHA_256, PFS_14
- AES_256, SHA_1, PFS_24
- AES_256, SHA_256, PFS_24
- AES_128, SHA_256, PFS_NONE
- AES_128, SHA_256, PFS_1
- AES_128, SHA_256, PFS_2
- AES_128, SHA_256, PFS_14
SA Lifetime Values
These life time values apply for both initiator and responder
- SA Lifetime in seconds: 3600 seconds
- SA Lifetime in Bytes: 102,400,000 KB
Custom IPsec policies
When working with custom IPsec policies, keep in mind the following requirements:
- IKE - For IKE, you can select any parameter from IKE Encryption, plus any parameter from IKE Integrity, plus any parameter from DH Group.
- IPsec - For IPsec, you can select any parameter from IPsec Encryption, plus any parameter from IPsec Integrity, plus PFS. If any of the parameters for IPsec Encryption or IPsec Integrity is GCM, then the parameters for both settings must be GCM.
The default custom policy includes SHA1, DHGroup2, and 3DES for backward compatibility. These are weaker algorithms that aren't supported when creating a custom policy. We recommend only using the following algorithms:
Available settings and parameters
| Setting | Parameters |
|---|---|
| IKE Encryption | GCMAES256, GCMAES128, AES256, AES128 |
| IKE Integrity | SHA384, SHA256 |
| DH Group | ECP384, ECP256, DHGroup24, DHGroup14 |
| IPsec Encryption | GCMAES256, GCMAES128, AES256, AES128, None |
| IPsec Integrity | GCMAES256, GCMAES128, SHA256 |
| PFS Group | ECP384, ECP256, PFS24, PFS14, None |
| SA Lifetime | integer; min. 300/ default 3600 seconds |
Next steps
For steps to configure a custom IPsec policy, see Configure a custom IPsec policy for Virtual WAN.
For more information about Virtual WAN, see About Azure Virtual WAN and the Azure Virtual WAN FAQ.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for