Basic VPN Gateway and Custom IPsec/IKE policy not supported

Joe Deally 1 Reputation point
2021-05-25T08:54:33.547+00:00

Cisco have removed Diffie-Hellman Group 2 (see below), but the Microsoft Azure VPN Basic Gateway utilizes Diffie-Hellman Group 2 by default for Site2Site VPN. As a result you need to set up a custom IPsec/IKE policy, which is not supported in the Basic VPN Gateway SKU and would require upgrading to at least the next SKU (VpnGW1). The issue I have is that the VPN is to connect to a single virtual machine in Azure; the basic VPN is approx. £20 per month while the next model is approx. £104 per month, which is more expensive than the VM itself. Has anyone come across this and is there any workaround? I can't see how I can recommend migrating a single VM into Azure with a Site2Site VPN with the cost.

Diffie-Hellman GROUP 5 is deprecated for IKEv1 and removed for IKEv2

Diffie-Hellman groups 2 and 24 have been removed.

Encryption algorithms: 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256 have been removed.
Custom IPsec/IKE policy is supported on all Azure SKUs except the Basic SKU.

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
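The custom IPsec/IKE policy the question refers to, as an added Azure PowerShell example that is not part of the original thread. The resource names are placeholders, and the choice of Diffie-Hellman group 14 with AES256/SHA256 is an assumption about what the on-premises Cisco device accepts; the guard reflects the page's point that the Basic SKU cannot take a custom policy.

```powershell
# Placeholder names (assumptions, not taken from the thread).
$rg       = 'example-rg'
$gwName   = 'example-vnet-gw'
$connName = 'example-s2s-conn'

# Custom IPsec/IKE policy is not supported on the Basic SKU, so stop early
# instead of letting the policy update fail on the connection.
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
if ($gw.Sku.Name -eq 'Basic') {
    throw "Gateway '$gwName' is Basic SKU: custom IPsec/IKE policy is not supported."
}

# Assumed proposal: avoids DH groups 2, 5 and 24 and 3DES, which the quoted
# Cisco notes list as removed or deprecated. Both sides must be configured
# with the same values.
$policy = New-AzIpsecPolicy `
    -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# Attach the policy to the existing site-to-site connection.
$conn = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn `
    -IpsecPolicies $policy -UsePolicyBasedTrafficSelectors $false

# Read the connection back and confirm the policy that is now in effect.
(Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg).IpsecPolicies |
    Format-List IkeEncryption, IkeIntegrity, DhGroup, IpsecEncryption, IpsecIntegrity, PfsGroup
```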

1 answer

  1. msrini-MSFT 9,291 Reputation points Microsoft Employee
    2021-06-03T18:54:08.607+00:00

    @Anonymous,

    If you feel Azure VPN gateway is costly, then you can go with any NVA, like Cisco, which you can deploy in Azure and configure to form a tunnel between Azure and on-prem.

    There you will not get any issues with the IKE policies.
