Azure S2S VPN Perfect Forward Secrecy always negotiated as "None"

confusedfish-8493 1 Reputation point
2022-09-06T11:36:43.787+00:00

Hello folks,

First time asking a question so please forgive me if I forgot to put enough information or formatting is wrong.
I am trying to better understand limitations of Azure S2S VPN, namely the PFS and wanted to check if someone encountered a similar situation as I did.

I have been recently looking into the topic of securing VPN phase2 (IPSec) with specific set of protocols (GCMAES256) and PFS group ECP256. I have set up a small lab environment to verify tunnel capabilities that uses Azure Virtual Hub S2S Gateway and good old Azure VNG (Standard SKU) on the other side.

Unfortunately no matter how I configure the VPN cipher settings, the IPSec PFS Group is always being shown as "None".

I have set a matching set of parameters for both phase1 and 2 on both ends of the VPN tunnel (VHG <> VNG), but even then inspecting IKE diagnostic logs shows that the negotiated tunnel is not using PFS at all (effective PFS = None).

Example of matching settings I have tried:

Phase1:
Encryption : GCMAES256
Integrity : SHA256
DH Group : ECP256

Phase2:
Encryption : GCMAES256
Integrity : GCMAES256
PFS Group : ECP256 - effective PFS for established tunnel is always "None"

I have found article *https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices* which showcases different combinations of protocols for initiator and responder. The GCMAES256 is paired with PFS Group as None for both roles, but even if I downgrade to supported AES256 / SHA256 and use PFS Group 24 or 14, the tunnel still ends up with PFS "None" in the end.

Another test that I have done was using pfSense with configured GCMAES256 for phase2 encryption and integrity along with PFS groups 14, 21 and ECP256 and leaving the Azure Virtual Hub S2S Gateway on default and later matching settings. The result was still the same - PFS negotiated to "None".

Side notes:

  • The way I am gathering information on effective PFS settings for Azure VNG is via downloading SAs when the tunnel is established. For Virtual Hub Gateway I am using Azure PowerShell cmdlet that shows connected tunnel settings and double checking IKE diagnostic logs in Storage Account / LA workspace.
  • I have stumbled upon a few articles from security vendors such as Fortinet that recommend disabling PFS when creating a tunnel to Azure VNG. This adds to my confusion as to whether we can actually use PFS for Azure S2S VPN tunnels.

Has anyone ever encountered a similar situation? Perhaps I am reading the guidelines for cipher compatibility incorrectly? Is there any way to make use of a specific PFS group for phase2 of an S2S VPN tunnel, or does it have to be "None" (at least for now)?

Thank you in advance for any tips and feedback.

Tags: Azure Virtual WAN, Azure VPN Gateway

1 answer

  1. ChaitanyaNaykodi-MSFT 23,426 Reputation points Microsoft Employee
    2022-09-06T18:28:26.9+00:00

    Hello @confusedfish-8493 , Thank you for reaching out.

    Have you set up any Diffie-Hellman group for phase2 negotiations? As per the FAQ here, Diffie-Hellman Group 19 supports PFS ECP256.
    If it helps you can also configure a packet capture on your Azure VPN gateway and see if it helps pinpoint the issue. Thank you!

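The configuration the answer points at, as an added example that is not part of the original question or answer: it builds the custom IPsec/IKE policy with DH group ECP256 (group 19) for IKE and PFS group ECP256 for the child SA, applies it to the VNG-side connection and the Virtual WAN VPN connection, and then reads back both the configured policy and the negotiated IKE SA so the configured PFS group can be compared with the effective one. The resource group, gateway, connection and parent VPN gateway names, and the storage SAS URL for the packet capture, are placeholders; the SA lifetime and data-size values are ordinary defaults chosen for the lab, not values from the post.

```powershell
# Added example, not code from the original post. Assumed names:
# rg-vpn-lab, vng-lab, conn-vng-to-vhub, vpngw-hub-lab, conn-hub-to-vng,
# and a storage SAS URL for the packet capture.
$rg      = 'rg-vpn-lab'
$vng     = 'vng-lab'
$conn    = 'conn-vng-to-vhub'
$hubGw   = 'vpngw-hub-lab'
$hubConn = 'conn-hub-to-vng'

# Custom policy matching the cipher set in the question: AES-GCM-256 for
# both phases, SHA256 for IKE integrity, ECP256 for the IKE DH group and
# ECP256 as the phase2 PFS group (not "None").
$policy = New-AzIpsecPolicy `
    -IkeEncryption       GCMAES256 `
    -IkeIntegrity        SHA256 `
    -DhGroup             ECP256 `
    -IpsecEncryption     GCMAES256 `
    -IpsecIntegrity      GCMAES256 `
    -PfsGroup            ECP256 `
    -SALifeTimeSeconds   27000 `
    -SADataSizeKilobytes 102400000

# Apply the policy on the VNG side of the tunnel.
$c = Get-AzVirtualNetworkGatewayConnection -Name $conn -ResourceGroupName $rg
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $c -IpsecPolicies $policy

# Apply the same policy on the Virtual WAN side (VPN connection under the hub's VPN gateway).
Update-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $hubGw -Name $hubConn -IpSecPolicy $policy

# What is configured: PfsGroup should read ECP256 here on both sides.
(Get-AzVirtualNetworkGatewayConnection -Name $conn -ResourceGroupName $rg).IpsecPolicies
(Get-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $hubGw -Name $hubConn).IpsecPolicies

# What was negotiated: the IKE SA / child SA view of the VNG connection.
# Compare the PFS group reported here against the configured one; a
# configured ECP256 with an effective "None" is the symptom in the question.
Get-AzVirtualNetworkGatewayConnectionIkeSa -Name $conn -ResourceGroupName $rg | Format-List *

# Packet capture on the VNG, as suggested in the answer: start it, bring the
# tunnel up (or reset the connection so IKE renegotiates), then stop it and
# write the capture to the assumed storage SAS URL for offline inspection of
# the IKE_SA_INIT / CREATE_CHILD_SA exchanges and the KE payload they carry.
$sas = 'https://<storage-account>.blob.core.windows.net/<container>?<sas-token>'   # placeholder
Start-AzVirtualnetworkGatewayPacketCapture -ResourceGroupName $rg -Name $vng
Reset-AzVirtualNetworkGatewayConnection -Name $conn -ResourceGroupName $rg
Start-Sleep -Seconds 60
Stop-AzVirtualnetworkGatewayPacketCapture -ResourceGroupName $rg -Name $vng -SasUrl $sas
```

The check that matters is the last comparison: the IPsec policy object shows only what was asked for, while the IKE SA listing and the packet capture show what the two gateways actually agreed on. In a CREATE_CHILD_SA exchange with PFS, both sides send a KE payload for the configured group; if the capture shows the child SA being created without any KE payload, the peer is not doing PFS regardless of what the policy says.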