Create and set custom IPsec policies for point-to-site connections
If your point-to-site (P2S) VPN environment requires a custom IPsec policy for encryption, you can easily configure a policy object with the required settings. This article helps you create a custom policy object, and then set it using PowerShell.
Before you begin
Prerequisites
Verify that you have a functioning point-to-site VPN already configured. If you don't, configure one using the steps the Create a point-to-site VPN article using either PowerShell, or the Azure portal.
Working with Azure PowerShell
This article uses PowerShell cmdlets. To run the cmdlets, you can use Azure Cloud Shell. Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.
To open Cloud Shell, just select Open Cloudshell from the upper-right corner of a code block. You can also open Cloud Shell on a separate browser tab by going to https://shell.azure.com/powershell. Select Copy to copy the blocks of code, paste them into Cloud Shell, and select the Enter key to run them.
Create and set a policy
Declare the variables that you want to use. Use the following sample, replacing the values for your own when necessary. If you close your PowerShell/Cloud Shell session at any point during the exercise, just copy and paste the values again to redeclare the variables.
$RG = "TestRG" $GWName = "VNet1GW"
Create a custom IPsec policy object. Adjust the values in the example to meet your requirements.
$vpnclientipsecpolicy = New-AzVpnClientIpsecPolicy -IpsecEncryption AES256 -IpsecIntegrity SHA256 -SALifeTime 86471 -SADataSize 429496 -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup2 -PfsGroup PFS2
Update your existing P2S VPN gateway and set the IPsec policy.
$gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -name $GWName Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway -VpnClientIpsecPolicy $vpnclientipsecpolicy
Next steps
For more information about P2S configurations, see About point-to-site VPN.