Create and set custom IPsec policies for Point-to-Site (preview)

If your environment requires a custom IPsec policy for encryption, you can easily configure a policy object with the required settings. This article helps you create a custom policy object, and then set it using PowerShell.

Before you begin

Verify that your environment meets the following prerequisites:

  • You have a functioning point-to-site VPN already configured. If you don't, configure one using the steps in the Create a point-to-site VPN article, using either PowerShell or the Azure portal.

Working with Azure PowerShell

This article uses PowerShell cmdlets. To run the cmdlets, you can use Azure Cloud Shell. Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.

To open Cloud Shell, select Try it from the upper-right corner of a code block. You can also open Cloud Shell in a separate browser tab. Select Copy to copy the blocks of code, paste them into Cloud Shell, and select the Enter key to run them.

1. Set variables

Declare the variables that you want to use. Use the following sample, replacing the values with your own where necessary. If you close your PowerShell/Cloud Shell session at any point during the exercise, just copy and paste the values again to redeclare the variables.

# Resource group and name of the existing point-to-site VPN gateway
$RG = "TestRG"
$GWName = "VNet1GW"

2. Create policy object

Create a custom IPsec policy object. You can adjust the values to meet the criteria you require.

# IPsec (phase 2) settings, SA lifetime in seconds and SA data size in KB,
# followed by the IKE (phase 1) settings and the DH / PFS groups
$vpnclientipsecpolicy = New-AzVpnClientIpsecPolicy `
    -IpsecEncryption AES256 `
    -IpsecIntegrity SHA256 `
    -SALifeTime 86471 `
    -SADataSize 429496 `
    -IkeEncryption AES256 `
    -IkeIntegrity SHA384 `
    -DhGroup DHGroup2 `
    -PfsGroup PFS2

3. Update gateway and set policy

In this step, update your existing P2S VPN gateway and set the IPsec policy.

# Retrieve the existing gateway, then apply the custom policy to its P2S configuration
$gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway -VpnClientIpsecPolicy $vpnclientipsecpolicy
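The following added example (not part of the original article) runs steps 2 and 3 together and then reads the applied policy back from the gateway object returned by Set-AzVirtualNetworkGateway, so you can confirm that every field you requested is what P2S clients will actually negotiate. It assumes the $RG and $GWName values from step 1, an authenticated Az session, and the property names SALifeTimeSeconds and SADataSizeKilobytes on the returned IPsec policy object; the DHGroup14/PFS14 groups are an assumed stronger choice than the article's DHGroup2/PFS2 sample and can be swapped back.

```powershell
# Added example, not from the original article. Assumes an authenticated Az session.
$RG     = "TestRG"
$GWName = "VNet1GW"

# Requested policy. DHGroup14/PFS14 (2048-bit MODP) are an assumed choice here;
# the article's sample uses DHGroup2/PFS2. Adjust to what your clients support.
$desired = @{
    IpsecEncryption = "AES256"
    IpsecIntegrity  = "SHA256"
    SALifeTime      = 86471     # seconds
    SADataSize      = 429496    # KB
    IkeEncryption   = "AES256"
    IkeIntegrity    = "SHA384"
    DhGroup         = "DHGroup14"
    PfsGroup        = "PFS14"
}

# Cmdlet parameter name -> property name on the policy object the gateway returns
# (the two SA* property names are an assumption, not taken from the article).
$fieldMap = @{
    IpsecEncryption = "IpsecEncryption"; IpsecIntegrity = "IpsecIntegrity"
    IkeEncryption   = "IkeEncryption";   IkeIntegrity   = "IkeIntegrity"
    DhGroup         = "DhGroup";         PfsGroup       = "PfsGroup"
    SALifeTime      = "SALifeTimeSeconds"
    SADataSize      = "SADataSizeKilobytes"
}

# Step 2: build the policy object from the hashtable (splatting)
$policy = New-AzVpnClientIpsecPolicy @desired

# Step 3: apply it to the existing P2S gateway and keep the returned gateway object
$gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
$updated = Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway -VpnClientIpsecPolicy $policy

# Verification: the gateway should now carry exactly one client IPsec policy
# whose fields match what was requested.
$applied = $updated.VpnClientConfiguration.VpnClientIpsecPolicies
if (-not $applied) { throw "Gateway returned no VpnClientIpsecPolicies; policy was not applied." }

$mismatch = $desired.Keys | Where-Object {
    "$($applied[0].$($fieldMap[$_]))" -ne "$($desired[$_])"
}
if ($mismatch) {
    throw "Applied policy differs from the requested one in: $($mismatch -join ', ')"
}

Write-Host "Custom IPsec policy applied and verified on $GWName"
$applied[0] | Format-List
```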

Next steps

For more information about P2S configurations, see About Point-to-Site VPN.