Transition to OpenVPN protocol or IKEv2 from SSTP

A point-to-site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This article applies to the Resource Manager deployment model and talks about ways to overcome the 128 concurrent connection limit of SSTP by transitioning to OpenVPN protocol or IKEv2.

What protocol does P2S use?

Point-to-site VPN can use one of the following protocols:

  • OpenVPN® Protocol, an SSL/TLS based VPN protocol. An SSL VPN solution can pass through firewalls, since most firewalls open TCP port 443 outbound, which SSL uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux, and Mac devices (macOS versions 12.x and above).

  • Secure Socket Tunneling Protocol (SSTP), a proprietary SSL-based VPN protocol. An SSL VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which SSL uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP (Windows 7 and later). SSTP supports up to 128 concurrent connections only regardless of the gateway SKU.

  • IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (macOS versions 10.11 and above).

Note

IKEv2 and OpenVPN for P2S are available for the Resource Manager deployment model only. They are not available for the classic deployment model. The Basic gateway SKU does not support IKEv2 or OpenVPN protocols. If you are using the Basic SKU, you will have to delete and recreate a production SKU virtual network gateway.

Migrating from SSTP to IKEv2 or OpenVPN

There might be cases when you want to support more than 128 concurrent P2S connection to a VPN gateway but are using SSTP. In such a case, you need to move to IKEv2 or OpenVPN protocol.

Option 1 - Add IKEv2 in addition to SSTP on the Gateway

This is the simplest option. SSTP and IKEv2 can coexist on the same gateway and give you a higher number of concurrent connections. You can simply enable IKEv2 on the existing gateway and redownload the client.

Adding IKEv2 to an existing SSTP VPN gateway won't affect existing clients and you can configure them to use IKEv2 in small batches or just configure the new clients to use IKEv2. If a Windows client is configured for both SSTP and IKEv2, it tries to connect using IKEV2 first and if that fails, it falls back to SSTP.

IKEv2 uses non-standard UDP ports so you need to ensure that these ports are not blocked on the user's firewall. The ports in use are UDP 500 and 4500.

To add IKEv2 to an existing gateway, go to the "point-to-site configuration" tab under the Virtual Network Gateway in portal, and select IKEv2 and SSTP (SSL) from the drop-down box.

Screenshot that shows the Point-to-site configuration page with the Tunnel type drop-down open, and IKEv2 and SSTP(SSL) selected.

Note

When you have both SSTP and IKEv2 enabled on the gateway, the point-to-site address pool will be statically split between the two, so clients using different protocols will be assigned IP addresses from either sub-range. Note that the maximum amount of SSTP clients is always 128, even if the address range is larger than /24 resulting in a bigger amount of addresses available for IKEv2 clients. For smaller ranges, the pool will be equally halved. Traffic Selectors used by the gateway may not include the point-to-site address range CIDR, but the two sub-range CIDRs.

Option 2 - Remove SSTP and enable OpenVPN on the Gateway

Since SSTP and OpenVPN are both TLS-based protocol, they can't coexist on the same gateway. If you decide to move away from SSTP to OpenVPN, you'll have to disable SSTP and enable OpenVPN on the gateway. This operation causes the existing clients to lose connectivity to the VPN gateway until the new profile has been configured on the client.

You can enable OpenVPN along side with IKEv2 if you desire. OpenVPN is TLS-based and uses the standard TCP 443 port. To switch to OpenVPN, go to the "point-to-site configuration" tab under the Virtual Network Gateway in portal, and select OpenVPN (SSL) or IKEv2 and OpenVPN (SSL) from the drop-down box.

Screenshot that shows the Point-to-site configuration page with Open VPN selected.

Once the gateway has been configured, existing clients won't be able to connect until you deploy and configure the OpenVPN clients.

If you're using Windows 10 or later, you can also use the Azure VPN Client.

Frequently asked questions

What are the client configuration requirements?

Note

For Windows clients, you must have administrator rights on the client device in order to initiate the VPN connection from the client device to Azure.

Users use the native VPN clients on Windows and Mac devices for P2S. Azure provides a VPN client configuration zip file that contains settings required by these native clients to connect to Azure.

  • For Windows devices, the VPN client configuration consists of an installer package that users install on their devices.
  • For Mac devices, it consists of the mobileconfig file that users install on their devices.

The zip file also provides the values of some of the important settings on the Azure side that you can use to create your own profile for these devices. Some of the values include the VPN gateway address, configured tunnel types, routes, and the root certificate for gateway validation.

Note

Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. Only point-to-site connections are impacted; site-to-site connections won't be affected. If you’re using TLS for point-to-site VPNs on Windows 10 or later clients, you don’t need to take any action. If you're using TLS for point-to-site connections on Windows 7 and Windows 8 clients, see the VPN Gateway FAQ for update instructions.

Which gateway SKUs support P2S VPN?

The following table shows gateway SKUs by tunnel, connection, and throughput. For additional tables and more information regarding this table, see the Gateway SKUs section of the VPN Gateway settings article.

VPN
Gateway
Generation
SKU S2S/VNet-to-VNet
Tunnels
P2S
SSTP Connections
P2S
IKEv2/OpenVPN Connections
Aggregate
Throughput Benchmark
BGP Zone-redundant Supported Number of VMs in the Virtual Network
Generation1 Basic Max. 10 Max. 128 Not Supported 100 Mbps Not Supported No 200
Generation1 VpnGw1 Max. 30 Max. 128 Max. 250 650 Mbps Supported No 450
Generation1 VpnGw2 Max. 30 Max. 128 Max. 500 1 Gbps Supported No 1300
Generation1 VpnGw3 Max. 30 Max. 128 Max. 1000 1.25 Gbps Supported No 4000
Generation1 VpnGw1AZ Max. 30 Max. 128 Max. 250 650 Mbps Supported Yes 1000
Generation1 VpnGw2AZ Max. 30 Max. 128 Max. 500 1 Gbps Supported Yes 2000
Generation1 VpnGw3AZ Max. 30 Max. 128 Max. 1000 1.25 Gbps Supported Yes 5000
Generation2 VpnGw2 Max. 30 Max. 128 Max. 500 1.25 Gbps Supported No 685
Generation2 VpnGw3 Max. 30 Max. 128 Max. 1000 2.5 Gbps Supported No 2240
Generation2 VpnGw4 Max. 100* Max. 128 Max. 5000 5 Gbps Supported No 5300
Generation2 VpnGw5 Max. 100* Max. 128 Max. 10000 10 Gbps Supported No 6700
Generation2 VpnGw2AZ Max. 30 Max. 128 Max. 500 1.25 Gbps Supported Yes 2000
Generation2 VpnGw3AZ Max. 30 Max. 128 Max. 1000 2.5 Gbps Supported Yes 3300
Generation2 VpnGw4AZ Max. 100* Max. 128 Max. 5000 5 Gbps Supported Yes 4400
Generation2 VpnGw5AZ Max. 100* Max. 128 Max. 10000 10 Gbps Supported Yes 9000

Note

The Basic SKU has limitations and does not support IKEv2, or RADIUS authentication.

What IKE/IPsec policies are configured on VPN gateways for P2S?

IKEv2

Cipher Integrity PRF DH Group
GCM_AES256 GCM_AES256 SHA384 GROUP_24
GCM_AES256 GCM_AES256 SHA384 GROUP_14
GCM_AES256 GCM_AES256 SHA384 GROUP_ECP384
GCM_AES256 GCM_AES256 SHA384 GROUP_ECP256
GCM_AES256 GCM_AES256 SHA256 GROUP_24
GCM_AES256 GCM_AES256 SHA256 GROUP_14
GCM_AES256 GCM_AES256 SHA256 GROUP_ECP384
GCM_AES256 GCM_AES256 SHA256 GROUP_ECP256
AES256 SHA384 SHA384 GROUP_24
AES256 SHA384 SHA384 GROUP_14
AES256 SHA384 SHA384 GROUP_ECP384
AES256 SHA384 SHA384 GROUP_ECP256
AES256 SHA256 SHA256 GROUP_24
AES256 SHA256 SHA256 GROUP_14
AES256 SHA256 SHA256 GROUP_ECP384
AES256 SHA256 SHA256 GROUP_ECP256
AES256 SHA256 SHA256 GROUP_2

IPsec

Cipher Integrity PFS Group
GCM_AES256 GCM_AES256 GROUP_NONE
GCM_AES256 GCM_AES256 GROUP_24
GCM_AES256 GCM_AES256 GROUP_14
GCM_AES256 GCM_AES256 GROUP_ECP384
GCM_AES256 GCM_AES256 GROUP_ECP256
AES256 SHA256 GROUP_NONE
AES256 SHA256 GROUP_24
AES256 SHA256 GROUP_14
AES256 SHA256 GROUP_ECP384
AES256 SHA256 GROUP_ECP256
AES256 SHA1 GROUP_NONE

What TLS policies are configured on VPN gateways for P2S?

TLS

Policies
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
**TLS_AES_256_GCM_SHA384
**TLS_AES_128_GCM_SHA256

**Only supported on TLS1.3 with OpenVPN

How do I configure a P2S connection?

A P2S configuration requires quite a few specific steps. The following articles contain the steps to walk you through P2S configuration, and links to configure the VPN client devices:

Next steps

"OpenVPN" is a trademark of OpenVPN Inc.