Valid remote network configurations for custom and default configurations

Device links are the physical routers that connect your remote networks, such as branch locations, to Global Secure Access. There's a specific set of combinations you must use if you choose the Custom option when adding device links. If you choose the Default option, you must enter a specific combination of properties on the customer premises equipment (CPE).

Custom and default details

The available regions, device types, autonomous system number (ASN), and border gateway protocol (BGP) addresses are used in both the default and custom configurations.

Available device options

  • barracudaNetworks
  • checkPoint
  • ciscoMeraki
  • citrix
  • fortinet
  • hpeAruba
  • netFoundry
  • nuage
  • openSystems
  • paloAltoNetworks
  • riverbedTechnology
  • silverPeak
  • vmWareSdWan
  • versa

Valid regions where remote networks can be created

| Europe Middle East Africa (EMEA) | Asia Pacific (APAC) | Latin America (LATAM) | North America (NA) |
| --- | --- | --- | --- |
| franceCentral | australiaEast | brazilSouth | canadaCentral |
| franceSouth | australiaSouthEast | | canadaEast |
| germanyWestCentral | centralIndia | | centralUS |
| israelCentral | japanEast | | eastUS |
| italyNorth | japanWest | | northCentralUS |
| northEurope | koreaCentral | | southCentralUS |
| polandCentral | koreaSouth | | westCentralUS |
| southAfricaNorth | southEastAsia | | westUS |
| southAfricaWest | southIndia | | westUS2 |
| swedenCentral | | | westUS3 |
| switzerlandNorth | | | |
| uaeNorth | | | |
| ukSouth | | | |
| westEurope | | | |

Valid ASN

You can use any 2-byte value (between 1 and 65534) except for the following reserved ASNs:

  • Azure reserved ASNs: 12076, 65517, 65518, 65519, 65520, 8076, 8075
  • IANA reserved ASNs: 23456, 64496 to 64511, 65535 to 65551, 4294967295
  • 65476

Valid BGP addresses

You can use any BGP address except for the following addresses:

  • 0.0.0.0/32
  • 127.0.0.0/8
  • 224.0.0.0/4
  • 255.255.255.255/32

Default IPSec/IKE configurations

When you select Default as your IPsec/IKE policy when configuring remote network device links in the Microsoft Entra admin center, we expect the following combinations in the tunnel handshake. Each value in the combination is entered on your CPE.

Important

You must specify both a Phase 1 and Phase 2 combination on your CPE.

IKE Phase 1 combinations

| Properties | Combination 1 | Combination 2 | Combination 3 | Combination 4 |
| --- | --- | --- | --- | --- |
| IKE encryption | GCMAES256 | GCMAES128 | AES256 | AES128 |
| IKE integrity | SHA384 | SHA256 | SHA384 | SHA256 |
| DH group | DHGroup24 | DHGroup24 | DHGroup24 | DHGroup24 |

IKE Phase 2 combinations

| Properties | Combination 1 | Combination 2 | Combination 3 |
| --- | --- | --- | --- |
| IPSec encryption | GCMAES256 | GCMAES192 | GCMAES128 |
| IPSec integrity | GCMAES256 | GCMAES192 | GCMAES128 |
| PFS Group | None | None | None |

Custom IPSec/IKE combinations

When you select Custom as the IPSec/IKE configuration when configuring remote network device links in the Microsoft Entra admin center, you must use one of the following combinations.

IKE Phase 1 combinations

There are no limitations for the IKE phase 1 combinations. Any mix and match of encryption, integrity, and DH group is valid.

IKE Phase 2 combinations

The IPSec encryption and integrity configurations are provided in the following table:

| IPSec encryption | IPSec integrity |
| --- | --- |
| GCMAES128 | GCMAES128 |
| GCMAES192 | GCMAES192 |
| GCMAES256 | GCMAES256 |
| None | SHA256 |

  • PFS group - No limitation.
  • SA lifetime - must be >300 seconds.
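
The following pre-flight check is an added example, not code from the original page or from Microsoft. It applies the ASN, BGP address, custom Phase 2, and SA lifetime rules listed on this page to a device link before you enter it in the admin center. The function name and the dictionary key names are hypothetical, and the sample links are constructed.

```python
import ipaddress

# Reserved values copied from the "Valid ASN" and "Valid BGP addresses" lists.
AZURE_RESERVED_ASNS = {12076, 65517, 65518, 65519, 65520, 8076, 8075}
IANA_RESERVED_ASNS = {23456, 4294967295} | set(range(64496, 64512)) | set(range(65535, 65552))
OTHER_RESERVED_ASNS = {65476}
BLOCKED_BGP_NETS = [ipaddress.ip_network(n) for n in
                    ("0.0.0.0/32", "127.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32")]
# (IPSec encryption, IPSec integrity) pairs from the custom Phase 2 table.
CUSTOM_PHASE2_PAIRS = {("GCMAES128", "GCMAES128"), ("GCMAES192", "GCMAES192"),
                       ("GCMAES256", "GCMAES256"), ("None", "SHA256")}


def validate_custom_link(link):
    """Return a list of rule violations for one device link (empty list = valid)."""
    # Key names in the link dict are hypothetical, chosen for this example.
    errors = []
    asn = link["asn"]
    if not 1 <= asn <= 65534:
        errors.append(f"ASN {asn} is outside the 2-byte range 1-65534")
    elif asn in AZURE_RESERVED_ASNS | IANA_RESERVED_ASNS | OTHER_RESERVED_ASNS:
        errors.append(f"ASN {asn} is reserved")
    try:
        bgp = ipaddress.ip_address(link["bgp_address"])
    except ValueError:
        errors.append(f"BGP address {link['bgp_address']!r} is not an IP address")
    else:
        if any(bgp in net for net in BLOCKED_BGP_NETS):
            errors.append(f"BGP address {bgp} is in an excluded range")
    pair = (link["ipsec_encryption"], link["ipsec_integrity"])
    if pair not in CUSTOM_PHASE2_PAIRS:
        errors.append(f"IPSec encryption/integrity pair {pair} is not allowed")
    if link["sa_lifetime_seconds"] <= 300:
        errors.append("SA lifetime must be greater than 300 seconds")
    return errors


# Constructed sample inputs (not taken from any real tenant).
GOOD_LINK = {"asn": 65010, "bgp_address": "192.168.10.1",
             "ipsec_encryption": "GCMAES256", "ipsec_integrity": "GCMAES256",
             "sa_lifetime_seconds": 3600}
BAD_LINK = {"asn": 65517, "bgp_address": "127.0.0.1",
            "ipsec_encryption": "GCMAES256", "ipsec_integrity": "SHA256",
            "sa_lifetime_seconds": 300}

if __name__ == "__main__":
    for name, link in (("good", GOOD_LINK), ("bad", BAD_LINK)):
        print(name, validate_custom_link(link) or "OK")
```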

Valid enums

The following values can be used for the IKE, IPSec, DH group, and PFS group properties.

IKE encryption

| Value | Enum |
| --- | --- |
| AES128 | 0 |
| AES192 | 1 |
| AES256 | 2 |
| GCMAES128 | 3 |
| GCMAES256 | 4 |

IKE integrity

| Value | Enum |
| --- | --- |
| SHA256 | 0 |
| SHA384 | 1 |
| GCMAES256 | 2 |
| GCMAES256 | 3 |

DH group

| Value | Enum |
| --- | --- |
| DHGroup14 | 0 |
| DHGroup2048 | 1 |
| ECP256 | 2 |
| ECP384 | 3 |
| DHGroup24 | 4 |

IPSec encryption

| Value | Enum |
| --- | --- |
| GCMAES128 | 0 |
| GCMAES192 | 1 |
| GCMAES256 | 2 |
| None | 3 |

IPSec integrity

| Value | Enum |
| --- | --- |
| GCMAES128 | 0 |
| GCMAES192 | 1 |
| GCMAES256 | 2 |
| SHA256 | 3 |

PFS group

| Value | Enum |
| --- | --- |
| PFS1 | 0 |
| None | 1 |
| PFS2 | 2 |
| PFS2048 | 3 |
| ECP256 | 4 |
| ECP384 | 5 |
| PFSMM | 6 |
| PFS24 | 7 |
| PFS14 | 8 |