Point-to-site IPsec policies
This article shows the supported IPsec policy combinations for Point-to-site VPN connectivity in Azure Virtual WAN.
Default IPsec policies
The following table shows the default IPsec parameters for Point-to-site VPN connections. The Virtual WAN Point-to-site VPN gateway applies these parameters automatically when a Point-to-site profile is created without a custom IPsec policy.
Setting | Parameters |
---|---|
Phase 1 IKE Encryption | AES256 |
Phase 1 IKE Integrity | SHA256 |
DH Group | DHGroup24 |
Phase 2 IPsec Encryption | GCMAES256 |
Phase 2 IPsec Integrity | GCMAES256 |
PFS Group | PFS24 |
Custom IPsec policies
When working with custom IPsec policies, keep in mind the following requirements:
- IKE - For Phase 1 IKE, you can select any parameter from IKE Encryption, plus any parameter from IKE Integrity, plus any parameter from DH Group.
- IPsec - For Phase 2 IPsec, you can select any parameter from IPsec Encryption, plus any parameter from IPsec Integrity, plus PFS. If either the IPsec Encryption or the IPsec Integrity parameter is GCM, then both must use the same algorithm. For example, if GCMAES128 is chosen for IPsec Encryption, GCMAES128 must also be chosen for IPsec Integrity. The reason is that GCM is an authenticated-encryption (AEAD) mode: the cipher produces its own integrity tag, so the integrity setting names the same GCM algorithm rather than a separate hash.
The following table shows the available IPsec parameters for Point-to-site VPN connections.
Setting | Parameters |
---|---|
Phase 1 IKE Encryption | AES128, AES256, GCMAES128, GCMAES256 |
Phase 1 IKE Integrity | SHA256, SHA384 |
DH Group | DHGroup14, DHGroup24, ECP256, ECP384 |
Phase 2 IPsec Encryption | GCMAES128, GCMAES256 |
Phase 2 IPsec Integrity | GCMAES128, GCMAES256, SHA256 |
PFS Group | PFS14, PFS24, ECP256, ECP384 |
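The following pre-flight check is an added example and is not part of the Azure documentation or of any Azure SDK. It encodes the two custom-policy rules above (every setting must come from its supported set, and a GCM choice in Phase 2 forces IPsec Encryption and IPsec Integrity to match) so that a candidate policy can be checked before it is submitted through the portal, CLI, or PowerShell. The `P2SIpsecPolicy` class, the `validate` function, and the sample candidates are this example's own constructions; the allowed values are transcribed from the tables in this article. Note that, as the tables stand, the GCM rule means SHA256 integrity can only pair with a non-GCM cipher, so the checker rejects SHA256 integrity next to a GCMAES cipher.

```python
"""Pre-flight check for a Virtual WAN point-to-site custom IPsec policy.

Added example, not code from the Azure documentation. The rules enforced are
the ones stated in the "Custom IPsec policies" section of this article.
"""
from dataclasses import dataclass, fields

# Supported values, transcribed from the custom-policy table in this article.
SUPPORTED = {
    "ike_encryption": {"AES128", "AES256", "GCMAES128", "GCMAES256"},
    "ike_integrity": {"SHA256", "SHA384"},
    "dh_group": {"DHGroup14", "DHGroup24", "ECP256", "ECP384"},
    "ipsec_encryption": {"GCMAES128", "GCMAES256"},
    "ipsec_integrity": {"GCMAES128", "GCMAES256", "SHA256"},
    "pfs_group": {"PFS14", "PFS24", "ECP256", "ECP384"},
}


@dataclass(frozen=True)
class P2SIpsecPolicy:
    """One candidate policy (hypothetical type); field order mirrors the tables above."""
    ike_encryption: str
    ike_integrity: str
    dh_group: str
    ipsec_encryption: str
    ipsec_integrity: str
    pfs_group: str


# The default policy from the first table, kept as a known-good reference.
DEFAULT_POLICY = P2SIpsecPolicy(
    ike_encryption="AES256",
    ike_integrity="SHA256",
    dh_group="DHGroup24",
    ipsec_encryption="GCMAES256",
    ipsec_integrity="GCMAES256",
    pfs_group="PFS24",
)


def is_gcm(algorithm: str) -> bool:
    """GCMAES128/GCMAES256 are AEAD modes: the cipher supplies its own integrity tag."""
    return algorithm.startswith("GCMAES")


def validate(policy: P2SIpsecPolicy) -> list[str]:
    """Return the list of problems found; an empty list means the policy is acceptable."""
    problems: list[str] = []

    # Rule 1: each setting must be drawn from the supported set for that setting.
    for f in fields(policy):
        value = getattr(policy, f.name)
        if value not in SUPPORTED[f.name]:
            problems.append(
                f"{f.name}: '{value}' is not supported; choose one of "
                f"{', '.join(sorted(SUPPORTED[f.name]))}"
            )

    # Rule 2: if either Phase 2 algorithm is GCM, both must be the same GCM algorithm.
    enc, integ = policy.ipsec_encryption, policy.ipsec_integrity
    if (is_gcm(enc) or is_gcm(integ)) and enc != integ:
        problems.append(
            "ipsec_integrity must equal ipsec_encryption when GCM is used "
            f"(got encryption={enc}, integrity={integ})"
        )
    return problems


def is_valid(policy: P2SIpsecPolicy) -> bool:
    return not validate(policy)


if __name__ == "__main__":
    # Constructed candidates: the default policy and one that mixes GCM key sizes.
    mixed = P2SIpsecPolicy("AES128", "SHA384", "ECP384", "GCMAES128", "GCMAES256", "ECP384")
    for candidate in (DEFAULT_POLICY, mixed):
        print(candidate)
        for problem in validate(candidate) or ["ok"]:
            print("  ", problem)
```

Run the module directly to see the default policy pass and the mixed GCMAES128/GCMAES256 candidate fail on the matching rule; calling `validate` from your own provisioning script gives you the same check before the gateway rejects the configuration.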
Next steps
See How to create a point-to-site connection
For more information about Virtual WAN, see the Virtual WAN FAQ.