Azure Cross-Premises VPN Configuration Information

This is a list put together from the comments at http://www.windowsazure.com/en-us/manage/services/networking/cross-premises-connectivity/ that will hopefully help when configuring other VPN gateway devices, by collecting the VPN settings needed to connect on-premises networks to Azure.

Phase 1 security association lifetime for the VPN connection is 8 hours (28800 seconds).
Phase 2 security association lifetime for the VPN connection is 1 hour (3600 seconds) or roughly 100 GB (102400000 kilobytes in the config below), whichever comes first.

Must have a public-facing IPv4 address
Must support IKEv1
Must support NAT-T (NAT traversal)
Must support AES128 or 3DES (not sure where 3DES comes in, as the config files don't show 3DES but rather AES)
Must support SHA1
Must support DH group 2
Must fragment packets before encapsulating them with the VPN headers

IKE Info from an ASA configuration file for an Azure VPN connection

! ---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
!
! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase
! 1 negotiation and the main mode security association. We have picked an arbitrary policy # "10" as an example. If
! that happens to conflict with an existing policy, you may choose to use a different policy #.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
 exit

IPSEC Info from an ASA configuration file for an Azure VPN connection

! ---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
!
! This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
! mode security association.
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
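As an added example (not from the original page, and not Cisco or Microsoft tooling), here is a small Python parser that pulls the Phase 1 and Phase 2 values out of ASA-style config text like the two sections above and checks them against the requirements listed at the top of this page. The required values are exactly the ones this page gives (IKEv1 with a pre-shared key, AES or 3DES, SHA1, DH group 2, 28800 s / 3600 s / 102400000 KB lifetimes); the two sample configs inside the script are constructed for the example and the transform-set names AzureTS and WeakTS are made up.

```python
"""Parse Phase 1 / Phase 2 settings from ASA-style config text and compare them
with the Azure requirements listed on this page.

Added example; not part of the original page or any vendor tooling. The sample
configs below are constructed, and the transform-set names are invented.
"""
import re

# Values the Azure gateway side will accept, per the list at the top of the page.
AZURE_REQUIRED = {
    "authentication":   {"pre-share"},
    "encryption":       {"aes", "3des"},        # ASA "aes" is AES-128
    "hash":             {"sha"},                # ASA "sha" is SHA-1
    "group":            {"2"},
    "lifetime":         {"28800"},              # Phase 1, seconds
    "transform_cipher": {"esp-aes", "esp-3des"},
    "transform_auth":   {"esp-sha-hmac"},
    "sa_seconds":       {"3600"},               # Phase 2 lifetimes
    "sa_kilobytes":     {"102400000"},
}

TRANSFORM_RE = re.compile(r"crypto ipsec transform-set \S+ (\S+) (\S+)")
SA_LIFETIME_RE = re.compile(
    r"crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)")


def parse_asa(text: str) -> dict:
    """Extract the IKE policy body and the IPsec SA settings from ASA config text."""
    found = {}
    in_policy = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                                  # blank line or comment
        if line.startswith("crypto isakmp policy"):
            in_policy = True                          # following indented lines belong to it
            continue
        if in_policy:
            if line == "exit":
                in_policy = False
                continue
            key, _, value = line.partition(" ")       # e.g. "group 2" -> ("group", "2")
            found[key] = value
            continue
        m = TRANSFORM_RE.match(line)
        if m:
            found["transform_cipher"], found["transform_auth"] = m.groups()
            continue
        m = SA_LIFETIME_RE.match(line)
        if m:
            found["sa_" + m.group(1)] = m.group(2)
    return found


def check_azure(found: dict) -> list:
    """Return a list of mismatches against AZURE_REQUIRED; empty means the config matches."""
    problems = []
    for key, allowed in AZURE_REQUIRED.items():
        value = found.get(key)
        if value is None:
            problems.append(f"{key}: not set")
        elif value not in allowed:
            problems.append(f"{key}: {value!r} not in {sorted(allowed)}")
    return problems


# Constructed sample 1: mirrors the ASA excerpts on this page (name AzureTS is made up).
GOOD_CONFIG = """
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
 exit
crypto ipsec transform-set AzureTS esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
"""

# Constructed sample 2: a policy that a typical on-premises box might already carry.
BAD_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
 exit
crypto ipsec transform-set WeakTS esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_azure(parse_asa(cfg)) or "matches the Azure parameters")
```

The parser only understands the three statement types shown on this page (the isakmp policy body, the transform set, and the SA lifetimes), which is enough to diff an existing ASA policy against the Azure list before trying to translate it to another device.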

Some other pieces

! ---------------------------------------------------------------------------------------------------------------------
! Tunnel configuration
!
! This section defines an IPSec site-to-site tunnel connecting to the Azure gateway and specifies the pre-shared key
! value used for Phase 1 authentication. 
tunnel-group <SP_AzureGatewayIpAddress> type ipsec-l2l
tunnel-group <SP_AzureGatewayIpAddress> ipsec-attributes
 pre-shared-key <SP_PresharedKey>
 exit

! ---------------------------------------------------------------------------------------------------------------------
! TCPMSS clamping
!
! Adjust the TCPMSS value properly to avoid fragmentation
sysopt connection tcpmss 1350
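The 1350 figure above can be checked with a little arithmetic on the ESP encapsulation. The following Python is an added example, not from the page or from any vendor documentation; it assumes tunnel-mode ESP with AES-CBC or 3DES-CBC, HMAC-SHA1-96 (which is what esp-sha-hmac produces), NAT-T UDP/4500 encapsulation, and IPv4 headers without options on both the inner and the outer packet. It shows why the default 1460-byte MSS of a 1500-byte Ethernet link would force the gateway to fragment, what the largest MSS is that still fits a 1500-byte path, and how much headroom 1350 leaves for TCP options.

```python
"""Why `sysopt connection tcpmss 1350` avoids fragmentation on the Azure IPsec tunnel.

Added example; not from the original page or from Cisco/Microsoft documentation.
Assumptions: tunnel-mode ESP, AES-CBC (16-byte block and IV) or 3DES-CBC (8-byte
block and IV), HMAC-SHA1-96 (12-byte ICV), NAT-T encapsulation in UDP/4500, and
IPv4 headers without options for both the inner and the outer packet.
"""

IPV4_HDR = 20       # IPv4 header without options (used for inner and outer)
UDP_HDR = 8         # NAT-T encapsulation header (UDP port 4500)
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
ICV_SHA1_96 = 12    # HMAC-SHA1 truncated to 96 bits
TCP_HDR = 20        # TCP header without options

CIPHER_BLOCK = {"aes": 16, "3des": 8}   # CBC block size; the IV is one block


def esp_padding(inner_len: int, block: int) -> int:
    """ESP padding so that payload + padding + trailer is a whole number of cipher blocks."""
    return (-(inner_len + ESP_TRAILER)) % block


def outer_packet_size(mss: int, cipher: str = "aes", nat_t: bool = True,
                      tcp_options: int = 0) -> int:
    """Bytes on the wire for one full-MSS TCP segment after ESP tunnel encapsulation."""
    block = CIPHER_BLOCK[cipher]
    inner = IPV4_HDR + TCP_HDR + tcp_options + mss              # cleartext IP packet
    encrypted = block + inner + esp_padding(inner, block) + ESP_TRAILER  # IV .. next header
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + encrypted + ICV_SHA1_96


def needs_fragmentation(mss: int, mtu: int = 1500, **kw) -> bool:
    """True if the encapsulated segment exceeds the outer-link MTU, i.e. the gateway must fragment."""
    return outer_packet_size(mss, **kw) > mtu


def max_mss(mtu: int = 1500, cipher: str = "aes", nat_t: bool = True,
            tcp_options: int = 0) -> int:
    """Largest MSS whose encapsulated segment still fits in one MTU-sized outer packet."""
    mss = mtu
    while outer_packet_size(mss, cipher, nat_t, tcp_options) > mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    for mss in (1460, 1382, 1350):
        size = outer_packet_size(mss)
        flag = " -> must be fragmented" if needs_fragmentation(mss) else ""
        print(f"MSS {mss}: outer packet {size} bytes{flag}")
    print("largest MSS with no TCP options:", max_mss())
    print("largest MSS with 12 bytes of TCP options:", max_mss(tcp_options=12))
```

With AES and NAT-T a 1460-byte segment becomes a 1568-byte outer packet, so without the clamp every full-sized segment is fragmented (or dropped if DF is set and the ICMP needed for path MTU discovery is filtered somewhere on the path). The largest MSS that fits is 1382 with no TCP options and 1370 with a 12-byte timestamp option, so 1350 is a deliberately conservative value that also leaves room for a slightly smaller MTU on the Internet-facing link.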

The goal is that hopefully someone can take some of this and work out the corresponding configurations for other VPN devices, such as Checkpoint, Windows IPsec (possibly), or DD-WRT.