Редагувати

Поділитися через


Point-to-site IPsec policies

This article shows the supported IPsec policy combinations for Point-to-site VPN connectivity in Azure Virtual WAN.

Default IPsec policies

The following table shows the default IPsec parameters for Point-to-site VPN connections. These parameters are automatically chosen by the Virtual WAN Point-to-site VPN gateway when a Point-to-site profile is created.

Setting Parameters
Phase 1 IKE Encryption AES256
Phase 1 IKE Integrity SHA256
DH Group DHGroup24
Phase 2 IPsec Encryption GCMAES256
Phase 2 IPsec Integrity GCMAES256
PFS Group PFS24

Custom IPsec policies

When working with custom IPsec policies, keep in mind the following requirements:

  • IKE - For Phase 1 IKE, you can select any parameter from IKE Encryption, plus any parameter from IKE Integrity, plus any parameter from DH Group.
  • IPsec - For Phase 2 IPsec, you can select any parameter from IPsec Encryption, plus any parameter from IPsec Integrity, plus PFS. If any of the parameters for IPsec Encryption or IPsec Integrity is GCM, then both IPsec Encryption and Integrity must use the same algorithm. For example, if GCMAES128 is chosen for IPsec Encryption, GCMAES128 must also be chosen for IPsec Integrity.

The following table shows the available IPsec parameters for Point-to-site VPN connections.

Setting Parameters
Phase 1 IKE Encryption AES128, AES256, GCMAES128, GCMAES256
Phase 1 IKE Integrity SHA256, SHA384
DH Group DHGroup14, DHGroup24, ECP256, ECP384
Phase 2 IPsec Encryption GCMAES128, GCMAES256, SHA256
Phase 2 IPsec Integrity GCMAES128, GCMAES256
PFS Group PFS14, PFS24, ECP256, ECP384

Next steps

See How to create a point-to-site connection

For more information about Virtual WAN, see the Virtual WAN FAQ.