About VPN Devices for Virtual Network
Updated: May 13, 2013
You can link your Windows Azure Virtual Network to an on-premises network via a site-to-site VPN connection. If you want to create a site-to-site connection, you’ll need to either obtain and configure a VPN device, or use Routing and Remote Access Service (RRAS) on Windows Server 2012. VPN device requirements vary depending on the type of connection that you want to create.
In order to start a VPN connection, the IP address information from the VPN device is entered in the Management Portal. A pre-shared key is then created, exported, and used to configure the VPN gateway device to complete the connection.
For more information about how to establish a site-to-site VPN connection, see Configure a Virtual Network Gateway in the Management Portal. For more information about using Routing and Remote Access, see Deploy Remote Access in the Cloud and Remote Access Step-by-Step Guide: Deploying Remote Access with VPN Reconnect.
Static and dynamic routing configurations
You can create site-to-site VPNs that are either static or dynamic. We recommend that you deploy dynamically routed VPN configurations whenever possible.
| Important |
|---|
| You cannot switch routing configurations (static to dynamic or dynamic to static) without deleting and then re-creating the gateway. |
Static routing VPNs
Static routing VPNs are also referred to as policy-based VPNs. Policy-based VPNs encrypt and route packets through an interface based on a customer-defined policy. The policy is usually defined as an access list.
Dynamic routing VPNs
Dynamic routing VPNs are also referred to as route-based VPNs. Route-based VPNs depend on a tunnel interface specifically created for forwarding packets. Any packet arriving on the tunnel interface will be forwarded through the VPN connection.
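The difference between the two routing types comes down to which packets get encrypted. The following toy model is an added illustration, not code from this page or from Microsoft: a policy-based VPN encrypts a packet only when its (source, destination) pair matches an access-list entry, while a route-based VPN encrypts whatever the routing table sends to the dedicated tunnel interface. The subnets, interface names and packets are constructed sample data.

```python
"""Toy model of policy-based (static) versus route-based (dynamic) VPN
forwarding. Added example; the topology below is constructed."""
from ipaddress import ip_address, ip_network


class PolicyBasedVpn:
    """Policy-based VPN: a packet is encrypted only if it matches an entry
    in the customer-defined access list (local subnet -> remote subnet)."""

    def __init__(self, access_list):
        self.access_list = [(ip_network(local), ip_network(remote))
                            for local, remote in access_list]

    def encrypts(self, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        return any(src in local and dst in remote
                   for local, remote in self.access_list)


class RouteBasedVpn:
    """Route-based VPN: a tunnel interface exists purely for forwarding,
    and any packet the routing table sends to it is encrypted, whatever
    its source address."""

    TUNNEL = "tunnel0"  # hypothetical tunnel interface name

    def __init__(self, routes):
        # routes: destination prefix -> egress interface name
        self.routes = {ip_network(prefix): iface for prefix, iface in routes.items()}

    def next_hop_interface(self, dst):
        dst = ip_address(dst)
        matches = [prefix for prefix in self.routes if dst in prefix]
        if not matches:
            return None
        # longest-prefix match, as a real router does
        return self.routes[max(matches, key=lambda p: p.prefixlen)]

    def encrypts(self, src, dst):
        return self.next_hop_interface(dst) == self.TUNNEL


# Constructed topology: on-premises 10.1.0.0/16, virtual network 10.2.0.0/16.
POLICY = PolicyBasedVpn([("10.1.0.0/16", "10.2.0.0/16")])
ROUTED = RouteBasedVpn({"10.2.0.0/16": "tunnel0", "0.0.0.0/0": "eth0"})


def compare(src, dst):
    """Return (policy_based_encrypts, route_based_encrypts) for one packet."""
    return POLICY.encrypts(src, dst), ROUTED.encrypts(src, dst)


if __name__ == "__main__":
    for packet in [("10.1.5.5", "10.2.1.1"),     # covered by the access list
                   ("192.168.1.1", "10.2.1.1"),  # new on-prem subnet, not in the list
                   ("10.1.5.5", "8.8.8.8")]:     # internet-bound, never tunnelled
        print(packet, "-> policy/route encrypts:", compare(*packet))
```

The second packet shows why route-based is the recommended configuration: a source subnet that was never added to the access list is silently sent in the clear by the policy-based device, while the route-based device encrypts it because only the destination route matters.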
Gateway requirements
The table below lists the requirements for both static and dynamic VPN gateways.
| Property | Static routing VPN gateway | Dynamic routing VPN gateway |
|---|---|---|
| Site-to-site connectivity | Policy-based VPN configuration | Route-based VPN configuration |
| Computer-to-site connectivity | Not supported | Supported (coexists with S2S connectivity) |
| Authentication method | Pre-shared key | Pre-shared key for site-to-site connectivity; certificates for point-to-site connectivity |
| Maximum number of site-to-site connections | 1 | 1 |
| Maximum number of computer-to-site connections | Not supported | 250 |
| Key exchange | IKEv1 | IKEv2 |
| Encapsulation | ESP | ESP for site-to-site; SSTP for computer-to-site |
| Diffie-Hellman group | Group 2 | Group 2 |
| Encryption algorithms | 3DES, AES128, AES256 | 3DES, AES256 |
| Hashing algorithm | SHA1 (SHA128), SHA2 (SHA256) | SHA1 (SHA128), SHA2 (SHA256, SHA384) |
| Phase 1 Security Association (SA) lifetime (time) | 28800 seconds | 28800 seconds |
| Phase 2 Security Association (SA) lifetime (time) | 3600 seconds | 3600 seconds |
| Phase 2 Security Association (SA) lifetime (throughput) | 102400000 KB | 102400000 KB |
| Active routing support (BGP) | Not supported | Not supported |
| Dead Peer Detection | Not supported | Supported |
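When a device is not on the known-compatible list, the table above is the checklist to verify it against. The script below is an added example (not Microsoft's code) that transcribes the table's values and reports every mismatch between a device's proposed IKE/IPsec settings and the chosen gateway type; the proposal dictionaries at the bottom are constructed samples, and the key names are this example's own convention.

```python
"""Check a VPN device's IKE/IPsec proposal against the gateway requirements
table. Added example; requirement values are transcribed from the table,
the sample proposals are constructed."""

GATEWAY_REQUIREMENTS = {
    "static": {   # policy-based, IKEv1
        "ike_version": {1},
        "dh_group": {2},
        "encryption": {"3DES", "AES128", "AES256"},
        "hash": {"SHA1", "SHA256"},
        "phase1_lifetime_s": 28800,
        "phase2_lifetime_s": 3600,
        "phase2_lifetime_kb": 102400000,
        "dpd": False,
        "bgp": False,
    },
    "dynamic": {  # route-based, IKEv2
        "ike_version": {2},
        "dh_group": {2},
        "encryption": {"3DES", "AES256"},   # note: no AES128 on the dynamic gateway
        "hash": {"SHA1", "SHA256", "SHA384"},
        "phase1_lifetime_s": 28800,
        "phase2_lifetime_s": 3600,
        "phase2_lifetime_kb": 102400000,
        "dpd": True,
        "bgp": False,
    },
}

# Parameters where the device's value must be one of the gateway's options.
CHOICE_FIELDS = (("ike_version", "IKE version"),
                 ("dh_group", "Diffie-Hellman group"),
                 ("encryption", "encryption algorithm"),
                 ("hash", "hashing algorithm"))
# Parameters the gateway uses as fixed values.
FIXED_FIELDS = (("phase1_lifetime_s", "Phase 1 SA lifetime (seconds)"),
                ("phase2_lifetime_s", "Phase 2 SA lifetime (seconds)"),
                ("phase2_lifetime_kb", "Phase 2 SA lifetime (KB)"))


def check_proposal(gateway_type, proposal):
    """Return a list of mismatch descriptions; an empty list means the
    proposal satisfies every row of the table for that gateway type."""
    if gateway_type not in GATEWAY_REQUIREMENTS:
        raise ValueError(f"unknown gateway type {gateway_type!r}")
    req = GATEWAY_REQUIREMENTS[gateway_type]
    problems = []
    for key, label in CHOICE_FIELDS:
        if proposal[key] not in req[key]:
            problems.append(f"{label} {proposal[key]} not accepted; "
                            f"gateway offers {sorted(req[key], key=str)}")
    for key, label in FIXED_FIELDS:
        if proposal[key] != req[key]:
            problems.append(f"{label} is {proposal[key]}, gateway uses {req[key]}")
    if proposal.get("dpd") and not req["dpd"]:
        problems.append("Dead Peer Detection requested but not supported by this gateway type")
    if proposal.get("bgp") and not req["bgp"]:
        problems.append("BGP requested but not supported by this gateway type")
    return problems


def compatible_gateway_types(proposal):
    """Gateway types (static/dynamic) the proposal can be used with."""
    return [g for g in GATEWAY_REQUIREMENTS if not check_proposal(g, proposal)]


# Constructed sample proposals.
IKEV1_PROPOSAL = {"ike_version": 1, "dh_group": 2, "encryption": "AES256",
                  "hash": "SHA1", "phase1_lifetime_s": 28800,
                  "phase2_lifetime_s": 3600, "phase2_lifetime_kb": 102400000,
                  "dpd": False, "bgp": False}
IKEV2_AES128_PROPOSAL = dict(IKEV1_PROPOSAL, ike_version=2, encryption="AES128",
                             hash="SHA256", dpd=True)

if __name__ == "__main__":
    for name, prop in (("IKEv1/AES256", IKEV1_PROPOSAL),
                       ("IKEv2/AES128", IKEV2_AES128_PROPOSAL)):
        print(name, "compatible with:", compatible_gateway_types(prop))
        for g in GATEWAY_REQUIREMENTS:
            for problem in check_proposal(g, prop):
                print(f"  [{g}] {problem}")
```

The IKEv2/AES128 sample is deliberately the awkward case: it is rejected by the static gateway for its IKE version and by the dynamic gateway for its cipher, so a device proposing it matches neither type even though each setting is valid somewhere in the table.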
VPN device requirements
We have validated a set of standard S2S VPN devices in partnership with device vendors. For a list of known compatible VPN devices and their corresponding configuration templates, see Known compatible VPN devices, below. All devices in the device families listed as known compatible should work with Virtual Network. To help configure your VPN device, refer to the device configuration template that corresponds to the appropriate device family.
If you don’t see your device listed as a known compatible VPN device and want to use the device for your VPN connection, you’ll need to verify that it meets the minimum requirements outlined in the Gateway requirements table. Devices meeting the minimum requirements should also work well with Virtual Network. Please contact your device manufacturer for additional support and configuration instructions.
| Note |
|---|
| All VPN devices, regardless of the routing type you plan to use, must have a public-facing IPv4 address. |
Known compatible VPN devices
We have worked with VPN device vendors to jointly qualify specific VPN device families. The section below provides a list of all device families known to work with our virtual network gateway. All devices that are members of the listed device families are known to work unless exceptions are mentioned.
| Vendor | Device family | Minimum OS version | Configuration template for static routing (policy-based) | Configuration template for dynamic routing (route-based) |
|---|---|---|---|---|
| Cisco | ASA | 8.3 | Available | Not supported |
| Cisco | ASR | IOS 15.1 (static), IOS 15.2 (dynamic) | Available | Available |
| Cisco | ISR | IOS 15.0 (static), IOS 15.1 (dynamic) | Available | Available |
| Juniper | SRX | JunOS 10.2 (static), JunOS 11.4 (dynamic) | Available | Available |
| Juniper | J-Series | JunOS 10.4r9 (static), JunOS 11.4 (dynamic) | Available | Available |
| Juniper | ISG | ScreenOS 6.3 (static and dynamic) | Available | Available |
| Juniper | SSG | ScreenOS 6.2 (static and dynamic) | Available | Available |
| Microsoft | Routing and Remote Access Service | Windows Server 2012 | Not supported | Available |
See Also
Concepts
Windows Azure Virtual Network Overview
About Configuring a Virtual Network in the Management Portal
Configure a Point-to-Site VPN in the Management Portal
Change a Virtual Network Gateway Routing Type
Windows Azure Virtual Network Configuration Tasks
Other Resources
Windows Azure Virtual Machines
How to Create a Custom Virtual Machine