About VPN Devices for Virtual Network

Updated: July 10, 2014

A secure site-to-site VPN connection can be used to create a branch office solution, or whenever you want a secure connection between your on-premises network and your virtual network. Site-to-site connections require an on-premises VPN device with a public-facing IPv4 address; the device must be either a compatible VPN device or RRAS running on Windows Server 2012. To create the site-to-site VPN connection that best fits your needs, consider the gateway type and the VPN device, as described below.

When you create a site-to-site VPN, you specify either a static routing gateway or a dynamic routing gateway. Select the gateway type that your VPN device supports and that provides the IPsec parameters and configuration you require; the tables below show the supported configurations for both. If you plan to use a site-to-site configuration concurrently with a point-to-site configuration, you must use a dynamic routing VPN gateway.

  • Static routing VPNs – Static routing VPNs are also referred to as policy-based VPNs. Policy-based VPNs encrypt and route packets through an interface based on a customer-defined policy. The policy is usually defined as an access list. Static routing VPNs require a static routing VPN gateway.
    Note - Multi-Site VPN, VNet to VNet, and Point-to-Site are not supported with static routing VPN gateways.

  • Dynamic routing VPNs – Dynamic routing VPNs are also referred to as route-based VPNs. Route-based VPNs depend on a tunnel interface specifically created for forwarding packets. Any packet arriving on the tunnel interface will be forwarded through the VPN connection. Dynamic routing VPNs require a dynamic routing VPN gateway.
    Note - A dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.

The table below lists the requirements for both static and dynamic VPN gateways.

Property                               | Static Routing VPN gateway     | Dynamic Routing VPN gateway
Site-to-Site connectivity (S2S)        | Policy-based VPN configuration | Route-based VPN configuration
Point-to-Site connectivity (P2S)       | Not supported                  | Supported (can coexist with site-to-site connectivity)
Authentication method                  | Pre-shared key                 | Pre-shared key for site-to-site connectivity; certificates for point-to-site connectivity
Maximum number of S2S connections      | 1                              | 10
Maximum number of P2S connections      | Not supported                  | 128
Active routing support (BGP)           | Not supported                  | Not supported

We have validated a set of standard site-to-site (S2S) VPN devices in partnership with device vendors. For a list of the VPN devices that are known to be compatible with Virtual Network, see Known compatible VPN devices, below. All devices in the device families contained in this list should work with Virtual Network. To help configure your VPN device, refer to the device configuration template that corresponds to the appropriate device family.

If you don’t see your device in the known compatible VPN device list and want to use the device for your VPN connection, you’ll need to verify that it meets the minimum requirements outlined in the Gateway requirements table. Devices meeting the minimum requirements should also work well with Virtual Network. Please contact your device manufacturer for additional support and configuration instructions.

Known compatible VPN devices

We have worked with VPN device vendors to jointly qualify specific VPN device families. The table below lists all device families known to work with our virtual network gateway. All devices that are members of the listed device families are known to work unless exceptions are mentioned. For VPN device support, please contact your device manufacturer.

 

Vendor          | Device family                                                  | Minimum OS version                          | Static routing configuration example             | Dynamic routing configuration example
Allied Telesis  | AR Series VPN Routers                                          | 2.9.2                                       | Coming soon                                      | Not compatible
Brocade         | Vyatta 5400 vRouter                                            | Virtual Router 6.6R3 GA                     | Configuration instructions                       | Not compatible
Check Point     | Security Gateway                                               | R75.40, R75.40VS                            | Configuration instructions                       | Configuration instructions
Cisco           | ASA                                                            | 8.3                                         | Cisco ASA templates                              | Not compatible
Cisco           | ASR                                                            | IOS 15.1 (static), IOS 15.2 (dynamic)       | Cisco ASR templates                              | Cisco ASR templates
Cisco           | ISR                                                            | IOS 15.0 (static), IOS 15.1 (dynamic)       | Cisco ISR templates                              | Cisco ISR templates
Citrix          | CloudBridge MPX appliance or VPX virtual appliance             | N/A                                         | Integration instructions                         | Not compatible
Dell SonicWALL  | TZ Series, NSA Series, SuperMassive Series, E-Class NSA Series | SonicOS 5.8.x, SonicOS 5.9.x, SonicOS 6.x   | Configuration instructions                       | Configuration instructions
F5              | BIG-IP series                                                  | N/A                                         | Configuration instructions                       | Not compatible
Fortinet        | FortiGate                                                      | FortiOS 5.0.7                               | Configuration instructions                       | Configuration instructions
Juniper         | SRX                                                            | JunOS 10.2 (static), JunOS 11.4 (dynamic)   | Juniper SRX templates                            | Juniper SRX templates
Juniper         | J-Series                                                       | JunOS 10.4r9 (static), JunOS 11.4 (dynamic) | Juniper J-series templates                       | Juniper J-series templates
Juniper         | ISG                                                            | ScreenOS 6.3 (static and dynamic)           | Juniper ISG templates                            | Juniper ISG templates
Juniper         | SSG                                                            | ScreenOS 6.2 (static and dynamic)           | Juniper SSG templates                            | Juniper SSG templates
Microsoft       | Routing and Remote Access Service                              | Windows Server 2012                         | Not compatible                                   | Routing and Remote Access Service (RRAS) templates
Openswan        | Openswan                                                       | 2.6.32                                      | Coming soon                                      | Not compatible
Watchguard      | All                                                            | Fireware XTM v11.x                          | Configuration instructions                       | Not compatible

After you download the provided VPN device configuration template, you’ll need to replace some of the values to reflect the settings for your environment. If you downloaded your VPN device template from the Management Portal, you’ll notice that some strings are pre-populated with values that pertain to your virtual network. However, you must still update the template to reflect the additional values that are specific to your environment.

Open the template in a text editor such as Notepad. Search for every <text> placeholder and replace it with the value that pertains to your environment, including the < and > characters. Where the template asks for a name (the <RP_...> placeholders), choose a name that is unique on the device. If a command does not work, consult your device manufacturer's documentation.

 

Template text                    | Change to
<RP_OnPremisesNetwork>           | Your chosen name for this object. Example: myOnPremisesNetwork
<RP_AzureNetwork>                | Your chosen name for this object. Example: myAzureNetwork
<RP_AccessList>                  | Your chosen name for this object. Example: myAzureAccessList
<RP_IPSecTransformSet>           | Your chosen name for this object. Example: myIPSecTransformSet
<RP_IPSecCryptoMap>              | Your chosen name for this object. Example: myIPSecCryptoMap
<SP_AzureNetworkIpRange>         | Specify the virtual network address range. Example: 192.168.0.0
<SP_AzureNetworkSubnetMask>      | Specify the virtual network subnet mask. Example: 255.255.0.0
<SP_OnPremisesNetworkIpRange>    | Specify the on-premises address range. Example: 10.2.1.0
<SP_OnPremisesNetworkSubnetMask> | Specify the on-premises subnet mask. Example: 255.255.255.0
<SP_AzureGatewayIpAddress>       | This value is specific to your virtual network and is shown in the Management Portal as Gateway IP address.
<SP_PresharedKey>                | This value is specific to your virtual network and is shown in the Management Portal under Manage Key.
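The search-and-replace step above is easy to get wrong by hand: a placeholder left in the file, an on-premises range with host bits set, or two objects given the same name. The script below is an added example, not code from the page or from any vendor template. It fills the <RP_...> and <SP_...> placeholders from a dictionary, validates the values first, and refuses to emit a configuration that still contains a placeholder. The sample template text, the gateway address (203.0.113.10, taken from the documentation address range) and the pre-shared key are constructed for the example; everything else comes from the table above.

```python
import ipaddress
import re

# Constructed stand-in for a downloaded device template (not a real vendor
# template): it only reproduces the <RP_...>/<SP_...> placeholder convention.
SAMPLE_TEMPLATE = """\
object-group network <RP_OnPremisesNetwork>
 network-object <SP_OnPremisesNetworkIpRange> <SP_OnPremisesNetworkSubnetMask>
object-group network <RP_AzureNetwork>
 network-object <SP_AzureNetworkIpRange> <SP_AzureNetworkSubnetMask>
access-list <RP_AccessList> extended permit ip object-group <RP_OnPremisesNetwork> object-group <RP_AzureNetwork>
crypto ipsec ikev1 transform-set <RP_IPSecTransformSet> esp-aes-256 esp-sha-hmac
crypto map <RP_IPSecCryptoMap> 10 match address <RP_AccessList>
crypto map <RP_IPSecCryptoMap> 10 set peer <SP_AzureGatewayIpAddress>
tunnel-group <SP_AzureGatewayIpAddress> ipsec-attributes
 ikev1 pre-shared-key <SP_PresharedKey>
"""

PLACEHOLDER = re.compile(r"<((?:RP|SP)_[A-Za-z0-9]+)>")

NETWORKS = (("SP_AzureNetworkIpRange", "SP_AzureNetworkSubnetMask"),
            ("SP_OnPremisesNetworkIpRange", "SP_OnPremisesNetworkSubnetMask"))


def validate_values(values):
    """Return a list of problems with the replacement values (empty = OK).

    RP_* values are object names and must be distinct; SP_* values are
    addresses and masks and must be well-formed IPv4 with no host bits set.
    """
    problems = []
    names = [v for k, v in values.items() if k.startswith("RP_")]
    if len(names) != len(set(names)):
        problems.append("RP_* object names are not unique")
    for range_key, mask_key in NETWORKS:
        try:
            # strict=True rejects e.g. 10.2.1.5/255.255.255.0 (host bits set)
            ipaddress.IPv4Network(f"{values[range_key]}/{values[mask_key]}", strict=True)
        except (KeyError, ValueError) as exc:
            problems.append(f"{range_key}/{mask_key}: {exc}")
    try:
        ipaddress.IPv4Address(values["SP_AzureGatewayIpAddress"])
    except (KeyError, ValueError) as exc:
        problems.append(f"SP_AzureGatewayIpAddress: {exc}")
    if not values.get("SP_PresharedKey"):
        problems.append("SP_PresharedKey is empty")
    return problems


def fill_template(template, values):
    """Substitute every <RP_*>/<SP_*> placeholder; refuse to emit a config
    that was built from invalid values or still contains a placeholder."""
    problems = validate_values(values)
    if problems:
        raise ValueError("; ".join(problems))

    def replace(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"template needs a value for <{key}>")
        return values[key]

    filled = PLACEHOLDER.sub(replace, template)
    assert not leftover_placeholders(filled)
    return filled


def leftover_placeholders(text):
    """Placeholders still present in a (supposedly) filled template."""
    return sorted(set(PLACEHOLDER.findall(text)))


# Example values: the names and ranges from the table above. The gateway
# address (documentation range) and the key are made up for this example.
EXAMPLE_VALUES = {
    "RP_OnPremisesNetwork": "myOnPremisesNetwork",
    "RP_AzureNetwork": "myAzureNetwork",
    "RP_AccessList": "myAzureAccessList",
    "RP_IPSecTransformSet": "myIPSecTransformSet",
    "RP_IPSecCryptoMap": "myIPSecCryptoMap",
    "SP_AzureNetworkIpRange": "192.168.0.0",
    "SP_AzureNetworkSubnetMask": "255.255.0.0",
    "SP_OnPremisesNetworkIpRange": "10.2.1.0",
    "SP_OnPremisesNetworkSubnetMask": "255.255.255.0",
    "SP_AzureGatewayIpAddress": "203.0.113.10",
    "SP_PresharedKey": "replace-with-the-key-from-Manage-Key",
}

if __name__ == "__main__":
    print(fill_template(SAMPLE_TEMPLATE, EXAMPLE_VALUES))
```

Run it against a real downloaded template by reading the file into `template` and loading the values from your own records; the `strict=True` network check is what catches the common mistake of entering a host address (10.2.1.5) where the template wants the network address (10.2.1.0).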

IKE Phase 1 setup

Property                        | Static Routing VPN gateway | Dynamic Routing VPN gateway
IKE version                     | IKEv1                      | IKEv2
Diffie-Hellman group            | Group 2 (1024 bit)         | Group 2 (1024 bit)
Authentication method           | Pre-shared key             | Pre-shared key
Encryption algorithms           | AES256, AES128, 3DES       | AES256, 3DES
Hashing algorithm               | SHA1                       | SHA1
Phase 1 SA lifetime (time)      | 28,800 seconds             | 28,800 seconds

IKE Phase 2 setup

Property                                                          | Static Routing VPN gateway                   | Dynamic Routing VPN gateway
IKE version                                                       | IKEv1                                        | IKEv2
Hashing algorithm                                                 | SHA1                                         | SHA1
Phase 2 SA lifetime (time)                                        | 3,600 seconds                                | -
Phase 2 SA lifetime (throughput)                                  | 102,400,000 KB                               | -
IPsec SA encryption and authentication offers (in order of preference) | 1. ESP-AES256  2. ESP-AES128  3. ESP-3DES | See the dynamic routing gateway IPsec SA offers table below
Perfect Forward Secrecy (PFS)                                     | No                                           | No
Dead Peer Detection (DPD)                                         | Not supported                                | Supported

The table below lists the IPsec SA encryption and authentication offers of the dynamic routing gateway. Offers are listed in the order of preference in which the offer is presented (Azure gateway as initiator) or accepted (Azure gateway as responder).

#  | Azure gateway as initiator                                   | Azure gateway as responder
1  | ESP AES_256 SHA                                              | ESP AES_128 SHA
2  | ESP AES_128 SHA                                              | ESP 3_DES MD5
3  | ESP 3_DES MD5                                                | ESP 3_DES SHA
4  | ESP 3_DES SHA                                                | AH SHA1 with ESP AES_128 with null HMAC
5  | AH SHA1 with ESP AES_256 with null HMAC                      | AH SHA1 with ESP 3_DES with null HMAC
6  | AH SHA1 with ESP AES_128 with null HMAC                      | AH MD5 with ESP 3_DES with null HMAC, no lifetimes proposed
7  | AH SHA1 with ESP 3_DES with null HMAC                        | AH SHA1 with ESP 3_DES SHA1, no lifetimes
8  | AH MD5 with ESP 3_DES with null HMAC, no lifetimes proposed  | AH MD5 with ESP 3_DES MD5, no lifetimes
9  | AH SHA1 with ESP 3_DES SHA1, no lifetimes                    | ESP DES MD5
10 | AH MD5 with ESP 3_DES MD5, no lifetimes                      | ESP DES SHA1, no lifetimes
11 | ESP DES MD5                                                  | AH SHA1 with ESP DES null HMAC, no lifetimes proposed
12 | ESP DES SHA1, no lifetimes                                   | AH MD5 with ESP DES null HMAC, no lifetimes proposed
13 | AH SHA1 with ESP DES null HMAC, no lifetimes proposed        | AH SHA1 with ESP DES SHA1, no lifetimes
14 | AH MD5 with ESP DES null HMAC, no lifetimes proposed         | AH MD5 with ESP DES MD5, no lifetimes
15 | AH SHA1 with ESP DES SHA1, no lifetimes                      | ESP SHA, no lifetimes
16 | AH MD5 with ESP DES MD5, no lifetimes                        | ESP MD5, no lifetimes
17 | -                                                            | AH SHA, no lifetimes
18 | -                                                            | AH MD5, no lifetimes

Note that the responder list accepts DES, 3DES and MD5, as well as AH-only offers that carry no ESP encryption at all, so the strength of the SA that is actually negotiated depends on what the on-premises device proposes. If you do not want one of those legacy offers selected, restrict the device's IPsec proposals to the AES/SHA1 entries.
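To make the Phase 1/Phase 2 parameters and the offer table above checkable rather than something to eyeball, the following added example (not code from the page) encodes them: `check_proposal` reports which settings of an on-premises Phase 1 proposal differ from the chosen gateway type, `parse_offer` parses the page's own offer notation ("AH SHA1 with ESP AES_128 with null HMAC" and the like), and `negotiate` models the page's statement that offers are presented or accepted in the listed order by returning the first gateway offer the device also proposes. The proposal dictionaries and the device offer lists are constructed inputs; real responder selection behaviour depends on the implementation on each side, so treat the result as a pre-flight check, not a guarantee.

```python
import re

# IKE Phase 1 parameters as given in the Phase 1 and Phase 2 tables on this
# page. Phase 1 cipher names follow the Phase 1 table (AES256); the IPsec
# offer notation further down follows the SA offers table (AES_256).
GATEWAY = {
    "static":  {"ike": "IKEv1", "dh_group": 2, "p1_enc": ("AES256", "AES128", "3DES"),
                "p1_hash": "SHA1", "p1_lifetime": 28800, "pfs": False, "dpd": False},
    "dynamic": {"ike": "IKEv2", "dh_group": 2, "p1_enc": ("AES256", "3DES"),
                "p1_hash": "SHA1", "p1_lifetime": 28800, "pfs": False, "dpd": True},
}


def check_proposal(gateway_type, proposal):
    """List the settings of an on-premises proposal that differ from what
    the chosen gateway type supports. An empty list means compatible."""
    g = GATEWAY[gateway_type]
    problems = []
    if proposal["ike"] != g["ike"]:
        problems.append(f"IKE version {proposal['ike']} (gateway uses {g['ike']})")
    if proposal["dh_group"] != g["dh_group"]:
        problems.append(f"DH group {proposal['dh_group']} (only group 2 is listed)")
    if proposal["p1_enc"] not in g["p1_enc"]:
        problems.append(f"Phase 1 cipher {proposal['p1_enc']} not in {g['p1_enc']}")
    if proposal["p1_hash"] != g["p1_hash"]:
        problems.append(f"Phase 1 hash {proposal['p1_hash']} (gateway uses SHA1)")
    if proposal["p1_lifetime"] != g["p1_lifetime"]:
        problems.append(f"Phase 1 lifetime {proposal['p1_lifetime']} s differs from 28800 s")
    if proposal.get("pfs") and not g["pfs"]:
        problems.append("PFS enabled (neither gateway type supports PFS)")
    if proposal.get("dpd") and not g["dpd"]:
        problems.append("DPD enabled (not supported on a static routing gateway)")
    return problems


CIPHERS = {"AES_256", "AES_128", "3_DES", "DES"}
HASHES = {"SHA": "SHA1", "SHA1": "SHA1", "MD5": "MD5"}


def parse_offer(text):
    """Parse one entry of the SA offers table's notation into the tuple
    (esp_cipher, esp_integrity, ah_integrity); None means 'absent'.
    'null HMAC' means ESP carries no integrity check of its own, so the AH
    header is the only authentication on that offer."""
    body = re.split(r",\s*no lifetimes", " ".join(text.split()))[0]
    enc = esp_auth = ah_auth = None
    for part in body.split(" with "):
        toks = part.split()
        if toks[0] == "AH":
            ah_auth = HASHES[toks[1]]
        elif toks[0] == "ESP":
            for tok in toks[1:]:
                if tok in CIPHERS:
                    enc = tok
                elif tok in HASHES:
                    esp_auth = HASHES[tok]
    return (enc, esp_auth, ah_auth)


# The two columns of the SA offers table, in the page's order.
INITIATOR_ORDER = [parse_offer(o) for o in (
    "ESP AES_256 SHA", "ESP AES_128 SHA", "ESP 3_DES MD5", "ESP 3_DES SHA",
    "AH SHA1 with ESP AES_256 with null HMAC", "AH SHA1 with ESP AES_128 with null HMAC",
    "AH SHA1 with ESP 3_DES with null HMAC",
    "AH MD5 with ESP 3_DES with null HMAC, no lifetimes proposed",
    "AH SHA1 with ESP 3_DES SHA1, no lifetimes", "AH MD5 with ESP 3_DES MD5, no lifetimes",
    "ESP DES MD5", "ESP DES SHA1, no lifetimes",
    "AH SHA1 with ESP DES null HMAC, no lifetimes proposed",
    "AH MD5 with ESP DES null HMAC, no lifetimes proposed",
    "AH SHA1 with ESP DES SHA1, no lifetimes", "AH MD5 with ESP DES MD5, no lifetimes")]

RESPONDER_ORDER = [parse_offer(o) for o in (
    "ESP AES_128 SHA", "ESP 3_DES MD5", "ESP 3_DES SHA",
    "AH SHA1 with ESP AES_128 with null HMAC", "AH SHA1 with ESP 3_DES with null HMAC",
    "AH MD5 with ESP 3_DES with null HMAC, no lifetimes proposed",
    "AH SHA1 with ESP 3_DES SHA1, no lifetimes", "AH MD5 with ESP 3_DES MD5, no lifetimes",
    "ESP DES MD5", "ESP DES SHA1, no lifetimes",
    "AH SHA1 with ESP DES null HMAC, no lifetimes proposed",
    "AH MD5 with ESP DES null HMAC, no lifetimes proposed",
    "AH SHA1 with ESP DES SHA1, no lifetimes", "AH MD5 with ESP DES MD5, no lifetimes",
    "ESP SHA, no lifetimes", "ESP MD5, no lifetimes", "AH SHA, no lifetimes", "AH MD5, no lifetimes")]

LEGACY = {"DES", "3_DES", "MD5"}  # algorithms a practitioner would not pick today


def negotiate(gateway_order, device_offers):
    """Model of 'offers are presented/accepted in the listed order': return
    the first gateway offer the device also proposes, or None if no match."""
    proposed = {parse_offer(o) for o in device_offers}
    return next((o for o in gateway_order if o in proposed), None)


def legacy_parts(offer):
    """Which parts of a negotiated offer use DES, 3DES or MD5."""
    return sorted(p for p in offer if p in LEGACY)
```

One thing the model makes visible: the responder column has no AES_256 entry, so a device that proposes only ESP AES_256 SHA to a dynamic gateway that is acting as responder finds no match in the table, while the same proposal matches the gateway's first offer when the gateway initiates.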
