
About VPN Devices and Gateways for Virtual Network Connectivity

Updated: July 13, 2015

A secure site-to-site VPN connection can be used to create a branch office solution or whenever you want a secure connection between your on-premises network and your virtual network. Site-to-site connections require a public-facing IPv4 address and a compatible VPN device, or RRAS running on Windows Server 2012. To create the VPN connection that best fits your needs, you’ll want to consider the following factors:

For the latest information about Gateways, see About VPN Gateways and Configure a VPN Gateway.

We have validated a set of standard site-to-site (S2S) VPN devices in partnership with device vendors. For a list of the VPN devices that are known to be compatible with Virtual Network, see Known compatible VPN devices, below. All devices in the device families contained in this list should work with Virtual Network. To help configure your VPN device, refer to the device configuration sample that corresponds to the appropriate device family.

If you don’t see your device in the known compatible VPN device list and want to use the device for your VPN connection, you’ll need to verify that it meets the minimum requirements outlined in the Gateway Requirements table. Devices meeting the minimum requirements should also work well with Virtual Network. Please contact your device manufacturer for additional support and configuration instructions.

We have worked with VPN device vendors to jointly qualify specific VPN device families. The section below provides a list of all device families known to work with our virtual network gateway. All devices that are members of the listed device families are known to work unless exceptions are mentioned. For VPN device support, please contact your device manufacturer.

Known compatible VPN devices

Vendor | Device family | Minimum OS version | Static Routing configuration example | Dynamic Routing configuration example
------ | ------------- | ------------------ | ------------------------------------ | -------------------------------------
Allied Telesis | AR Series VPN Routers | 2.9.2 | Coming soon | Not compatible
Barracuda Networks, Inc. | Barracuda NG Firewall; Barracuda Firewall | Barracuda NG Firewall 5.4.3; Barracuda Firewall 6.5 | Barracuda NG Firewall; Barracuda Firewall | Not compatible
Brocade | Vyatta 5400 vRouter | Virtual Router 6.6R3 GA | Configuration instructions | Not compatible
Check Point | Security Gateway | R75.40; R75.40VS | Configuration instructions | Configuration instructions
Cisco | ASA | 8.3 | Cisco ASA samples | Not compatible
Cisco | ASR | IOS 15.1 (static); IOS 15.2 (dynamic) | Cisco ASR samples | Cisco ASR samples
Cisco | ISR | IOS 15.0 (static); IOS 15.1 (dynamic) | Cisco ISR samples | Cisco ISR samples
Citrix | CloudBridge MPX appliance or VPX virtual appliance | N/A | Integration instructions | Not compatible
Dell SonicWALL | TZ Series; NSA Series; SuperMassive Series; E-Class NSA Series | SonicOS 5.8.x, SonicOS 5.9.x, SonicOS 6.x | Configuration instructions | Not compatible
F5 | BIG-IP series | N/A | Configuration instructions | Not compatible
Fortinet | FortiGate | FortiOS 5.0.7 | Configuration instructions | Configuration instructions
Internet Initiative Japan (IIJ) | SEIL Series | SEIL/X 4.60; SEIL/B1 4.60; SEIL/x86 3.20 | Configuration instructions | Not compatible
Juniper | SRX | JunOS 10.2 (static); JunOS 11.4 (dynamic) | Juniper SRX samples | Juniper SRX samples
Juniper | J-Series | JunOS 10.4r9 (static); JunOS 11.4 (dynamic) | Juniper J-series samples | Juniper J-series samples
Juniper | ISG | ScreenOS 6.3 (static and dynamic) | Juniper ISG samples | Juniper ISG samples
Juniper | SSG | ScreenOS 6.2 (static and dynamic) | Juniper SSG samples | Juniper SSG samples
Microsoft | Routing and Remote Access Service | Windows Server 2012 | Not compatible | Routing and Remote Access Service (RRAS) sample
Openswan | Openswan | 2.6.32 | Coming soon | Not compatible
Palo Alto Networks | All devices running PAN-OS 5.0 or greater | PAN-OS 5.x or greater | Palo Alto Networks | Not compatible
Watchguard | All | Fireware XTM v11.x | Configuration instructions | Not compatible

After you download the provided VPN device configuration sample, you’ll need to replace some of the values to reflect the settings for your environment. If you downloaded your VPN device sample from the Management Portal, you’ll notice that some strings are pre-populated with values that pertain to your virtual network. However, you must still update the sample to reflect the additional values that are specific to your environment.

Open the sample using Notepad. Search and replace all <text> strings with the values that pertain to your environment. Be sure to include < and > in the search, so that no bracketed token is left behind. When a name is specified, the name you select should be unique. Once <SP_PresharedKey> has been filled in, the file contains the key in clear text, so handle it as you would any other credential. If a command does not work, please consult your device manufacturer documentation.

Sample text | Change to
----------- | ---------
<RP_OnPremisesNetwork> | Your chosen name for this object. Example: myOnPremisesNetwork
<RP_AzureNetwork> | Your chosen name for this object. Example: myAzureNetwork
<RP_AccessList> | Your chosen name for this object. Example: myAzureAccessList
<RP_IPSecTransformSet> | Your chosen name for this object. Example: myIPSecTransformSet
<RP_IPSecCryptoMap> | Your chosen name for this object. Example: myIPSecCryptoMap
<SP_AzureNetworkIpRange> | Specify range. Example: 192.168.0.0
<SP_AzureNetworkSubnetMask> | Specify subnet mask. Example: 255.255.0.0
<SP_OnPremisesNetworkIpRange> | Specify on-premises range. Example: 10.2.1.0
<SP_OnPremisesNetworkSubnetMask> | Specify on-premises subnet mask. Example: 255.255.255.0
<SP_AzureGatewayIpAddress> | This information is specific to your virtual network and is located in the Management Portal as Gateway IP address.
<SP_PresharedKey> | This information is specific to your virtual network and is located in the Management Portal as Manage Key.
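The substitution described above, done programmatically, as an added example (not code from the original page or from Microsoft). It fills every <RP_...>/<SP_...> token from a mapping, checks that the ranges, masks and gateway address are plausible, and refuses to emit output while any token is unfilled. The configuration text and the values are constructed for the example; the ASA-style syntax is only an illustration and the gateway address and key are stand-ins for what the Management Portal shows.

```python
"""Fill an Azure VPN device configuration sample with site-specific values.

Added example, not code from the original page or from Microsoft: it performs
the search-and-replace described above programmatically, validates the
address and mask values, and refuses to emit a file that still contains an
unfilled <...> token, so a half-edited sample never reaches a device.
"""
import ipaddress
import re

# The samples mark site-specific values with angle-bracket tokens such as
# <SP_PresharedKey>; this matches every RP_/SP_ token including the brackets.
PLACEHOLDER = re.compile(r"<(?:RP|SP)_[A-Za-z0-9]+>")

# Constructed stand-in for a downloaded sample (ASA-style syntax chosen for
# illustration; the real samples are longer and device specific but use the
# same placeholder names).
SAMPLE_CONFIG = """\
object network <RP_AzureNetwork>
 subnet <SP_AzureNetworkIpRange> <SP_AzureNetworkSubnetMask>
object network <RP_OnPremisesNetwork>
 subnet <SP_OnPremisesNetworkIpRange> <SP_OnPremisesNetworkSubnetMask>
access-list <RP_AccessList> extended permit ip object <RP_OnPremisesNetwork> object <RP_AzureNetwork>
crypto ipsec ikev1 transform-set <RP_IPSecTransformSet> esp-aes-256 esp-sha-hmac
crypto map <RP_IPSecCryptoMap> 10 match address <RP_AccessList>
crypto map <RP_IPSecCryptoMap> 10 set peer <SP_AzureGatewayIpAddress>
tunnel-group <SP_AzureGatewayIpAddress> ipsec-attributes
 ikev1 pre-shared-key <SP_PresharedKey>
"""

# Constructed values following the examples in the table above; the gateway
# address and the key are placeholders for what the Management Portal shows.
VALUES = {
    "RP_OnPremisesNetwork": "myOnPremisesNetwork",
    "RP_AzureNetwork": "myAzureNetwork",
    "RP_AccessList": "myAzureAccessList",
    "RP_IPSecTransformSet": "myIPSecTransformSet",
    "RP_IPSecCryptoMap": "myIPSecCryptoMap",
    "SP_AzureNetworkIpRange": "192.168.0.0",
    "SP_AzureNetworkSubnetMask": "255.255.0.0",
    "SP_OnPremisesNetworkIpRange": "10.2.1.0",
    "SP_OnPremisesNetworkSubnetMask": "255.255.255.0",
    "SP_AzureGatewayIpAddress": "203.0.113.10",
    "SP_PresharedKey": "copy-the-value-shown-under-Manage-Key",
}


def find_placeholders(text):
    """Return the distinct placeholder tokens in the order they first appear."""
    seen = []
    for match in PLACEHOLDER.finditer(text):
        if match.group(0) not in seen:
            seen.append(match.group(0))
    return seen


def validate_values(values):
    """Reject values that cannot be what the sample expects.

    A range with host bits set under its mask, overlapping networks, a gateway
    address inside either network, duplicate object names, or an empty
    pre-shared key are all caught before anything is rendered.
    """
    azure = ipaddress.IPv4Network((values["SP_AzureNetworkIpRange"],
                                   values["SP_AzureNetworkSubnetMask"]))
    onprem = ipaddress.IPv4Network((values["SP_OnPremisesNetworkIpRange"],
                                    values["SP_OnPremisesNetworkSubnetMask"]))
    if azure.overlaps(onprem):
        raise ValueError(f"Azure range {azure} overlaps on-premises range {onprem}")
    gateway = ipaddress.IPv4Address(values["SP_AzureGatewayIpAddress"])
    if gateway in azure or gateway in onprem:
        raise ValueError("gateway address must be the public address from the portal, "
                         "not an address inside either network")
    names = [v for k, v in values.items() if k.startswith("RP_")]
    if len(set(names)) != len(names):
        raise ValueError("object names must be unique")
    if not values["SP_PresharedKey"].strip():
        raise ValueError("pre-shared key is empty; copy it from Manage Key in the portal")


def render_sample(text, values):
    """Substitute every placeholder and fail closed if any token would remain."""
    validate_values(values)
    missing = [t for t in find_placeholders(text) if t[1:-1] not in values]
    if missing:
        raise KeyError("no value supplied for " + ", ".join(missing))
    rendered = PLACEHOLDER.sub(lambda m: values[m.group(0)[1:-1]], text)
    if PLACEHOLDER.search(rendered):  # a supplied value itself looked like a token
        raise ValueError("rendered text still contains a placeholder")
    return rendered


if __name__ == "__main__":
    # The output contains the pre-shared key in clear text: treat it as a credential.
    print(render_sample(SAMPLE_CONFIG, VALUES))
```

The strict network check is deliberate: ipaddress.IPv4Network refuses 10.2.1.5 with mask 255.255.255.0 because host bits are set, which is exactly the kind of copy error that produces a tunnel that comes up but passes no traffic.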

IKE Phase 1 setup

Property | Static Routing VPN gateway | Dynamic Routing VPN gateway and High Performance VPN gateway
-------- | -------------------------- | ------------------------------------------------------------
IKE Version | IKEv1 | IKEv2
Diffie-Hellman Group | Group 2 (1024 bit) | Group 2 (1024 bit)
Authentication Method | Pre-Shared Key | Pre-Shared Key
Encryption Algorithms | AES256, AES128, 3DES | AES256, 3DES
Hashing Algorithm | SHA1 (SHA128) | SHA1 (SHA128)
Phase 1 Security Association (SA) Lifetime (Time) | 28,800 seconds | 28,800 seconds

IKE Phase 2 setup

Property | Static Routing VPN gateway | Dynamic Routing VPN gateway and High Performance VPN gateway
-------- | -------------------------- | ------------------------------------------------------------
IKE Version | IKEv1 | IKEv2
Hashing Algorithm | SHA1 (SHA128) | SHA1 (SHA128)
Phase 2 Security Association (SA) Lifetime (Time) | 3,600 seconds | -
Phase 2 Security Association (SA) Lifetime (Throughput) | 102,400,000 KB | -
IPsec SA Encryption & Authentication Offers (in the order of preference) | 1. ESP-AES256; 2. ESP-AES128; 3. ESP-3DES; 4. N/A | See Dynamic Routing Gateway IPsec Security Association (SA) Offers, below
Perfect Forward Secrecy (PFS) | No | Yes (DH Group1)
Dead Peer Detection | Not supported | Supported

Dynamic Routing Gateway IPsec Security Association (SA) Offers

The table below lists the IPsec SA Encryption and Authentication Offers. Offers are listed in the order of preference in which the offer is presented (Azure Gateway as initiator) or accepted (Azure Gateway as responder).

# | Azure Gateway as initiator | Azure Gateway as responder
- | -------------------------- | --------------------------
1 | ESP AES_256 SHA | ESP AES_128 SHA
2 | ESP AES_128 SHA | ESP 3_DES MD5
3 | ESP 3_DES MD5 | ESP 3_DES SHA
4 | ESP 3_DES SHA | AH SHA1 with ESP AES_128 with null HMAC
5 | AH SHA1 with ESP AES_256 with null HMAC | AH SHA1 with ESP 3_DES with null HMAC
6 | AH SHA1 with ESP AES_128 with null HMAC | AH MD5 with ESP 3_DES with null HMAC, no lifetimes proposed
7 | AH SHA1 with ESP 3_DES with null HMAC | AH SHA1 with ESP 3_DES SHA1, no lifetimes
8 | AH MD5 with ESP 3_DES with null HMAC, no lifetimes proposed | AH MD5 with ESP 3_DES MD5, no lifetimes
9 | AH SHA1 with ESP 3_DES SHA1, no lifetimes | ESP DES MD5
10 | AH MD5 with ESP 3_DES MD5, no lifetimes | ESP DES SHA1, no lifetimes
11 | ESP DES MD5 | AH SHA1 with ESP DES null HMAC, no lifetimes proposed
12 | ESP DES SHA1, no lifetimes | AH MD5 with ESP DES null HMAC, no lifetimes proposed
13 | AH SHA1 with ESP DES null HMAC, no lifetimes proposed | AH SHA1 with ESP DES SHA1, no lifetimes
14 | AH MD5 with ESP DES null HMAC, no lifetimes proposed | AH MD5 with ESP DES MD5, no lifetimes
15 | AH SHA1 with ESP DES SHA1, no lifetimes | ESP SHA, no lifetimes
16 | AH MD5 with ESP DES MD5, no lifetimes | ESP MD5, no lifetimes
17 | - | AH SHA, no lifetimes
18 | - | AH MD5, no lifetimes

Note that you can specify IPsec ESP NULL encryption with the Dynamic Routing and High Performance VPN gateways; this is intended for VNet-to-VNet connections within Azure networks. For cross-premises connectivity through the Internet, use the default Azure VPN gateway settings with the encryption and hashing algorithms listed in the tables above, to ensure the security of your critical communication. The offer lists above also contain single DES, MD5 and integrity-only entries; restrict the proposals configured on your device so that a negotiation cannot settle on one of them.
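A checker for the Phase 1/Phase 2 tables and the SA offer table above, as an added example (not code from the original page or from Microsoft). It transcribes the table values, lists where a device policy departs from the table for the chosen gateway type, predicts which SA offer a negotiation lands on, and flags the single DES, MD5 and integrity-only offers that the note above warns against for Internet traffic. The negotiation model (the choosing side walks its own preference list and takes the first entry the other side also offers) is a simplification assumed for the example, not a description of the gateway's IKE implementation; the device policy is constructed.

```python
"""Check a VPN device's IKE/IPsec settings against the Azure gateway tables.

Added example, not code from the original page or from Microsoft. The table
values are transcribed from the page; the negotiation model is a simplifying
assumption of this example, not a statement about the gateway's IKE stack.
"""

# Phase 1 / Phase 2 values from the tables above; None marks a "-" cell.
GATEWAY = {
    "static": {"ike_version": "IKEv1", "dh_group": 2, "auth": "psk", "hash": "SHA1",
               "p1_encryption": {"AES256", "AES128", "3DES"}, "p1_lifetime_s": 28800,
               "p2_lifetime_s": 3600, "p2_lifetime_kb": 102400000,
               "pfs": False, "dpd": False},
    "dynamic": {"ike_version": "IKEv2", "dh_group": 2, "auth": "psk", "hash": "SHA1",
                "p1_encryption": {"AES256", "3DES"}, "p1_lifetime_s": 28800,
                "p2_lifetime_s": None, "p2_lifetime_kb": None,
                "pfs": True, "dpd": True},
}

# Dynamic Routing gateway IPsec SA offers, in the order given in the table above.
AS_INITIATOR = [
    "ESP AES_256 SHA", "ESP AES_128 SHA", "ESP 3_DES MD5", "ESP 3_DES SHA",
    "AH SHA1 with ESP AES_256 with null HMAC", "AH SHA1 with ESP AES_128 with null HMAC",
    "AH SHA1 with ESP 3_DES with null HMAC",
    "AH MD5 with ESP 3_DES with null HMAC, no lifetimes proposed",
    "AH SHA1 with ESP 3_DES SHA1, no lifetimes", "AH MD5 with ESP 3_DES MD5, no lifetimes",
    "ESP DES MD5", "ESP DES SHA1, no lifetimes",
    "AH SHA1 with ESP DES null HMAC, no lifetimes proposed",
    "AH MD5 with ESP DES null HMAC, no lifetimes proposed",
    "AH SHA1 with ESP DES SHA1, no lifetimes", "AH MD5 with ESP DES MD5, no lifetimes",
]
AS_RESPONDER = [
    "ESP AES_128 SHA", "ESP 3_DES MD5", "ESP 3_DES SHA",
    "AH SHA1 with ESP AES_128 with null HMAC", "AH SHA1 with ESP 3_DES with null HMAC",
    "AH MD5 with ESP 3_DES with null HMAC, no lifetimes proposed",
    "AH SHA1 with ESP 3_DES SHA1, no lifetimes", "AH MD5 with ESP 3_DES MD5, no lifetimes",
    "ESP DES MD5", "ESP DES SHA1, no lifetimes",
    "AH SHA1 with ESP DES null HMAC, no lifetimes proposed",
    "AH MD5 with ESP DES null HMAC, no lifetimes proposed",
    "AH SHA1 with ESP DES SHA1, no lifetimes", "AH MD5 with ESP DES MD5, no lifetimes",
    "ESP SHA, no lifetimes", "ESP MD5, no lifetimes",
    "AH SHA, no lifetimes", "AH MD5, no lifetimes",
]

CIPHERS = {"AES_256", "AES_128", "3_DES", "DES"}


def offer_weakness(offer):
    """Reasons an offer should not carry cross-premises traffic ([] if none)."""
    tokens = offer.replace(",", "").split()
    ciphers = [t for t in tokens if t in CIPHERS]
    reasons = []
    if not ciphers:
        reasons.append("no encryption (integrity-only offer)")
    elif "DES" in ciphers:
        reasons.append("single DES (56-bit key)")
    if "MD5" in tokens:
        reasons.append("MD5 integrity")
    return reasons


def negotiate(azure_role, device_offers):
    """Predict the SA offer a negotiation settles on, or None if nothing matches.

    Assumed model: when Azure initiates, the device chooses from Azure's
    presented list in the device's own order; when Azure responds, Azure
    chooses in its acceptance order.
    """
    if azure_role == "initiator":
        return next((o for o in device_offers if o in AS_INITIATOR), None)
    if azure_role == "responder":
        return next((o for o in AS_RESPONDER if o in device_offers), None)
    raise ValueError(f"unknown role {azure_role!r}")


def check_policy(gateway_type, policy):
    """List every way a device policy departs from the table for this gateway type."""
    table = GATEWAY[gateway_type]
    problems = []
    for key in ("ike_version", "dh_group", "auth", "hash", "p1_lifetime_s",
                "p2_lifetime_s", "p2_lifetime_kb"):
        if table[key] is not None and policy.get(key) != table[key]:
            problems.append(f"{key}: device {policy.get(key)!r}, table {table[key]!r}")
    if policy.get("p1_encryption") not in table["p1_encryption"]:
        problems.append(f"p1_encryption: {policy.get('p1_encryption')!r} "
                        f"not in {sorted(table['p1_encryption'])}")
    for feature in ("pfs", "dpd"):
        if policy.get(feature) and not table[feature]:
            problems.append(f"{feature}: enabled on device, not supported by the "
                            f"{gateway_type} gateway")
    return problems


# Constructed device policy: matches the Static Routing column except that PFS is on.
DEVICE_POLICY = {"ike_version": "IKEv1", "dh_group": 2, "auth": "psk", "hash": "SHA1",
                 "p1_encryption": "AES256", "p1_lifetime_s": 28800,
                 "p2_lifetime_s": 3600, "p2_lifetime_kb": 102400000,
                 "pfs": True, "dpd": False}

if __name__ == "__main__":
    for problem in check_policy("static", DEVICE_POLICY):
        print("deviation:", problem)
    sloppy = ["ESP DES MD5", "ESP AES_128 SHA"]  # device left DES first in its list
    for role in ("initiator", "responder"):
        chosen = negotiate(role, sloppy)
        print(f"Azure as {role}: {chosen} {offer_weakness(chosen)}")
```

The two columns differ, so which offer wins depends on which side initiates: with the sloppy device list above, the model lands on AES_128 when Azure responds but on single DES when Azure initiates. Removing the weak entries from the device's proposal list is the only configuration that is safe in both directions.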

© 2015 Microsoft