
Commit 6a879e3

edit pass: vpn-gateway-vpn-faq
1 parent a153a23 commit 6a879e3

11 files changed, +61 -65 lines changed

articles/vpn-gateway/vpn-gateway-vpn-faq.md

Lines changed: 29 additions & 29 deletions

includes/vpn-gateway-configure-vpn-device-rm-include.md

Lines changed: 2 additions & 2 deletions
@@ -20,15 +20,15 @@ The following links provide more configuration information:
2020

2121
- For links to device configuration settings, see [Validated VPN devices](../articles/vpn-gateway/vpn-gateway-about-vpn-devices.md#devicetable). We provide the device configuration links on a best-effort basis, but it's always best to check with your device manufacturer for the latest configuration information.
2222

23-
The list shows the versions that we tested. If your OS isn't on the list, it's still possible that the version is compatible. Check with your device manufacturer to verify that the OS version for your VPN device is compatible.
23+
The list shows the versions that we tested. If the OS version for your VPN device isn't on the list, it still might be compatible. Check with your device manufacturer.
2424

2525
- For basic information about VPN device configuration, see [Overview of partner VPN device configurations](../articles/vpn-gateway/vpn-gateway-3rdparty-device-config-overview.md).
2626

2727
- For information about editing device configuration samples, see [Editing samples](../articles/vpn-gateway/vpn-gateway-about-vpn-devices.md#editing).
2828

2929
- For cryptographic requirements, see [About cryptographic requirements and Azure VPN gateways](../articles/vpn-gateway/vpn-gateway-about-compliance-crypto.md).
3030

31-
- For information about parameter information that you need to complete your configuration, see [Default IPsec/IKE parameters](../articles/vpn-gateway/vpn-gateway-about-vpn-devices.md#ipsec). The information includes IKE version, Diffie-Hellman (DH) group, authentication method, encryption and hashing algorithms, security association (SA) lifetime, Perfect Forward Secrecy (PFS), and Dead Peer Detection (DPD).
31+
- For information about parameters that you need to complete your configuration, see [Default IPsec/IKE parameters](../articles/vpn-gateway/vpn-gateway-about-vpn-devices.md#ipsec). The information includes IKE version, Diffie-Hellman (DH) group, authentication method, encryption and hashing algorithms, security association (SA) lifetime, perfect forward secrecy (PFS), and Dead Peer Detection (DPD).
3232

3333
- For IPsec/IKE policy configuration steps, see [Configure custom IPsec/IKE connection policies for S2S VPN and VNet-to-VNet](../articles/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell.md).
3434
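Review bot: the shortened sentence "Check with your device manufacturer." drops what the reader is supposed to check; the previous wording named it. Suggest "Check with your device manufacturer to confirm that your OS version is compatible." In the parameters bullet, "perfect forward secrecy (PFS)" is now lowercase while "Dead Peer Detection (DPD)" in the same sentence keeps title case; pick one convention for spelled-out acronyms in that list.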

includes/vpn-gateway-customer-controlled-gateway-maintenance-faq.md

Lines changed: 1 addition & 1 deletion
@@ -46,7 +46,7 @@ Yes.
4646

4747
### Which gateway SKUs can I configure to use customer-controlled maintenance?
4848

49-
All gateway SKUs (except the Basic SKU for VPN Gateway) can be configured to use customer-controlled maintenance.
49+
All the Azure VPN Gateway SKUs (except the Basic SKU) can be configured to use customer-controlled maintenance.
5050

5151
### How long does it take for a maintenance configuration policy to become effective after it's assigned to the gateway resource?
5252
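Review bot: "All the Azure VPN Gateway SKUs (except the Basic SKU)" reads more naturally without "the": "All Azure VPN Gateway SKUs (except the Basic SKU) can be configured to use customer-controlled maintenance." Moving the product name out of the parenthetical is otherwise an improvement, since the old "Basic SKU for VPN Gateway" left it unclear which product the rest of the SKU list belonged to.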

includes/vpn-gateway-deprecate-sku-faq.md

Lines changed: 2 additions & 2 deletions
@@ -6,7 +6,7 @@ ms.service: vpn-gateway
66
ms.topic: include
77
---
88

9-
### Can I create a new gateway by using the Standard or High Performance SKU after the deprecation date of November 30, 2023?
9+
### Can I create a new gateway by using the Standard or High Performance SKU after the deprecation announcement on November 30, 2023?
1010

1111
No. As of December 1, 2023, you can't create gateways by using the Standard or High Performance SKU. You can create gateways by using VpnGw1 and VpnGw2 for the same price as the Standard and High Performance SKUs, listed respectively on the [pricing page](https://azure.microsoft.com/pricing/details/vpn-gateway/).
1212
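Review bot: changing "deprecation date of November 30, 2023" to "deprecation announcement on November 30, 2023" in the heading changes what that date means, and the unchanged answer ("As of December 1, 2023, you can't create gateways ...") still reads as if November 30 were the cutoff rather than an announcement. Confirm which it is and make the heading and answer agree; if November 30 is only the announcement, the answer should state when creation actually stopped. Also, "for the same price as the Standard and High Performance SKUs, listed respectively on the pricing page" is awkward; suggest "at the same price as the Standard and High Performance SKUs, respectively (see the pricing page)".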

@@ -32,7 +32,7 @@ You can't migrate gateways from a deprecated SKU to an AZ SKU. However, all gate
3232
* Standard to VpnGw1AZ
3333
* High Performance to VpnGw2AZ
3434

35-
After your gateways are automatically migrated and upgraded to the AZ SKUs, you can then resize within that SKU family if necessary. For AZ SKU pricing, see the [pricing page](https://azure.microsoft.com/pricing/details/vpn-gateway/). For throughput information by SKU, see [About gateway SKUs](https://go.microsoft.com/fwlink/?linkid=2256302).
35+
After your gateways are automatically migrated and upgraded to the AZ SKUs, you can resize within that SKU family if necessary. For AZ SKU pricing, see the [pricing page](https://azure.microsoft.com/pricing/details/vpn-gateway/). For throughput information by SKU, see [About gateway SKUs](https://go.microsoft.com/fwlink/?linkid=2256302).
3636

3737
### Will there be any pricing difference for my gateways after migration?
3838

includes/vpn-gateway-faq-bgp-include.md

Lines changed: 5 additions & 5 deletions
@@ -84,7 +84,7 @@ Azure VPN Gateway supports up to 4,000 prefixes. The BGP session is dropped if t
8484

8585
### Can I advertise the default route (0.0.0.0/0) to VPN gateways?
8686

87-
Yes. Keep in mind that advertising the default route forces all VNet egress traffic toward your on-premises site. It also prevents the virtual network VMs from accepting public communication from the internet directly, such as RDP or SSH from the internet to the VMs.
87+
Yes. Keep in mind that advertising the default route forces all VNet egress traffic toward your on-premises site. It also prevents the virtual network VMs from accepting public communication from the internet directly, such as Remote Desktop Protocol (RDP) or Secure Shell (SSH) from the internet to the VMs.
8888

8989
### Can I advertise the exact prefixes as my virtual network prefixes?
9090

@@ -102,13 +102,13 @@ Yes, you can mix both BGP and non-BGP connections for the same Azure VPN gateway
102102

103103
### Does Azure VPN Gateway support BGP transit routing?
104104

105-
Yes. BGP transit routing is supported, with the exception that Azure VPN gateways don't advertise default routes to other BGP peers. To enable transit routing across multiple VPN gateways, you must enable BGP on all intermediate connections between virtual networks. For more information, see [About BGP and VPN Gateway](../articles/vpn-gateway/vpn-gateway-bgp-overview.md).
105+
Yes. BGP transit routing is supported, with the exception that VPN gateways don't advertise default routes to other BGP peers. To enable transit routing across multiple VPN gateways, you must enable BGP on all intermediate connections between virtual networks. For more information, see [About BGP and VPN Gateway](../articles/vpn-gateway/vpn-gateway-bgp-overview.md).
106106

107107
### Can I have more than one tunnel between a VPN gateway and my on-premises network?
108108

109109
Yes, you can establish more than one site-to-site VPN tunnel between a VPN gateway and your on-premises network. All these tunnels are counted against the total number of tunnels for your Azure VPN gateways, and you must enable BGP on both tunnels.
110110

111-
For example, if you have two redundant tunnels between your Azure VPN gateway and one of your on-premises networks, they consume two tunnels out of the total quota for your VPN gateway.
111+
For example, if you have two redundant tunnels between your VPN gateway and one of your on-premises networks, they consume two tunnels out of the total quota for your VPN gateway.
112112

113113
### Can I have multiple tunnels between two Azure virtual networks with BGP?
114114
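Review bot: the unchanged context line "you must enable BGP on both tunnels" assumes exactly two tunnels, while the question and the sentence before it are about "more than one" tunnel. Since this edit pass already touched the adjacent example sentence, suggest "you must enable BGP on all of these tunnels". The example sentence itself is fine after dropping the redundant "Azure".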

@@ -126,12 +126,12 @@ For example, if the Azure VPN peer IP is 10.12.255.30, you add a host route for
126126

127127
### Does the virtual network gateway support BFD for S2S connections with BGP?
128128

129-
No. Bidirectional Forwarding Detection (BFD) is a protocol that you can use with BGP to detect neighbor downtime more quickly than you can by using standard BGP *keepalive* intervals. BFD uses subsecond timers designed to work in LAN environments, but not across the public internet or WAN connections.
129+
No. Bidirectional Forwarding Detection (BFD) is a protocol that you can use with BGP to detect neighbor downtime more quickly than you can by using standard BGP keepalive intervals. BFD uses subsecond timers designed to work in LAN environments, but not across the public internet or WAN connections.
130130

131131
For connections over the public internet, having certain packets delayed or even dropped isn't unusual, so introducing these aggressive timers can add instability. This instability might cause BGP to dampen routes.
132132

133133
As an alternative, you can configure your on-premises device with timers lower than the default 60-second keepalive interval or lower than the 180-second hold timer. This configuration results in a quicker convergence time. However, timers below the default 60-second keepalive interval or below the default 180-second hold timer aren't reliable. We recommend that you keep timers at or above the default values.
134134

135135
### Do VPN gateways initiate BGP peering sessions or connections?
136136

137-
VPN gateways initiate BGP peering sessions to the on-premises BGP peer IP addresses specified in the local network gateway resources by using the private IP addresses on the VPN gateways. This process is irrespective of whether the on-premises BGP IP addresses are in the APIPA range or are regular private IP addresses. If your on-premises VPN devices use APIPA addresses as BGP IP, you need to configure your BGP speaker to initiate the connections.
137+
VPN gateways initiate BGP peering sessions to the on-premises BGP peer IP addresses specified in the local network gateway resources by using the private IP addresses on the VPN gateways. This process is irrespective of whether the on-premises BGP IP addresses are in the APIPA range or are regular private IP addresses. If your on-premises VPN devices use APIPA addresses as the BGP IP, you need to configure your BGP speaker to initiate the connections.
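Review bot: the APIPA paragraph (the "+" line) says the VPN gateways initiate the BGP session regardless of address type and then says that with APIPA BGP IPs you must configure the on-premises speaker to initiate; a reader can't tell from this why the gateway-initiated session isn't enough in that case, so add a clause explaining it (or say that both sides initiating is expected). In the unchanged BFD context, the answer first says lower timers give "a quicker convergence time" and then that they "aren't reliable"; collapsing that into a single recommendation to keep the default keepalive and hold timers would avoid the mixed message.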

includes/vpn-gateway-faq-ipsecikepolicy-include.md

Lines changed: 11 additions & 11 deletions
@@ -5,9 +5,9 @@
55
ms.date: 10/18/2023
66
ms.author: cherylmc
77
---
8-
### Is a custom IPsec or IKE policy supported on all Azure VPN Gateway SKUs?
8+
### Is a custom IPsec/IKE policy supported on all Azure VPN Gateway SKUs?
99

10-
A custom IPsec or IKE policy is supported on all Azure VPN Gateway SKUs except the Basic SKU.
10+
A custom IPsec/IKE policy is supported on all Azure VPN Gateway SKUs except the Basic SKU.
1111

1212
### How many policies can I specify on a connection?
1313
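Review bot: the visible front matter still shows "ms.date: 10/18/2023"; with this many wording changes across the include, bump the date so the published page reflects the edit pass. Restoring "IPsec/IKE policy" in place of "IPsec or IKE policy" is the right call, since the custom policy is one object that carries both the IKE and the IPsec proposals rather than one or the other.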

@@ -35,23 +35,23 @@ The following table lists the corresponding Diffie-Hellman groups that the custo
3535

3636
For more information, refer to [RFC3526](https://tools.ietf.org/html/rfc3526) and [RFC5114](https://tools.ietf.org/html/rfc5114).
3737

38-
### Does the custom policy replace the default IPsec or IKE policy sets for VPN gateways?
38+
### Does the custom policy replace the default IPsec/IKE policy sets for VPN gateways?
3939

4040
Yes. After you specify a custom policy on a connection, Azure VPN Gateway uses only that policy on the connection, both as IKE initiator and IKE responder.
4141

42-
### If I remove a custom IPsec or IKE policy, does the connection become unprotected?
42+
### If I remove a custom IPsec/IKE policy, does the connection become unprotected?
4343

44-
No, IPsec or IKE still helps protect the connection. After you remove the custom policy from a connection, the VPN gateway reverts to the [default list of IPsec or IKE proposals](../articles/vpn-gateway/vpn-gateway-about-vpn-devices.md#RouteBasedOffers) and restarts the IKE handshake with your on-premises VPN device.
44+
No, IPsec/IKE still helps protect the connection. After you remove the custom policy from a connection, the VPN gateway reverts to the [default list of IPsec/IKE proposals](../articles/vpn-gateway/vpn-gateway-about-vpn-devices.md#RouteBasedOffers) and restarts the IKE handshake with your on-premises VPN device.
4545

46-
### Would adding or updating an IPsec or IKE policy disrupt my VPN connection?
46+
### Would adding or updating an IPsec/IKE policy disrupt my VPN connection?
4747

4848
Yes. It could cause a small disruption (a few seconds) as the VPN gateway tears down the existing connection and restarts the IKE handshake to reestablish the IPsec tunnel with the new cryptographic algorithms and parameters. Ensure that your on-premises VPN device is also configured with the matching algorithms and key strengths to minimize the disruption.
4949

5050
### Can I use different policies on different connections?
5151

52-
Yes. A custom policy is applied on a per-connection basis. You can create and apply different IPsec or IKE policies on different connections.
52+
Yes. A custom policy is applied on a per-connection basis. You can create and apply different IPsec/IKE policies on different connections.
5353

54-
You can also choose to apply custom policies on a subset of connections. The remaining ones use the Azure default IPsec or IKE policy sets.
54+
You can also choose to apply custom policies on a subset of connections. The remaining ones use the Azure default IPsec/IKE policy sets.
5555

5656
### Can I use a custom policy on VNet-to-VNet connections?
5757

@@ -68,9 +68,9 @@ The default DPD timeout is 45 seconds on VPN gateways. You can specify a differe
6868
> [!NOTE]
6969
> Setting the timeout to shorter periods causes IKE to rekey more aggressively. The connection can then appear to be disconnected in some instances. This situation might not be desirable if your on-premises locations are farther away from the Azure region where the VPN gateway resides, or if the physical link condition could incur packet loss. We generally recommend that you set the timeout to *between 30 and 45* seconds.
7070
71-
### Does a custom IPsec or IKE policy work on ExpressRoute connections?
71+
### Does a custom IPsec/IKE policy work on ExpressRoute connections?
7272

73-
No. An IPsec or IKE policy works only on S2S VPN and VNet-to-VNet connections via the VPN gateways.
73+
No. An IPsec/IKE policy works only on S2S VPN and VNet-to-VNet connections via the VPN gateways.
7474

7575
### How do I create connections with the IKEv1 or IKEv2 protocol type?
7676

@@ -82,7 +82,7 @@ For information about SKU types and support for IKEv1 and IKEv2, see [Connect a
8282

8383
### Is transit between IKEv1 and IKEv2 connections allowed?
8484

85-
Yes. Transit between IKEv1 and IKEv2 connections is supported.
85+
Yes.
8686

8787
### Can I have IKEv1 site-to-site connections on the Basic SKU for the route-based VPN type?
8888

includes/vpn-gateway-faq-nat-include.md

Lines changed: 2 additions & 2 deletions
@@ -49,13 +49,13 @@ No. A single source network address translation (SNAT) rule defines the translat
4949

5050
* An **IngressSNAT** rule defines the translation of the source IP addresses coming into the VPN gateway from the on-premises network. It also handles the translation of the destination IP addresses leaving from the virtual network to the same on-premises network.
5151

52-
* An **EgressSNAT** rule defines the translation of the VNet source IP addresses leaving the VPN gateway to on-premises networks. It also handles the translation of the destination IP addresses for packets coming into the virtual network via those connections with the **EgressSNAT** rule.
52+
* An **EgressSNAT** rule defines the translation of the VNet source IP addresses leaving the VPN gateway to on-premises networks. It also handles the translation of the destination IP addresses for packets coming into the virtual network via the connections that have the **EgressSNAT** rule.
5353

5454
In either case, you don't need destination network address translation (DNAT) rules.
5555

5656
### What do I do if my VNet or local network gateway address space has two or more prefixes? Can I apply NAT to all of them or just a subset?
5757

58-
You need to create one NAT rule for each prefix, because each NAT rule can include only one address prefix for NAT. For example, if the local network gateway address space consists of 10.0.1.0/24 and 10.0.2.0/25, you can create two rules:
58+
You need to create one NAT rule for each prefix, because each NAT rule can include only one address prefix for NAT. For example, if the address space for the local network gateway consists of 10.0.1.0/24 and 10.0.2.0/25, you can create two rules:
5959

6060
* **IngressSNAT** rule 1: Map 10.0.1.0/24 to 100.0.1.0/24.
6161
* **IngressSNAT** rule 2: Map 10.0.2.0/25 to 100.0.2.0/25.
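Review bot: the NAT example in the unchanged context maps the on-premises prefixes to 100.0.1.0/24 and 100.0.2.0/25, which are globally routable addresses (the shared address space set aside for this kind of translation is 100.64.0.0/10, and 100.0.x.0 falls outside it). Since this edit pass already touched the sentence that introduces the example, consider switching the targets to a range the customer can legitimately use, such as prefixes from 100.64.0.0/10, so readers don't copy a sample that would shadow real internet hosts.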

includes/vpn-gateway-faq-p2s-all-include.md

Lines changed: 4 additions & 8 deletions
@@ -34,7 +34,7 @@ Azure supports three types of point-to-site VPN options:
3434

3535
* **OpenVPN**: A SSL-based solution that can penetrate firewalls because most firewalls open the outbound TCP port that 443 SSL uses.
3636

37-
* **IKEv2 VPN**: A standards-based IPsec VPN solution that uses outbound UDP ports 500 and 4500 and IP protocol number 50. Firewalls don't always open these ports, so there's a possibility that IKEv2 VPN can't traverse proxies and firewalls.
37+
* **IKEv2 VPN**: A standards-based IPsec VPN solution that uses outbound UDP ports 500 and 4500, along with IP protocol number 50. Firewalls don't always open these ports, so there's a possibility that IKEv2 VPN can't traverse proxies and firewalls.
3838

3939
### If I restart a client computer that I configured for point-to-site, will the VPN automatically reconnect?
4040
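Review bot: two grammar slips in the OpenVPN bullet (unchanged context) survived the edit pass: "A SSL-based solution" should be "An SSL-based solution", and "the outbound TCP port that 443 SSL uses" should read "outbound TCP port 443, which SSL uses". The IKEv2 bullet change is fine; for readers who have to write firewall rules, naming the protocol ("IP protocol number 50 (ESP)") would make the list actionable.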

@@ -58,7 +58,7 @@ Yes. Point-to-site client connections to a virtual network gateway deployed in a
5858

5959
### How much throughput can I expect through site-to-site or point-to-site connections?
6060

61-
It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols. Throughput is also limited by the latency and bandwidth between your premises and the internet.
61+
It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols. The latency and bandwidth between your premises and the internet can also limit throughput.
6262

6363
For a VPN gateway with only IKEv2 point-to-site VPN connections, the total throughput that you can expect depends on the gateway SKU. For more information on throughput, see [Gateway SKUs](../articles/vpn-gateway/vpn-gateway-about-vpngateways.md#gwsku).
6464

@@ -110,7 +110,7 @@ The traffic selector limit for OpenVPN is 1,000 routes.
110110

111111
When you configure both SSTP and IKEv2 in a mixed environment that consists of Windows and Mac devices, the Windows VPN client always tries the IKEv2 tunnel first. The client falls back to SSTP if the IKEv2 connection isn't successful. MacOS connects only via IKEv2.
112112

113-
When you have both SSTP and IKEv2 enabled on the gateway, the point-to-site address pool is statically split between the two, so clients that use different protocols are IP addresses from either subrange. The maximum number of SSTP clients is always 128, even if the address range is larger than /24. The result is a larger number of addresses available for IKEv2 clients. For smaller ranges, the pool is equally halved. Traffic selectors that the gateway uses might not include the point-to-site address range CIDR but include the two subrange CIDRs.
113+
When you have both SSTP and IKEv2 enabled on the gateway, the point-to-site address pool is statically split between the two, so clients that use different protocols are IP addresses from either subrange. The maximum number of SSTP clients is always 128, even if the address range is larger than /24. The result is a larger number of addresses available for IKEv2 clients. For smaller ranges, the pool is equally halved. Traffic selectors that the gateway uses might not include the Classless Inter-Domain Routing (CIDR) block for the point-to-site address range but include the CIDR block for the two subranges.
114114

115115
### Which platforms does Azure support for P2S VPN?
116116
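Review bot: "clients that use different protocols are IP addresses from either subrange" is missing a verb in both the old and new versions; it should read "are assigned IP addresses from either subrange". Expanding CIDR is fine, but "the CIDR block for the two subranges" should be plural: "the CIDR blocks for the two subranges".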

@@ -122,18 +122,14 @@ Yes. If the gateway SKU that you're using supports RADIUS or IKEv2, you can enab
122122

123123
### <a name="removeconfig"></a>How do I remove the configuration of a P2S connection?
124124

125-
You can remove a P2S configuration by using the following Azure PowerShell or Azure CLI commands.
126-
127-
#### Azure PowerShell
125+
You can remove a P2S configuration by using the following Azure PowerShell or Azure CLI commands:
128126

129127
```azurepowershell-interactive
130128
$gw=Get-AzVirtualNetworkGateway -name <gateway-name>`
131129
$gw.VPNClientConfiguration = $null`
132130
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw`
133131
```
134132

135-
#### Azure CLI
136-
137133
```azurecli-interactive
138134
az network vnet-gateway update --name <gateway-name> --resource-group <resource-group name> --remove "vpnClientConfiguration"
139135
```
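Review bot: the PowerShell sample in the unchanged context lines has a stray backtick at the end of each of the three commands; in PowerShell a trailing backtick is the line-continuation character, so as written the three lines are parsed as a single command and fail. Drop the backticks (the azurecli block is fine). Removing the "#### Azure PowerShell" and "#### Azure CLI" subheadings also leaves the two fenced blocks distinguished only by their fence tags, which not every rendering surface shows; keep the headings or add a short lead-in before each block.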
