
Commit d881c97

Update vpn-gateway-faq-ipsecikepolicy-include.md
1 parent 210069f commit d881c97

1 file changed (+3, -32 lines)

includes/vpn-gateway-faq-ipsecikepolicy-include.md

Lines changed: 3 additions & 32 deletions
@@ -25,44 +25,15 @@ The following table lists the supported cryptographic algorithms and key strengt
2525

2626
[!INCLUDE [Important requirements table](vpn-gateway-ipsec-ike-requirements-include.md)]
2727

28-
### Does everything need to match between the Azure VPN gateway policy and my on-premises VPN device configurations?
29-
30-
Your on-premises VPN device configuration must match or contain the following algorithms and parameters that you specify on the Azure IPsec/IKE policy:
31-
32-
* IKE encryption algorithm
33-
* IKE integrity algorithm
34-
* DH Group
35-
* IPsec encryption algorithm
36-
* IPsec integrity algorithm
37-
* PFS Group
38-
* Traffic Selector (*)
39-
40-
The SA lifetimes are local specifications only. They don't need to match.
41-
42-
If you enable **UsePolicyBasedTrafficSelectors**, you need to ensure your VPN device has the matching traffic selectors defined with all combinations of your on-premises network (local network gateway) prefixes to/from the Azure virtual network prefixes, instead of any-to-any. For example, if your on-premises network prefixes are 10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to specify the following traffic selectors:
43-
44-
* 10.1.0.0/16 <====> 192.168.0.0/16
45-
* 10.1.0.0/16 <====> 172.16.0.0/16
46-
* 10.2.0.0/16 <====> 192.168.0.0/16
47-
* 10.2.0.0/16 <====> 172.16.0.0/16
48-
4928
For more information, see [Connect multiple on-premises policy-based VPN devices](../articles/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps.md).
5029

5130
### <a name ="DH"></a>Which Diffie-Hellman Groups are supported?
5231

53-
The table below lists the supported Diffie-Hellman Groups for IKE (DHGroup) and IPsec (PFSGroup):
32+
The following table lists the corresponding Diffie-Hellman groups supported by the custom policy:
5433

55-
| **Diffie-Hellman Group** | **DHGroup** | **PFSGroup** | **Key length** |
56-
| --- | --- | --- | --- |
57-
| 1 | DHGroup1 | PFS1 | 768-bit MODP |
58-
| 2 | DHGroup2 | PFS2 | 1024-bit MODP |
59-
| 14 | DHGroup14<br>DHGroup2048 | PFS2048 | 2048-bit MODP |
60-
| 19 | ECP256 | ECP256 | 256-bit ECP |
61-
| 20 | ECP384 | ECP384 | 384-bit ECP |
62-
| 24 | DHGroup24 | PFS24 | 2048-bit MODP |
63-
| | | | |
34+
[!INCLUDE [Diffie-Hellman groups](vpn-gateway-ipsec-ike-diffie-hellman-include.md)]
6435

65-
For more information, see [RFC3526](https://tools.ietf.org/html/rfc3526) and [RFC5114](https://tools.ietf.org/html/rfc5114).
36+
Refer to [RFC3526](https://tools.ietf.org/html/rfc3526) and [RFC5114](https://tools.ietf.org/html/rfc5114) for more details.
6637

6738
### Does the custom policy replace the default IPsec/IKE policy sets for Azure VPN gateways?
6839

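Review bot: Deleting the "Does everything need to match" section (old lines 28-48) leaves the retained context line "For more information, see [Connect multiple on-premises policy-based VPN devices](...)" orphaned: it now follows the requirements-table include directly, with the UsePolicyBasedTrafficSelectors paragraph and the traffic-selector example it referred to gone. Either remove that sentence in the same change or confirm that vpn-gateway-ipsec-ike-requirements-include.md now carries the must-match list (IKE/IPsec encryption and integrity, DH group, PFS group, traffic selectors) and the note that SA lifetimes are local-only, since nothing in the visible diff or the commit message says where that guidance moved. Two smaller points: the new lead-in "the corresponding Diffie-Hellman groups supported by the custom policy" is vaguer than the removed "supported Diffie-Hellman Groups for IKE (DHGroup) and IPsec (PFSGroup)", and the removed table was the only place on this page that showed key lengths (DHGroup1 at 768-bit MODP, DHGroup2 at 1024-bit MODP versus the 2048-bit and ECP groups); please check that vpn-gateway-ipsec-ike-diffie-hellman-include.md preserves the Key length column so readers can still tell the weak groups apart.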