Merge pull request #225625 from cherylmc/ipsecfaq

updates

Author: American-Dipper

articles/vpn-gateway/vpn-gateway-vpn-faq.md

@@ -6,7 +6,7 @@ author: cherylmc
 
 ms.service: vpn-gateway
 ms.topic: conceptual
-ms.date: 01/10/2023
+ms.date: 01/30/2023
 ms.author: cherylmc
 ---
 

includes/vpn-gateway-faq-ipsecikepolicy-include.md

@@ -2,7 +2,7 @@
  title: include file
  author: cherylmc
  ms.service: vpn-gateway
- ms.date: 05/25/2022
+ ms.date: 01/30/2023
  ms.author: cherylmc
 ---
 ### Is Custom IPsec/IKE policy supported on all Azure VPN Gateway SKUs?
@@ -19,72 +19,29 @@ No, you must specify all algorithms and parameters for both IKE (Main Mode) and
 
 ### What are the algorithms and key strengths supported in the custom policy?
 
-The following table lists the supported cryptographic algorithms and key strengths configurable by the customers. You must select one option for every field.
-
-| **IPsec/IKEv2**  | **Options**                                                                   |
-| ---              | ---                                                                           |
-| IKEv2 Encryption | GCMAES256, GCMAES128, AES256, AES192, AES128, DES3, DES                                             |
-| IKEv2 Integrity  | GCMAES256, GCMAES128, SHA384, SHA256, SHA1, MD5                                                     |
-| DH Group         | DHGroup24, ECP384, ECP256, DHGroup14 (DHGroup2048), DHGroup2, DHGroup1, None  |
-| IPsec Encryption | GCMAES256, GCMAES192, GCMAES128, AES256, AES192, AES128, DES3, DES, None      |
-| IPsec Integrity  | GCMAES256, GCMAES192, GCMAES128, SHA256, SHA1, MD5                            |
-| PFS Group        | PFS24, ECP384, ECP256, PFS2048, PFS2, PFS1, None                              |
-| QM SA Lifetime   | Seconds (integer; **min. 300**/default 27000 seconds)<br>KBytes (integer; **min. 1024**/default 102400000 KBytes)           |
-| Traffic Selector | UsePolicyBasedTrafficSelectors ($True/$False; default $False)                 |
-|                  |                                                                               |
-
-> [!IMPORTANT]
-> * DHGroup2048 & PFS2048 are the same as Diffie-Hellman Group **14** in IKE and IPsec PFS. See [Diffie-Hellman Groups](#DH) for the complete mappings.
-> * For GCMAES algorithms, you must specify the same GCMAES algorithm and key length for both IPsec Encryption and Integrity.
-> * IKEv2 Main Mode SA lifetime is fixed at 28,800 seconds on the Azure VPN gateways.
-> * QM SA Lifetimes are optional parameters. If none was specified, default values of 27,000 seconds (7.5 hrs) and 102400000 KBytes (102GB) are used.
-> * UsePolicyBasedTrafficSelector is an option parameter on the connection. See the next FAQ item for "UsePolicyBasedTrafficSelectors".
-
-### Does everything need to match between the Azure VPN gateway policy and my on-premises VPN device configurations?
-
-Your on-premises VPN device configuration must match or contain the following algorithms and parameters that you specify on the Azure IPsec/IKE policy:
-
-* IKE encryption algorithm
-* IKE integrity algorithm
-* DH Group
-* IPsec encryption algorithm
-* IPsec integrity algorithm
-* PFS Group
-* Traffic Selector (*)
-
-The SA lifetimes are local specifications only, don't need to match.
-
-If you enable **UsePolicyBasedTrafficSelectors**, you need to ensure your VPN device has the matching traffic selectors defined with all combinations of your on-premises network (local network gateway) prefixes to/from the Azure virtual network prefixes, instead of any-to-any. For example, if your on-premises network prefixes are 10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to specify the following traffic selectors:
-* 10.1.0.0/16 <====> 192.168.0.0/16
-* 10.1.0.0/16 <====> 172.16.0.0/16
-* 10.2.0.0/16 <====> 192.168.0.0/16
-* 10.2.0.0/16 <====> 172.16.0.0/16
+The following table lists the supported cryptographic algorithms and key strengths that you can configure. You must select one option for every field.
+
+[!INCLUDE [Algorithm and keys table](vpn-gateway-ipsec-ike-algorithm-include.md)]
+
+[!INCLUDE [Important requirements table](vpn-gateway-ipsec-ike-requirements-include.md)]
 
 For more information, see [Connect multiple on-premises policy-based VPN devices](../articles/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps.md).
 
 ### <a name ="DH"></a>Which Diffie-Hellman Groups are supported?
 
-The table below lists the supported Diffie-Hellman Groups for IKE (DHGroup) and IPsec (PFSGroup):
+The following table lists the corresponding Diffie-Hellman groups supported by the custom policy:
 
-| **Diffie-Hellman Group**  | **DHGroup**              | **PFSGroup** | **Key length** |
-| ---                       | ---                      | ---          | ---            |
-| 1                         | DHGroup1                 | PFS1         | 768-bit MODP   |
-| 2                         | DHGroup2                 | PFS2         | 1024-bit MODP  |
-| 14                        | DHGroup14<br>DHGroup2048 | PFS2048      | 2048-bit MODP  |
-| 19                        | ECP256                   | ECP256       | 256-bit ECP    |
-| 20                        | ECP384                   | ECP384       | 384-bit ECP    |
-| 24                        | DHGroup24                | PFS24        | 2048-bit MODP  |
-|                           |                          |              |                |
+[!INCLUDE [Diffie-Hellman groups](vpn-gateway-ipsec-ike-diffie-hellman-include.md)]
 
-For more information, see [RFC3526](https://tools.ietf.org/html/rfc3526) and [RFC5114](https://tools.ietf.org/html/rfc5114).
+Refer to [RFC3526](https://tools.ietf.org/html/rfc3526) and [RFC5114](https://tools.ietf.org/html/rfc5114) for more details.
 
 ### Does the custom policy replace the default IPsec/IKE policy sets for Azure VPN gateways?
 
 Yes, once a custom policy is specified on a connection, Azure VPN gateway will only use the policy on the connection, both as IKE initiator and IKE responder.
 
 ### If I remove a custom IPsec/IKE policy, does the connection become unprotected?
 
-No, the connection will still be protected by IPsec/IKE. Once you remove the custom policy from a connection, the Azure VPN gateway reverts back to the [default list of IPsec/IKE proposals](../articles/vpn-gateway/vpn-gateway-about-vpn-devices.md) and restart the IKE handshake again with your on-premises VPN device.
+No, the connection will still be protected by IPsec/IKE. Once you remove the custom policy from a connection, the Azure VPN gateway reverts back to the [default list of IPsec/IKE proposals](../articles/vpn-gateway/vpn-gateway-about-vpn-devices.md#RouteBasedOffers) and restart the IKE handshake again with your on-premises VPN device.
 
 ### Would adding or updating an IPsec/IKE policy disrupt my VPN connection?
 
@@ -104,7 +61,10 @@ Yes. A VNet-to-VNet tunnel consists of two connection resources in Azure, one fo
 
 ### What is the default DPD timeout value? Can I specify a different DPD timeout?
 
-The default DPD timeout is 45 seconds. You can specify a different DPD timeout value on each IPsec or VNet-to-VNet connection between 9 seconds to 3600 seconds.
+The default DPD timeout is 45 seconds. You can specify a different DPD timeout value on each IPsec or VNet-to-VNet connection, from 9 seconds to 3600 seconds.
+
+> [!NOTE]
+> The default value is 45 seconds on Azure VPN gateways. Setting the timeout to shorter periods will cause IKE to rekey more aggressively, causing the connection to appear to be disconnected in some instances. This may not be desirable if your on-premises locations are farther away from the Azure region where the VPN gateway resides, or when the physical link condition could incur packet loss. The general recommendation is to set the timeout between **30 and 45** seconds.
 
 ### Does custom IPsec/IKE policy work on ExpressRoute connection?
 
@@ -131,6 +91,9 @@ If your static routing or route based IKEv1 connection is disconnecting at routi
 
 If your connection is reconnecting at random times, follow our [troubleshooting guide](../articles/vpn-gateway/vpn-gateway-troubleshoot-site-to-site-disconnected-intermittently.md).
 
-### Where can I find more configuration information for IPsec?
+### Where can I find configuration information and steps?
+
+See the following articles for more information and configuration steps.
 
-See [Configure IPsec/IKE policy for S2S or VNet-to-VNet connections](../articles/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell.md).
+* [Configure IPsec/IKE policy for S2S or VNet-to-VNet connections - Azure portal](../articles/vpn-gateway/ipsec-ike-policy-howto.md)
+* [Configure IPsec/IKE policy for S2S or VNet-to-VNet connections - Azure PowerShell](../articles/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell.md)

includes/vpn-gateway-ipsec-ike-algorithm-include.md

@@ -1,7 +1,7 @@
 ---
 author: cherylmc
 ms.author: cherylmc
-ms.date: 01/11/2023
+ms.date: 01/30/2023
 ms.service: vpn-gateway
 ms.topic: include
 ---

includes/vpn-gateway-ipsec-ike-requirements-include.md

@@ -28,9 +28,9 @@ ms.topic: include
 
 * IKE Main Mode SA lifetime is fixed at 28,800 seconds on the Azure VPN gateways.
 
-* If you set **UsePolicyBasedTrafficSelectors** to $True on a connection, it will configure the Azure VPN gateway to connect to policy-based VPN firewall on premises. If you enable PolicyBasedTrafficSelectors, you need to ensure your VPN device has the matching traffic selectors defined with all combinations of your on-premises network (local network gateway) prefixes to/from the Azure virtual network prefixes, instead of any-to-any.
+* 'UsePolicyBasedTrafficSelectors' is an optional parameter on the connection. If you set **UsePolicyBasedTrafficSelectors** to $True on a connection, it will configure the Azure VPN gateway to connect to policy-based VPN firewall on premises. If you enable PolicyBasedTrafficSelectors, you need to ensure your VPN device has the matching traffic selectors defined with all combinations of your on-premises network (local network gateway) prefixes to/from the Azure virtual network prefixes, instead of any-to-any.
 
-   For example, if your on-premises network prefixes are 10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to specify the following traffic selectors:
+  For example, if your on-premises network prefixes are 10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to specify the following traffic selectors:
 
   * 10.1.0.0/16 <====> 192.168.0.0/16
   * 10.1.0.0/16 <====> 172.16.0.0/16