|
| 1 | +--- |
| 2 | +title: 'Transition to OpenVPN or IKEv2 from SSTP | Azure VPN Gateway' |
| 3 | +description: This article helps you understand the ways to overcome the 128 concurrent connection limit of SSTP. |
| 4 | +services: vpn-gateway |
| 5 | +author: anzaman |
| 6 | + |
| 7 | +ms.service: vpn-gateway |
| 8 | +ms.topic: conceptual |
| 9 | +ms.date: 03/22/2020 |
| 10 | +ms.author: alzam |
| 11 | + |
| 12 | +--- |
| 13 | +# Transition to OpenVPN protocol or IKEv2 from SSTP |
| 14 | + |
| 15 | +A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This article applies to the Resource Manager deployment model and talks about ways to overcome the 128 concurrent connection limit of SSTP by transitioning to OpenVPN protocol or IKEv2. |
| 16 | + |
| 17 | +## <a name="protocol"></a>What protocol does P2S use? |
| 18 | + |
| 19 | +Point-to-site VPN can use one of the following protocols: |
| 20 | + |
| 21 | +* **OpenVPN® Protocol**, an SSL/TLS based VPN protocol. An SSL VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which SSL uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux and Mac devices (OSX versions 10.13 and above). |
| 22 | + |
| 23 | +* **Secure Socket Tunneling Protocol (SSTP)**, a proprietary SSL-based VPN protocol. An SSL VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which SSL uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP (Windows 7 and later). **SSTP supports up to 128 concurrent connections only regardless of the gateway SKU**. |
| 24 | + |
| 25 | +* IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (OSX versions 10.11 and above). |
| 26 | + |
| 27 | + |
| 28 | +>[!NOTE] |
| 29 | +>IKEv2 and OpenVPN for P2S are available for the Resource Manager deployment model only. They are not available for the classic deployment model. Basic gateway SKU does not support IKEv2 or OpenVPN protocols. If you are using the basic SKU, you will have to delete and recreate a production SKU Virtual Network Gateway. |
| 30 | +> |
| 31 | +
|
| 32 | +## Migrating from SSPT to IKEv2 or OpenVPN |
| 33 | + |
| 34 | +There may be cases when you want to support more than 128 concurrent P2S connection to a VPN gateway but are using SSTP. In such a case, you need to move to IKEv2 or OpenVPN protocol. |
| 35 | + |
| 36 | +### Option 1 - Add IKEv2 in addition to SSTP on the Gateway |
| 37 | + |
| 38 | +This is the simplest option. SSTP and IKEv2 can coexist on the same gateway and give you a higher number of concurrent connections. You can simply enable IKEv2 on the existing gateway and redownload the client. |
| 39 | + |
| 40 | +Adding IKEv2 to an existing SSTP VPN gateway will not affect existing clients and you can configure them to use IKEv2 in small batches or just configure the new clients to use IKEv2. If a Windows client is configured for both SSTP and IKEv2, it will try to connect using IKEV2 first and if that fails, it will fall back to SSTP. |
| 41 | + |
| 42 | +**IKEv2 uses non-standard UDP ports so you need to ensure that these ports are not blocked on the user's firewall. The ports in use are UDP 500 and 4500.** |
| 43 | + |
| 44 | +To add IKEv2 to an existing gateway, simply go to the "point-to-site configuration" tab under the Virtual Network Gateway in portal, and select **IKEv2 and SSTP (SSL)** from the drop-down box. |
| 45 | + |
| 46 | + |
| 47 | + |
| 48 | + |
| 49 | +### Option 2 - Remove SSTP and enable OpenVPN on the Gateway |
| 50 | + |
| 51 | +Since SSTP and OpenVPN are both TLS-based protocol, they cannot coexist on the same gateway. If you decide to move away from SSTP to OpenVPN, you will have to disable SSTP and enable OpenVPN on the gateway. This operation will cause the existing clients to lose connectivity to the VPN gateway until the new profile has been configured on the client. |
| 52 | + |
| 53 | +You can enable OpenVPN along side with IKEv2 if you desire. OpenVPN is TLS-based and uses the standard TCP 443 port. To switch to OpenVPN, go to the "point-to-site configuration" tab under the Virtual Network Gateway in portal, and select **OpenVPN (SSL)** or **IKEv2 and OpenVPN (SSL)** from the drop-down box. |
| 54 | + |
| 55 | + |
| 56 | + |
| 57 | +Once the gateway has been configured, existing clients will not be able to connect until you [deploy and configure the OpenVPN Clients](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-openvpn-clients). |
| 58 | + |
| 59 | +If you are using Windows 10, you can also use the [Azure VPN Client for Windows](https://docs.microsoft.com/azure/vpn-gateway/openvpn-azure-ad-client#to-download-the-azure-vpn-client) |
| 60 | + |
| 61 | + |
| 62 | +## Frequently asked questions |
| 63 | +### What are the client configuration requirements? |
| 64 | + |
| 65 | +>[!NOTE] |
| 66 | +>For Windows clients, you must have administrator rights on the client device in order to initiate the VPN connection from the client device to Azure. |
| 67 | +> |
| 68 | +
|
| 69 | +Users use the native VPN clients on Windows and Mac devices for P2S. Azure provides a VPN client configuration zip file that contains settings required by these native clients to connect to Azure. |
| 70 | + |
| 71 | +* For Windows devices, the VPN client configuration consists of an installer package that users install on their devices. |
| 72 | +* For Mac devices, it consists of the mobileconfig file that users install on their devices. |
| 73 | + |
| 74 | +The zip file also provides the values of some of the important settings on the Azure side that you can use to create your own profile for these devices. Some of the values include the VPN gateway address, configured tunnel types, routes, and the root certificate for gateway validation. |
| 75 | + |
| 76 | +>[!NOTE] |
| 77 | +>[!INCLUDE [TLS version changes](../../includes/vpn-gateway-tls-change.md)] |
| 78 | +> |
| 79 | +
|
| 80 | +### <a name="gwsku"></a>Which gateway SKUs support P2S VPN? |
| 81 | + |
| 82 | +[!INCLUDE [aggregate throughput sku](../../includes/vpn-gateway-table-gwtype-aggtput-include.md)] |
| 83 | + |
| 84 | +* For Gateway SKU recommendations, see [About VPN Gateway settings](vpn-gateway-about-vpn-gateway-settings.md#gwsku). |
| 85 | + |
| 86 | +>[!NOTE] |
| 87 | +>The Basic SKU does not support IKEv2 or RADIUS authentication. |
| 88 | +> |
| 89 | +
|
| 90 | +### <a name="IKE/IPsec policies"></a>What IKE/IPsec policies are configured on VPN gateways for P2S? |
| 91 | + |
| 92 | + |
| 93 | +**IKEv2** |
| 94 | + |
| 95 | +|**Cipher** | **Integrity** | **PRF** | **DH Group** | |
| 96 | +|--- | --- | --- | --- | |
| 97 | +|GCM_AES256 | GCM_AES256 | SHA384 | GROUP_24 | |
| 98 | +|GCM_AES256 | GCM_AES256 | SHA384 | GROUP_14 | |
| 99 | +|GCM_AES256 | GCM_AES256 | SHA384 | GROUP_ECP384 | |
| 100 | +|GCM_AES256 | GCM_AES256 | SHA384 | GROUP_ECP256 | |
| 101 | +|GCM_AES256 | GCM_AES256 | SHA256 | GROUP_24 | |
| 102 | +|GCM_AES256 | GCM_AES256 | SHA256 | GROUP_14 | |
| 103 | +|GCM_AES256 | GCM_AES256 | SHA256 | GROUP_ECP384 | |
| 104 | +|GCM_AES256 | GCM_AES256 | SHA256 | GROUP_ECP256 | |
| 105 | +|AES256 | SHA384 | SHA384 | GROUP_24 | |
| 106 | +|AES256 | SHA384 | SHA384 | GROUP_14 | |
| 107 | +|AES256 | SHA384 | SHA384 | GROUP_ECP384 | |
| 108 | +|AES256 | SHA384 | SHA384 | GROUP_ECP256 | |
| 109 | +|AES256 | SHA256 | SHA256 | GROUP_24 | |
| 110 | +|AES256 | SHA256 | SHA256 | GROUP_14 | |
| 111 | +|AES256 | SHA256 | SHA256 | GROUP_ECP384 | |
| 112 | +|AES256 | SHA256 | SHA256 | GROUP_ECP256 | |
| 113 | +|AES256 | SHA256 | SHA256 | GROUP_2 | |
| 114 | + |
| 115 | +**IPsec** |
| 116 | + |
| 117 | +|**Cipher** | **Integrity** | **PFS Group** | |
| 118 | +|--- | --- | --- | |
| 119 | +|GCM_AES256 | GCM_AES256 | GROUP_NONE | |
| 120 | +|GCM_AES256 | GCM_AES256 | GROUP_24 | |
| 121 | +|GCM_AES256 | GCM_AES256 | GROUP_14 | |
| 122 | +|GCM_AES256 | GCM_AES256 | GROUP_ECP384 | |
| 123 | +|GCM_AES256 | GCM_AES256 | GROUP_ECP256 | |
| 124 | +| AES256 | SHA256 | GROUP_NONE | |
| 125 | +| AES256 | SHA256 | GROUP_24 | |
| 126 | +| AES256 | SHA256 | GROUP_14 | |
| 127 | +| AES256 | SHA256 | GROUP_ECP384 | |
| 128 | +| AES256 | SHA256 | GROUP_ECP256 | |
| 129 | +| AES256 | SHA1 | GROUP_NONE | |
| 130 | + |
| 131 | +### <a name="TLS policies"></a>What TLS policies are configured on VPN gateways for P2S? |
| 132 | +**TLS** |
| 133 | + |
| 134 | +|**Policies** | |
| 135 | +|---| |
| 136 | +|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | |
| 137 | +|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | |
| 138 | +|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | |
| 139 | +|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | |
| 140 | +|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | |
| 141 | +|TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | |
| 142 | +|TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | |
| 143 | +|TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | |
| 144 | +|TLS_RSA_WITH_AES_128_GCM_SHA256 | |
| 145 | +|TLS_RSA_WITH_AES_256_GCM_SHA384 | |
| 146 | +|TLS_RSA_WITH_AES_128_CBC_SHA256 | |
| 147 | +|TLS_RSA_WITH_AES_256_CBC_SHA256 | |
| 148 | + |
| 149 | +### <a name="configure"></a>How do I configure a P2S connection? |
| 150 | + |
| 151 | +A P2S configuration requires quite a few specific steps. The following articles contain the steps to walk you through P2S configuration, and links to configure the VPN client devices: |
| 152 | + |
| 153 | +* [Configure a P2S connection - RADIUS authentication](point-to-site-how-to-radius-ps.md) |
| 154 | + |
| 155 | +* [Configure a P2S connection - Azure native certificate authentication](vpn-gateway-howto-point-to-site-rm-ps.md) |
| 156 | + |
| 157 | +* [Configure OpenVPN](vpn-gateway-howto-openvpn.md) |
| 158 | + |
| 159 | +## Next steps |
| 160 | + |
| 161 | +* [Configure a P2S connection - RADIUS authentication](point-to-site-how-to-radius-ps.md) |
| 162 | + |
| 163 | +* [Configure a P2S connection - Azure native certificate authentication](vpn-gateway-howto-point-to-site-rm-ps.md) |
| 164 | + |
| 165 | +**"OpenVPN" is a trademark of OpenVPN Inc.** |
0 commit comments