Commit e3f2dcb

Another article
1 parent 8c72782 commit e3f2dcb

1 file changed (+4, -155 lines changed)

azure-stack/user/azure-stack-vpn-s2s.md

Lines changed: 4 additions & 155 deletions
@@ -5,7 +5,7 @@ author: sethmanheim
55
ms.custom:
66
- devx-track-azurepowershell
77
ms.topic: how-to
8-
ms.date: 01/21/2025
8+
ms.date: 08/12/2025
99
ms.author: sethm
1010
ms.lastreviewed: 11/22/2020
1111
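Review bot: ms.date is bumped to 08/12/2025 while ms.lastreviewed at line 10 still reads 11/22/2020. This commit removes every AzureRM tab in the article, which is a content review in substance, so ms.lastreviewed should be updated alongside ms.date rather than left five years stale.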

@@ -28,7 +28,7 @@ This article provides instructions on how to create and configure an IPsec/IKE p
2828

2929
Note the following important considerations when using these policies:
3030

31-
- The IPsec/IKE policy only works on the *Standard* and *HighPerformance* (route-based) gateway SKUs.
31+
- The IPsec/IKE policy only works on the **Standard** and **HighPerformance** (route-based) gateway SKUs.
3232
- You can only specify one policy combination for a given connection.
3333
- You must specify all algorithms and parameters for both IKE (Main Mode) and IPsec (Quick Mode). Partial policy specification is not allowed.
3434
- Consult with your VPN device vendor specifications to ensure the policy is supported on your on-premises VPN devices. Site-to-site connections can't be established if the policies are incompatible.
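Review bot: cosmetic change only (italic to bold on the SKU names), fine as is. This list is where the SKU constraint lives, so it is also the place to reconcile with the `-GatewaySku VpnGw1` value that the gateway-creation script later in the file used (old line 223 in the deleted AzureRM block); see the note on that hunk.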
@@ -149,30 +149,16 @@ Make sure you switch to PowerShell mode to use the Resource Manager cmdlets. For
149149

150150
Open your PowerShell console and connect to your account; for example:
151151

152-
### [Az modules](#tab/az1)
153-
154152
```powershell
155153
Connect-AzAccount
156154
Select-AzSubscription -SubscriptionName $Sub1
157155
New-AzResourceGroup -Name $RG1 -Location $Location1
158156
```
159157

160-
### [AzureRM modules](#tab/azurerm1)
161-
162-
```powershell
163-
Connect-AzureRMAccount
164-
Select-AzureRMSubscription -SubscriptionName $Sub1
165-
New-AzureRMResourceGroup -Name $RG1 -Location $Location1
166-
```
167-
168-
---
169-
170158
#### Create the virtual network, VPN gateway, and local network gateway
171159

172160
The following example creates the virtual network, **TestVNet1**, along with three subnets and the VPN gateway. When substituting values, it's important that you specifically name your gateway subnet **GatewaySubnet**. If you name it something else, your gateway creation fails.
173161

174-
### [Az modules](#tab/az2)
175-
176162
```powershell
177163
$fesub1 = New-AzVirtualNetworkSubnetConfig -Name $FESubName1 -AddressPrefix $FESubPrefix1
178164
$besub1 = New-AzVirtualNetworkSubnetConfig -Name $BESubName1 -AddressPrefix $BESubPrefix1
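Review bot: with the `### [Az modules](#tab/az1)` heading, the AzureRM tab and the closing `---` removed, the `Connect-AzAccount` block now sits directly under the "Open your PowerShell console and connect to your account" sentence, which reads correctly. Since only the Az variant is retained everywhere, check that the sentence at line 149 ("switch to PowerShell mode to use the Resource Manager cmdlets") and any other lead-in text still make sense without a tab switcher, and that nothing remaining in the article tells the reader to pick between Az and AzureRM.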
@@ -199,35 +185,6 @@ New-AzLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1 `
199185
$LNGPrefix61,$LNGPrefix62
200186
```
201187

202-
### [AzureRM modules](#tab/azurerm2)
203-
204-
```powershell
205-
$fesub1 = New-AzureRMVirtualNetworkSubnetConfig -Name $FESubName1 -AddressPrefix $FESubPrefix1
206-
$besub1 = New-AzureRMVirtualNetworkSubnetConfig -Name $BESubName1 -AddressPrefix $BESubPrefix1
207-
$gwsub1 = New-AzureRMVirtualNetworkSubnetConfig -Name $GWSubName1 -AddressPrefix $GWSubPrefix1
208-
209-
New-AzureRMVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1 -Location $Location1 -AddressPrefix $VNetPrefix11,$VNetPrefix12 -Subnet $fesub1,$besub1,$gwsub1
210-
211-
$gw1pip1 = New-AzureRMPublicIpAddress -Name $GW1IPName1 -ResourceGroupName $RG1 -Location $Location1 -AllocationMethod Dynamic
212-
213-
$vnet1 = Get-AzureRMVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1
214-
215-
$subnet1 = Get-AzureRMVirtualNetworkSubnetConfig -Name "GatewaySubnet" `
216-
-VirtualNetwork $vnet1
217-
218-
$gw1ipconf1 = New-AzureRMVirtualNetworkGatewayIpConfig -Name $GW1IPconf1 `
219-
-Subnet $subnet1 -PublicIpAddress $gw1pip1
220-
221-
New-AzureRMVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1 `
222-
-Location $Location1 -IpConfigurations $gw1ipconf1 -GatewayType Vpn `
223-
-VpnType RouteBased -GatewaySku VpnGw1
224-
225-
New-AzureRMLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1 `
226-
-Location $Location1 -GatewayIpAddress $LNGIP6 -AddressPrefix `
227-
$LNGPrefix61,$LNGPrefix62
228-
```
229-
---
230-
231188
### Step 2 - Create a site-to-site VPN connection with an IPsec/IKE policy
232189

233190
#### Create an IPsec/IKE policy
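Review bot: the deleted AzureRM block created the gateway with `-GatewaySku VpnGw1` (old lines 221-223), while the considerations list at line 31 states the IPsec/IKE policy only works on the Standard and HighPerformance SKUs. The corresponding lines of the retained Az block fall outside this hunk; confirm the SKU used there is consistent with the constraint at line 31, or correct the constraint, so that a reader who runs the script as printed does not end up with a gateway the stated policy requirement does not cover.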
@@ -237,46 +194,23 @@ This sample script creates an IPsec/IKE policy with the following algorithms and
237194
- IKEv2: AES128, SHA1, DHGroup14
238195
- IPsec: AES256, SHA256, none, SA Lifetime 14400 seconds, and 102400000KB
239196

240-
### [Az modules](#tab/az3)
241-
242197
```powershell
243198
$ipsecpolicy6 = New-AzIpsecPolicy -IkeEncryption AES128 -IkeIntegrity SHA1 -DhGroup DHGroup14 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup none -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000
244199
```
245200

246-
### [AzureRM modules](#tab/azurerm3)
247-
248-
```powershell
249-
$ipsecpolicy6 = New-AzureRMIpsecPolicy -IkeEncryption AES128 -IkeIntegrity SHA1 -DhGroup DHGroup14 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup none -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000
250-
```
251-
252-
---
253-
254201
If you use GCMAES for IPsec, you must use the same GCMAES algorithm and key length for both IPsec encryption and integrity.
255202

256203
#### Create the site-to-site VPN connection with the IPsec/IKE policy
257204

258205
Create a site-to-site VPN connection and apply the IPsec/IKE policy you created previously:
259206

260-
### [Az modules](#tab/az4)
261-
262207
```powershell
263208
$vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
264209
$lng6 = Get-AzLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1
265210
266211
New-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location $Location1 -ConnectionType IPsec -IpsecPolicies $ipsecpolicy6 -SharedKey 'Azs123'
267212
```
268213

269-
### [AzureRM modules](#tab/azurerm4)
270-
271-
```powershell
272-
$vnet1gw = Get-AzureRMVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
273-
$lng6 = Get-AzureRMLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1
274-
275-
New-AzureRMVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location $Location1 -ConnectionType IPsec -IpsecPolicies $ipsecpolicy6 -SharedKey 'Azs123'
276-
```
277-
278-
---
279-
280214
> [!IMPORTANT]
281215
> Once an IPsec/IKE policy is specified on a connection, the Azure VPN gateway only sends or accepts the IPsec/IKE proposal with specified cryptographic algorithms and key strengths on that particular connection. Make sure your on-premises VPN device for the connection uses or accepts the exact policy combination, otherwise the site-to-site VPN tunnel cannot be established.
282216
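Review bot: two points on the retained Az blocks. First, `-SharedKey 'Azs123'` at line 211 embeds a short literal pre-shared key in a copy-paste script, and the same key is spelled `"AzS123"` in the later update and remove scripts (old lines 373 and 447, and the `@@ -361` hunk header); the spellings should be reconciled, and a reader-supplied variable in place of the literal would stop a six-character sample PSK from being carried into real deployments. Second, the sample policy at line 198 uses `-IkeIntegrity SHA1` and `-PfsGroup none`; the prose at lines 194-195 describes exactly that, so it is accurate, but one sentence saying these are illustrative and that SHA256 integrity and a PFS group are the preferable choices would keep readers from copying the weakest combination the gateway accepts. The `[!IMPORTANT]` block at line 215 already warns that the on-premises device must match the policy exactly, which is the right place to add it.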
@@ -295,8 +229,6 @@ The previous section showed how to manage IPsec/IKE policy for an existing site-
295229

296230
The following example shows how to get the IPsec/IKE policy configured on a connection. The scripts also continue from the previous exercises.
297231

298-
### [Az modules](#tab/az5)
299-
300232
```powershell
301233
$RG1 = "TestPolicyRG1"
302234
$Connection16 = "VNet1toSite6"
@@ -317,38 +249,12 @@ DhGroup : DHGroup14
317249
PfsGroup : None
318250
```
319251

320-
### [AzureRM modules](#tab/azurerm5)
321-
322-
```powershell
323-
$RG1 = "TestPolicyRG1"
324-
$Connection16 = "VNet1toSite6"
325-
$connection6 = Get-AzureRMVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
326-
$connection6.IpsecPolicies
327-
```
328-
329-
The last command lists the current IPsec/IKE policy configured on the connection, if any. The following example is a sample output for the connection:
330-
331-
```output
332-
SALifeTimeSeconds : 14400
333-
SADataSizeKilobytes : 102400000
334-
IpsecEncryption : AES256
335-
IpsecIntegrity : SHA256
336-
IkeEncryption : AES128
337-
IkeIntegrity : SHA1
338-
DhGroup : DHGroup14
339-
PfsGroup : None
340-
```
341-
342-
---
343-
344252
If there's no IPsec/IKE policy configured, the command `$connection6.policy` gets an empty return. It does not mean that IPsec/IKE isn't configured on the connection; it means there's no custom IPsec/IKE policy. The actual connection uses the default policy negotiated between your on-premises VPN device and the Azure VPN gateway.
345253

346254
### Add or update an IPsec/IKE policy for a connection
347255

348256
The steps to add a new policy or update an existing policy on a connection are the same: create a new policy, then apply the new policy to the connection.
349257

350-
### [Az modules](#tab/az8)
351-
352258
```powershell
353259
$RG1 = "TestPolicyRG1"
354260
$Connection16 = "VNet1toSite6"
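Review bot: the retained prose at line 252 says "the command `$connection6.policy` gets an empty return", but the script it describes (lines 301-302 in the Az block, and the deleted AzureRM block at old lines 325-326) reads `$connection6.IpsecPolicies`; `.policy` is not the property the script queries. Suggest changing it to `$connection6.IpsecPolicies`. The deleted AzureRM tab carried its own sample-output listing (old lines 329-340); the Az tab keeps an identical one (its tail is visible at lines 317-318), so no output example is lost.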
@@ -361,26 +267,8 @@ $connection6.SharedKey = "AzS123"
361267
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection6 -IpsecPolicies $newpolicy6
362268
```
363269

364-
### [AzureRM modules](#tab/azurerm8)
365-
366-
```powershell
367-
$RG1 = "TestPolicyRG1"
368-
$Connection16 = "VNet1toSite6"
369-
$connection6 = Get-AzureRMVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
370-
371-
$newpolicy6 = New-AzureRMIpsecPolicy -IkeEncryption AES128 -IkeIntegrity SHA1 -DhGroup DHGroup14 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000
372-
373-
$connection6.SharedKey = "AzS123"
374-
375-
Set-AzureRMVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection6 -IpsecPolicies $newpolicy6
376-
```
377-
378-
---
379-
380270
You can get the connection again to check if the policy is updated:
381271

382-
### [Az modules](#tab/az6)
383-
384272
```powershell
385273
$connection6 = Get-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
386274
$connection6.IpsecPolicies
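Review bot: the retained script (hunk header and old line 361) sets `$connection6.SharedKey = "AzS123"` on the fetched connection object before calling `Set-AzVirtualNetworkGatewayConnection`, but the introductory text at line 256 only says "create a new policy, then apply the new policy to the connection" and never explains why the shared key must be reassigned. A sentence stating the reason would stop readers from dropping that line when adapting the script. Minor: `-PfsGroup None` here versus `-PfsGroup none` at line 198; harmless, but one spelling would be cleaner.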
@@ -399,34 +287,10 @@ DhGroup : DHGroup14
399287
PfsGroup : None
400288
```
401289

402-
### [AzureRM modules](#tab/azurerm6)
403-
404-
```powershell
405-
$connection6 = Get-AzureRMVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
406-
$connection6.IpsecPolicies
407-
```
408-
409-
You should see the output from the last line, as shown in the following example:
410-
411-
```output
412-
SALifeTimeSeconds : 14400
413-
SADataSizeKilobytes : 102400000
414-
IpsecEncryption : AES256
415-
IpsecIntegrity : SHA256
416-
IkeEncryption : AES128
417-
IkeIntegrity : SHA1
418-
DhGroup : DHGroup14
419-
PfsGroup : None
420-
```
421-
422-
---
423-
424290
### 3. Remove an IPsec/IKE policy from a connection
425291

426292
After you remove the custom policy from a connection, the Azure VPN gateway reverts to the [default IPsec/IKE proposal](azure-stack-vpn-gateway-settings.md#ipsecike-parameters), and renegotiates with your on-premises VPN device.
427293

428-
### [Az modules](#tab/az7)
429-
430294
```powershell
431295
$RG1 = "TestPolicyRG1"
432296
$Connection16 = "VNet1toSite6"
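Review bot: heading numbering is inconsistent across the retained text: `### Step 2 - Create a site-to-site VPN connection with an IPsec/IKE policy` (old line 231) versus `### 3. Remove an IPsec/IKE policy from a connection` at line 290 here. Pick one form. Otherwise this hunk is a clean removal of the tab heading.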
@@ -438,23 +302,8 @@ $connection6.IpsecPolicies.Remove($currentpolicy)
438302
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection6
439303
```
440304

441-
### [AzureRM modules](#tab/azurerm7)
442-
443-
```powershell
444-
$RG1 = "TestPolicyRG1"
445-
$Connection16 = "VNet1toSite6"
446-
$connection6 = Get-AzureRMVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
447-
$connection6.SharedKey = "AzS123"
448-
$currentpolicy = $connection6.IpsecPolicies[0]
449-
$connection6.IpsecPolicies.Remove($currentpolicy)
450-
451-
Set-AzureRMVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection6
452-
```
453-
454-
---
455-
456-
You can use the same script to check if the policy has been removed from the connection.
305+
You can use the same script to check if the policy was removed from the connection.
457306

458307
## Next steps
459308

460-
- [VPN gateway configuration settings for Azure Stack Hub](azure-stack-vpn-gateway-settings.md)
309+
[VPN gateway configuration settings for Azure Stack Hub](azure-stack-vpn-gateway-settings.md)
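Review bot: the sentence at new line 305, "You can use the same script to check if the policy was removed from the connection", does not say which script; it means the Get-AzVirtualNetworkGatewayConnection / `$connection6.IpsecPolicies` check from the previous section, and naming it would remove the ambiguity. Dropping the `- ` bullet from the single Next steps link is fine for a one-item list.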
