azure-stack/user/azure-stack-vpn-s2s.md
4 additions & 155 deletions
@@ -5,7 +5,7 @@ author: sethmanheim
5
5
ms.custom:
6
6
- devx-track-azurepowershell
7
7
ms.topic: how-to
8
-
ms.date: 01/21/2025
8
+
ms.date: 08/12/2025
9
9
ms.author: sethm
10
10
ms.lastreviewed: 11/22/2020
11
11
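Review bot: `ms.date` is bumped to 08/12/2025 here, but the `ms.lastreviewed: 11/22/2020` context line two lines below it is left as is, so the front matter records a fresh edit against a review date from 2020. If the IPsec/IKE guidance was re-checked as part of this change, update `ms.lastreviewed` in the same commit; if it was not, say so in the commit description, since the article documents cryptographic parameters that readers copy into gateway configurations.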
@@ -28,7 +28,7 @@ This article provides instructions on how to create and configure an IPsec/IKE p
28
28
29
29
Note the following important considerations when using these policies:
30
30
31
-
- The IPsec/IKE policy only works on the *Standard* and *HighPerformance* (route-based) gateway SKUs.
31
+
- The IPsec/IKE policy only works on the **Standard** and **HighPerformance** (route-based) gateway SKUs.
32
32
- You can only specify one policy combination for a given connection.
33
33
- You must specify all algorithms and parameters for both IKE (Main Mode) and IPsec (Quick Mode). Partial policy specification is not allowed.
34
34
- Consult with your VPN device vendor specifications to ensure the policy is supported on your on-premises VPN devices. Site-to-site connections can't be established if the policies are incompatible.
@@ -149,30 +149,16 @@ Make sure you switch to PowerShell mode to use the Resource Manager cmdlets. For
149
149
150
150
Open your PowerShell console and connect to your account; for example:
#### Create the virtual network, VPN gateway, and local network gateway
171
159
172
160
The following example creates the virtual network, **TestVNet1**, along with three subnets and the VPN gateway. When substituting values, it's important that you specifically name your gateway subnet **GatewaySubnet**. If you name it something else, your gateway creation fails.
> Once an IPsec/IKE policy is specified on a connection, the Azure VPN gateway only sends or accepts the IPsec/IKE proposal with specified cryptographic algorithms and key strengths on that particular connection. Make sure your on-premises VPN device for the connection uses or accepts the exact policy combination, otherwise the site-to-site VPN tunnel cannot be established.
282
216
@@ -295,8 +229,6 @@ The previous section showed how to manage IPsec/IKE policy for an existing site-
295
229
296
230
The following example shows how to get the IPsec/IKE policy configured on a connection. The scripts also continue from the previous exercises.
The last command lists the current IPsec/IKE policy configured on the connection, if any. The following example is a sample output for the connection:
330
-
331
-
```output
332
-
SALifeTimeSeconds : 14400
333
-
SADataSizeKilobytes : 102400000
334
-
IpsecEncryption : AES256
335
-
IpsecIntegrity : SHA256
336
-
IkeEncryption : AES128
337
-
IkeIntegrity : SHA1
338
-
DhGroup : DHGroup14
339
-
PfsGroup : None
340
-
```
341
-
342
-
---
343
-
344
252
If there's no IPsec/IKE policy configured, the command `$connection6.policy` gets an empty return. It does not mean that IPsec/IKE isn't configured on the connection; it means there's no custom IPsec/IKE policy. The actual connection uses the default policy negotiated between your on-premises VPN device and the Azure VPN gateway.
345
253
346
254
### Add or update an IPsec/IKE policy for a connection
347
255
348
256
The steps to add a new policy or update an existing policy on a connection are the same: create a new policy, then apply the new policy to the connection.
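Review bot: the sentence "The following example is a sample output for the connection:" stays as context while the `output` block it introduces (SALifeTimeSeconds through PfsGroup) is deleted immediately after it. Confirm that a sample output still follows that sentence in the resulting file; if this was the only copy, keep one block or reword the sentence, because the next paragraph about `$connection6.policy` returning empty depends on the reader knowing what a populated policy looks like.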
You should see the output from the last line, as shown in the following example:
410
-
411
-
```output
412
-
SALifeTimeSeconds : 14400
413
-
SADataSizeKilobytes : 102400000
414
-
IpsecEncryption : AES256
415
-
IpsecIntegrity : SHA256
416
-
IkeEncryption : AES128
417
-
IkeIntegrity : SHA1
418
-
DhGroup : DHGroup14
419
-
PfsGroup : None
420
-
```
421
-
422
-
---
423
-
424
290
### 3. Remove an IPsec/IKE policy from a connection
425
291
426
292
After you remove the custom policy from a connection, the Azure VPN gateway reverts to the [default IPsec/IKE proposal](azure-stack-vpn-gateway-settings.md#ipsecike-parameters), and renegotiates with your on-premises VPN device.
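Review bot: the context heading "### 3. Remove an IPsec/IKE policy from a connection" carries a step number while "### Add or update an IPsec/IKE policy for a connection" earlier in the same section has none; since this commit is already cleaning up the section, make the heading numbering consistent in one direction. In the same region, "You should see the output from the last line, as shown in the following example:" is retained while the `output` block after it is removed, so check that an example still follows it in the final file.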