Site-to-site IPsec policies

This article shows the supported IPsec policy combinations.

Default IPsec policies

Note

When working with Default policies, Azure can act as both initiator and responder during an IPsec tunnel setup. There is no support for Azure as a responder only.

Initiator

The following sections list the supported policy combinations when Azure is the initiator for the tunnel.

Phase-1

  • AES_256, SHA1, DH_GROUP_2
  • AES_256, SHA_256, DH_GROUP_2
  • AES_128, SHA1, DH_GROUP_2
  • AES_128, SHA_256, DH_GROUP_2

Phase-2

  • GCM_AES_256, GCM_AES_256, PFS_NONE
  • AES_256, SHA_1, PFS_NONE
  • AES_256, SHA_256, PFS_NONE
  • AES_128, SHA_1, PFS_NONE

Responder

The following sections list the supported policy combinations when Azure is the responder for the tunnel.

Phase-1

  • AES_256, SHA1, DH_GROUP_2
  • AES_256, SHA_256, DH_GROUP_2
  • AES_128, SHA1, DH_GROUP_2
  • AES_128, SHA_256, DH_GROUP_2

Phase-2

  • GCM_AES_256, GCM_AES_256, PFS_NONE
  • AES_256, SHA_1, PFS_NONE
  • AES_256, SHA_256, PFS_NONE
  • AES_128, SHA_1, PFS_NONE
  • AES_256, SHA_1, PFS_1
  • AES_256, SHA_1, PFS_2
  • AES_256, SHA_1, PFS_14
  • AES_128, SHA_1, PFS_1
  • AES_128, SHA_1, PFS_2
  • AES_128, SHA_1, PFS_14
  • AES_256, SHA_256, PFS_1
  • AES_256, SHA_256, PFS_2
  • AES_256, SHA_256, PFS_14
  • AES_256, SHA_1, PFS_24
  • AES_256, SHA_256, PFS_24
  • AES_128, SHA_256, PFS_NONE
  • AES_128, SHA_256, PFS_1
  • AES_128, SHA_256, PFS_2
  • AES_128, SHA_256, PFS_14

Custom IPsec policies

When working with custom IPsec policies, keep in mind the following requirements:

  • IKE - For IKE, you can select any parameter from IKE Encryption, plus any parameter from IKE Integrity, plus any parameter from DH Group.
  • IPsec - For IPsec, you can select any parameter from IPsec Encryption, plus any parameter from IPsec Integrity, plus PFS. If any of the parameters for IPsec Encryption or IPsec Integrity is GCM, then the parameters for both settings must be GCM.

Note

With Custom IPsec policies, there is no concept of responder and initiator (unlike Default IPsec policies). Both sides (on-premises and Azure VPN gateway) will use the same settings for IKE Phase 1 and IKE Phase 2. Both IKEv1 and IKEv2 protocols are supported. There is no support for Azure as a responder only.

Available settings and parameters

Setting Parameters
IKE Encryption GCMAES256, GCMAES128, AES256, AES128
IKE Integrity SHA384, SHA256
DH Group ECP384, ECP256, DHGroup24, DHGroup14
IPsec Encryption GCMAES256, GCMAES128, AES256, AES128, None
IPsec Integrity GCMAES256, GCMAES128, SHA256
PFS Group ECP384, ECP256, PFS24, PFS14, None
SA Lifetime integer; min. 300/ default 27000 seconds

Next steps

For steps to configure a custom IPsec policy, see Configure a custom IPsec policy for Virtual WAN.

For more information about Virtual WAN, see About Azure Virtual WAN and the Azure Virtual WAN FAQ.