Chapter7-2723 asked:

Azure site-to-site VPN

Hi,
I have a plan to create an Azure site-to-site VPN.

Customer has configured below settings on his on-premise network.

Phase 1 & 2:
Encryption: AES256, HASH: SHA384, Diffie-Hellman:16

How to configure Azure site-to-site VPN with these parameters?

Please help. Thanks

Regards

Tags: azure-virtual-network, azure-vpn-gateway

AndreasBaumgarten answered:

Hi @Chapter7-2723 ,

the IPsec/IKE settings for Azure site-to-site connections can be configured in the Azure Portal:
https://docs.microsoft.com/de-de/azure/vpn-gateway/ipsec-ike-policy-howto


or via PowerShell:
https://docs.microsoft.com/de-de/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten
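The PowerShell route linked above, as an added worked example (this is not code from the thread, from Andreas, or from the linked Microsoft pages). It assumes the Az.Network module, an existing route-based VPN gateway and an existing local network gateway; the resource group, gateway, local network gateway and connection names are placeholders. The algorithm values follow the thread: AES256 and SHA384 for phase 1 as the customer asked, and for phase 2 GCMAES256 because SHA384 is not in the IPsec integrity list. The DH/PFS group is an assumption chosen for the example, since DH group 16 is not offered, and should be agreed with the customer from the supported-groups list.

```powershell
# Added example: attach a custom IPsec/IKE policy to an Azure site-to-site connection.
# Requires Az.Network and an authenticated session (Connect-AzAccount).
# Custom policies need a route-based gateway (not the Basic SKU).

$rg       = 'rg-hub-network'     # placeholder resource group
$gwName   = 'vpngw-hub'          # placeholder: existing virtual network gateway
$lngName  = 'lng-customer-site'  # placeholder: existing local network gateway (customer device)
$connName = 'cn-customer-s2s'    # placeholder connection name

# Read the pre-shared key at run time rather than hard-coding it in the script.
$sharedKey = Read-Host -Prompt 'Pre-shared key for the customer device'

# Policy values. Comments mark what comes from the thread and what is assumed.
$policyParams = @{
    IkeEncryption       = 'AES256'     # phase 1 encryption, as the customer requested
    IkeIntegrity        = 'SHA384'     # phase 1 integrity; SHA384 is in the supported IKE list
    DhGroup             = 'DHGroup24'  # assumption: DH group 16 is not offered; agree a supported group
    IpsecEncryption     = 'GCMAES256'  # phase 2: AES-GCM is AEAD, so integrity must use the same value
    IpsecIntegrity      = 'GCMAES256'  # phase 2: SHA384 is not in the IPsec integrity list, so it cannot be used
    PfsGroup            = 'PFS24'      # assumption: PFS group for phase 2 rekeys, matched to DhGroup above
    SALifeTimeSeconds   = 27000        # phase 2 SA lifetime
    SADataSizeKilobytes = 102400000    # phase 2 SA data-size limit
}
$policy = New-AzIpsecPolicy @policyParams

$vnetGw  = Get-AzVirtualNetworkGateway -Name $gwName  -ResourceGroupName $rg
$localGw = Get-AzLocalNetworkGateway   -Name $lngName -ResourceGroupName $rg

# Create the connection with the custom policy. For an existing connection use
# Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn -IpsecPolicies $policy
$conn = New-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg `
    -Location $vnetGw.Location `
    -VirtualNetworkGateway1 $vnetGw `
    -LocalNetworkGateway2 $localGw `
    -ConnectionType IPsec `
    -ConnectionProtocol IKEv2 `
    -SharedKey $sharedKey `
    -IpsecPolicies $policy

# Check: read the connection back. An empty IpsecPolicies collection means no custom
# policy is attached and the gateway negotiates with the Azure default policy instead.
$check = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg
if (-not $check.IpsecPolicies -or $check.IpsecPolicies.Count -eq 0) {
    Write-Warning "No custom policy on '$connName': the Azure default IPsec/IKE policy applies."
} else {
    $check.IpsecPolicies | Format-List IkeEncryption, IkeIntegrity, DhGroup,
        IpsecEncryption, IpsecIntegrity, PfsGroup, SALifeTimeSeconds, SADataSizeKilobytes
}
```

The customer's device must propose exactly one matching combination; if its phase 2 proposal still carries SHA384, the tunnel will not come up, so the read-back step is the quickest way to confirm what Azure will actually offer before coordinating the on-premise side.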


Chapter7-2723 answered:

Hi,

Does Azure support SHA384 hash length and DH 16 on both phases (1 and 2)?

AndreasBaumgarten answered:

Hi @Chapter7-2723 ,

these are the supported algorithms and keys:
https://docs.microsoft.com/de-de/azure/vpn-gateway/ipsec-ike-policy-howto#algorithms-and-keys

For IKE Integrity it's SHA384, SHA256, SHA1, MD5.
For IPsec Integrity it's GCMAES256, GCMAES192, GCMAES128, SHA256, SHA1, MD5 -> SHA384 is not listed as supported and can't be selected in the Azure Portal for that reason.

"DH 16" is not listed and not supported.
https://docs.microsoft.com/de-de/azure/vpn-gateway/ipsec-ike-policy-howto#diffie-hellman-groups


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

Chapter7-2723 answered:

Hi,

So what do you suggest? What should I recommend to the customer regarding the parameters he should configure on the on-premise side?



Regards

AndreasBaumgarten answered (edited):

Hi @Chapter7-2723 ,

my recommendation is:
Select the parameters based on your and your customer's requirements and the available options on both VPN gateway devices.

The BSI (Federal Office for Information Security) published a guide here (English): https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-3.pdf;jsessionid=F8FBBAFD83AB347BB242C1F4CBD9C826.internet461?__blob=publicationFile&v=2

And here is a document from NIST (National Institute of Standards and Technology)
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-77r1.pdf

Maybe there is an official guide like this available in your country as well.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten


Chapter7-2723 answered:

Hi

My customer can change his parameters according to the Maximum Azure supported parameters.


He asked me for my suggestions. I do not have experience; what should it be?


AndreasBaumgarten commented:

Hi @Chapter7-2723 ,

if you should make a suggestion, it might be a good idea to take a look at different sources with "recommendations" and the argumentation "why these recommendations are good or the right ones for your requirements".
The settings might consider the security and protection requirements of the VPN connection.
Just providing some values without knowing what they mean, what might happen, and without knowing whether the security and protection requirements are met is not the best idea. Just my opinion.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten


27882454 answered:

Hi,

If we choose Site-to-Site (IPsec) and IKEv2, which security parameters are selected by default?

AndreasBaumgarten answered:

Hi @27882454 ,

you can find the default IKE/IPsec parameters of the default policy here:

https://docs.microsoft.com/de-de/azure/vpn-gateway/vpn-gateway-about-vpn-devices#default-ipsecike-parameters


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten
