Cisco have removed Diffie-Hellman Group 2 (see below), but Microsoft Azure VPN Basic Gateway utilizes Diffie-Hellman Group 2 by default for Site2Site VPN. As a result, you need to set up a custom IPsec/IKE policy, which is not supported in the Basic VPN Gateway SKU and would require upgrading to at least the next SKU (VpnGW1). The issue I have is that the VPN is to connect to a single virtual machine in Azure. The basic VPN is approx. £20 per month while the next model is approx. £104 per month, which is more expensive than the VM itself. Has anyone come across this, and is there any workaround? I can't see how I can recommend migrating a single VM into Azure with a Site2Site VPN with the cost.
Diffie-Hellman GROUP 5 is deprecated for IKEv1 and removed for IKEv2
Diffie-Hellman groups 2 and 24 have been removed.
Encryption algorithms: 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256 have been removed.
Custom IPsec/IKE policy is supported on all Azure SKUs except the Basic SKU.
[1]: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto