JoeDeally-5087 asked, msrini-MSFT answered

Basic VPN Gateway and Custom IPsec/IKE policy not supported

Cisco have removed Diffie-Hellman Group 2 (see below), but Microsoft Azure VPN Basic Gateway uses Diffie-Hellman Group 2 by default for Site2Site VPN. As a result you need to set up a custom IPsec/IKE policy, which is not supported in the Basic VPN Gateway SKU, so you would have to upgrade to at least the next SKU (VpnGw1). The issue I have is that the VPN is to connect to a single virtual machine in Azure; the Basic VPN is approx. £20 per month, while the next model is approx. £104 per month, which is more expensive than the VM itself. Has anyone come across this, and is there any workaround? I can't see how I can recommend migrating a single VM into Azure with a Site2Site VPN at that cost.


Diffie-Hellman GROUP 5 is deprecated for IKEv1 and removed for IKEv2

Diffie-Hellman groups 2 and 24 have been removed.

Encryption algorithms: 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256 have been removed.
Custom IPsec/IKE policy is supported on all Azure SKUs except the Basic SKU.*


[1]: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto

azure-vpn-gateway
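The custom IPsec/IKE policy the question refers to, as an added Azure PowerShell example that is not part of the original post. The resource group, gateway, local network gateway and connection names and the shared key are placeholder assumptions; DHGroup14 is chosen only because it is not among the groups the quoted Cisco note lists as removed.

```powershell
# Added example, not from the original post. Names and the shared key below
# are placeholders; replace them with your own resources.
$rg       = "rg-vpn-demo"
$connName = "cn-azure-to-onprem"

# Custom policy replacing the Basic SKU default of DH Group 2.
# DHGroup14 = 2048-bit MODP; PFS2048 keeps Phase 2 at the same strength.
$ipsecPolicy = New-AzIpsecPolicy `
    -IkeEncryption       AES256 `
    -IkeIntegrity        SHA256 `
    -DhGroup             DHGroup14 `
    -IpsecEncryption     AES256 `
    -IpsecIntegrity      SHA256 `
    -PfsGroup            PFS2048 `
    -SALifeTimeSeconds   27000 `
    -SADataSizeKilobytes 102400000

# The virtual network gateway must be VpnGw1 or higher; the Basic SKU
# does not accept -IpsecPolicies on a connection.
$gw  = Get-AzVirtualNetworkGateway -Name "vgw-demo"   -ResourceGroupName $rg
$lng = Get-AzLocalNetworkGateway   -Name "lng-onprem" -ResourceGroupName $rg

New-AzVirtualNetworkGatewayConnection `
    -Name $connName -ResourceGroupName $rg -Location $gw.Location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey "<shared-key-placeholder>" `
    -IpsecPolicies $ipsecPolicy

# Verify the policy that is actually attached to the connection, so a
# mismatch with the on-premises Cisco proposal can be spotted before
# the tunnel is brought up.
(Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg).IpsecPolicies
```

The same group and algorithm set must be configured in the on-premises IKEv2 proposal, otherwise Phase 1 negotiation fails regardless of the SKU.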

1 Answer

msrini-MSFT answered

@JoeDeally-5087,

If you feel the Azure VPN gateway is costly, then you can go with any NVA, such as Cisco, which you can deploy in Azure and configure to form a tunnel between Azure and on-prem.

There you will not get any issues with the IKE policies.
