Configure a custom IPsec policy for Virtual WAN using the portal
You can configure a custom IPsec policy for a Virtual WAN VPN connection in the Azure portal. Custom policies are helpful when you want both sides (on-premises and Azure VPN gateway) to use the same settings for IKE Phase 1 and IKE Phase 2.
Working with custom policies
When working with custom IPsec policies, keep in mind the following requirements:
- IKE - For IKE, you can select any parameter from IKE Encryption, plus any parameter from IKE Integrity, plus any parameter from DH Group.
- IPsec - For IPsec, you can select any parameter from IPsec Encryption, plus any parameter from IPsec Integrity, plus PFS. If any of the parameters for IPsec Encryption or IPsec Integrity is GCM, then the parameters for both settings must be GCM.
The default custom policy includes SHA1, DHGroup2, and 3DES for backward compatibility. These are weaker algorithms that aren't supported when creating a custom policy. We recommend only using the following algorithms:
Available settings and parameters
| Setting | Parameters |
|---|---|
| IKE Encryption | GCMAES256, GCMAES128, AES256, AES128 |
| IKE Integrity | SHA384, SHA256 |
| DH Group | ECP384, ECP256, DHGroup24, DHGroup14 |
| IPsec Encryption | GCMAES256, GCMAES128, AES256, AES128, None |
| IPsec Integrity | GCMAES256, GCMAES128, SHA256 |
| PFS Group | ECP384, ECP256, PFS24, PFS14, None |
| SA Lifetime | integer; min. 300/ default 3600 seconds |
Configure a policy
Locate the virtual hub. In the Azure portal, go to your Virtual WAN resource and locate the virtual hub that your VPN site is connected to.
Select the VPN site. From the hub overview page, click VPN (Site to site) and select the VPN Site for which you want to set up a custom IPsec policy.
Edit the VPN connection. From the Context menu ..., select Edit VPN Connection.
Configure the settings. On the Edit VPN connection page, change the IPsec setting from default to custom and customize the IPsec policy. Select Save to save your settings.
Next steps
To learn more about Virtual WAN, see the Virtual WAN Overview page.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for