Configure a custom IPsec policy for Virtual WAN using the portal

You can configure a custom IPsec policy for a Virtual WAN VPN connection in the Azure portal. Custom policies are helpful when you want both sides (on-premises and Azure VPN gateway) to use the same settings for IKE Phase 1 and IKE Phase 2.

Working with custom policies

When working with custom IPsec policies, keep in mind the following requirements:

  • IKE - For IKE, you can select any parameter from IKE Encryption, plus any parameter from IKE Integrity, plus any parameter from DH Group.
  • IPsec - For IPsec, you can select any parameter from IPsec Encryption, plus any parameter from IPsec Integrity, plus PFS. If any of the parameters for IPsec Encryption or IPsec Integrity is GCM, then the parameters for both settings must be GCM.

Note

With Custom IPsec policies, there is no concept of responder and initiator (unlike Default IPsec policies). Both sides (on-premises and Azure VPN gateway) will use the same settings for IKE Phase 1 and IKE Phase 2. Both IKEv1 and IKEv2 protocols are supported.

Available settings and parameters

Setting Parameters
IKE Encryption GCMAES256, GCMAES128, AES256, AES128
IKE Integrity SHA384, SHA256
DH Group ECP384, ECP256, DHGroup24, DHGroup14
IPsec Encryption GCMAES256, GCMAES128, AES256, AES128, None
IPsec Integrity GCMAES256, GCMAES128, SHA256
PFS Group ECP384, ECP256, PFS24, PFS14, None
SA Lifetime integer; min. 300/ default 3600 seconds

Configure a policy

  1. Locate the virtual hub. From a browser, navigate to the Azure portal and sign in with your Azure account. Navigate to your Virtual WAN resource and locate the virtual hub that your VPN site is connected to.

  2. Select the VPN site. From the hub overview page, click VPN (Site to site) and select the VPN Site for which you want to set up a custom IPsec policy.

    select

  3. Edit the VPN connection. From the Context menu ..., select Edit VPN Connection.

    edit

  4. Configure the settings. On the Edit VPN connection page, change the IPsec setting from default to custom and customize the IPsec policy. Select Save to save your settings.

    configure and save

Next steps

To learn more about Virtual WAN, see the Virtual WAN Overview page.