Configure a Point-to-Site VPN connection to a VNet using multiple authentication types: Azure portal
This article helps you securely connect individual clients running Windows, Linux, or macOS to an Azure VNet. Point-to-Site (P2S) VPN connections are useful when you want to connect to your VNet from a remote location, such as when you are telecommuting from home or a conference. You can also use P2S instead of a Site-to-Site VPN when you have only a few clients that need to connect to a VNet. Point-to-Site connections do not require a VPN device or a public-facing IP address. P2S creates the VPN connection over OpenVPN, SSTP (Secure Socket Tunneling Protocol), or IKEv2.
For more information about point-to-site VPN, see About point-to-site VPN. To create this configuration using Azure PowerShell, see Configure a point-to-site VPN using Azure PowerShell.
Multiple authentication types on the same VPN gateway are only supported with the OpenVPN tunnel type.
You can use the following values to create a test environment, or refer to these values to better understand the examples in this article:
- VNet Name: VNet1
- Address space: 10.1.0.0/16
For this example, we use only one address space. You can have more than one address space for your VNet.
- Subnet name: FrontEnd
- Subnet address range: 10.1.0.0/24
- Subscription: If you have more than one subscription, verify that you are using the correct one.
- Resource Group: TestRG1
- Location: East US
- GatewaySubnet: 10.1.255.0/27
- Virtual network gateway name: VNet1GW
- Gateway type: VPN
- VPN type: Route-based
- Public IP address name: VNet1GWpip
- Connection type: Point-to-site
- Client address pool: 172.16.201.0/24
VPN clients that connect to the VNet using this Point-to-Site connection receive an IP address from the client address pool.
Create a virtual network
When using a virtual network as part of a cross-premises architecture, be sure to coordinate with your on-premises network administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address range exists on both sides of the VPN connection, traffic will route in an unexpected way. Additionally, if you want to connect this virtual network to another virtual network, the address space cannot overlap with the other virtual network. Plan your network configuration accordingly.
Sign in to the Azure portal.
In Search resources, services, and docs (G+/), type virtual network.
Select Virtual Network from the Marketplace results.
On the Virtual Network page, select Create.
Once you select Create, the Create virtual network page opens.
On the Basics tab, configure Project details and Instance details VNet settings.
When you fill in the fields, you see a green check mark when the characters you enter in the field are validated. Some values are autofilled, which you can replace with your own values:
- Subscription: Verify that the subscription listed is the correct one. You can change subscriptions by using the drop-down.
- Resource group: Select an existing resource group, or click Create new to create a new one. For more information about resource groups, see Azure Resource Manager overview.
- Name: Enter the name for your virtual network.
- Region: Select the location for your VNet. The location determines where the resources that you deploy to this VNet will live.
On the IP Addresses tab, configure the values. The values shown in the examples below are for demonstration purposes. Adjust these values according to the settings that you require.
- IPv4 address space: By default, an address space is automatically created. You can click the address space to adjust it to reflect your own values. You can also add additional address spaces.
- Subnet: If you use the default address space, a default subnet is created automatically. If you change the address space, you need to add a subnet. Select + Add subnet to open the Add subnet window. Configure the following settings and then select Add to add the values:
- Subnet name: In this example, we named the subnet "FrontEnd".
- Subnet address range: The address range for this subnet.
On the Security tab, at this time, leave the default values:
- DDoS protection: Basic
- Firewall: Disabled
Select Review + create to validate the virtual network settings.
After the settings have been validated, select Create.
Virtual network gateway
In this step, you create the virtual network gateway for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.
The Basic gateway SKU does not support OpenVPN tunnel type.
The virtual network gateway uses a specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use.
When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the VPN gateway configuration that you want to create. Some configurations require more IP addresses than others. We recommend that you create a gateway subnet that uses a /27 or /28.
If you see an error that specifies that the address space overlaps with a subnet, or that the subnet is not contained within the address space for your virtual network, check your VNet address range. You may not have enough IP addresses available in the address range you created for your virtual network. For example, if your default subnet encompasses the entire address range, there are no IP addresses left to create additional subnets. You can either adjust your subnets within the existing address space to free up IP addresses, or specify an additional address range and create the gateway subnet there.
From the Azure portal, in Search resources, services, and docs (G+/) type virtual network gateway. Locate Virtual network gateway in the search results and select it.
On the Virtual network gateway page, select + Add. This opens the Create virtual network gateway page.
On the Basics tab, fill in the values for your virtual network gateway.
- Subscription: Select the subscription you want to use from the dropdown.
- Resource Group: This setting is autofilled when you select your virtual network on this page.
- Name: Name your gateway. Naming your gateway is not the same as naming a gateway subnet. It's the name of the gateway object you are creating.
- Region: Select the region in which you want to create this resource. The region for the gateway must be the same as the virtual network.
- Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
- VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.
- SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN type you select. Make sure to select a SKU that supports the features you want to use. For more information about gateway SKUs, see Gateway SKUs.
- Generation: For information about VPN Gateway Generation, see Gateway SKUs.
- Virtual network: From the dropdown, select the virtual network to which you want to add this gateway.
- Gateway subnet address range: This field only appears if your VNet doesn't have a gateway subnet. If possible, make the range /27 or larger (/26, /25, and so on). We don't recommend creating a range any smaller than /28. If you already have a gateway subnet, you can view the GatewaySubnet details by navigating to your virtual network and selecting Subnets to view the range. If you want to change the range, you can delete and recreate the GatewaySubnet.
Public IP address
This setting specifies the public IP address object that gets associated to the VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.
- Public IP address: Leave Create new selected.
- Public IP address name: In the text box, type a name for your public IP address instance.
- Assignment: VPN gateway supports only Dynamic.
- Enable active-active mode: Only select Enable active-active mode if you are creating an active-active gateway configuration. Otherwise, leave this setting Disabled.
- Leave Configure BGP as Disabled, unless your configuration specifically requires this setting. If you do require this setting, the default ASN is 65515, although this can be changed.
Select Review + create to run validation.
Once validation passes, select Create to deploy the VPN gateway.
A gateway can take up to 45 minutes to fully create and deploy. You can see the deployment status on the Overview page for your gateway. After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.
Client address pool
The client address pool is a range of private IP addresses that you specify. The clients that connect over a Point-to-Site VPN dynamically receive an IP address from this range. Use a private IP address range that does not overlap with the on-premises location that you connect from, or the VNet that you want to connect to. If you configure multiple protocols and SSTP is one of the protocols, then the configured address pool is split between the configured protocols equally.
Once the virtual network gateway has been created, navigate to the Settings section of the virtual network gateway page. In Settings, select Point-to-site configuration. Select Configure now to open the configuration page.
On the Point-to-site configuration page, you can configure a variety of settings. In the Address pool box, add the private IP address range that you want to use. VPN clients dynamically receive an IP address from the range that you specify. The minimum subnet mask is 29 bit for active/passive and 28 bit for active/active configuration.
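The address-plan rules from the sections above (the GatewaySubnet must lie inside the VNet address space, and the client pool must not overlap the VNet or the network you connect from) can be checked before anything is created in the portal. The following bash script is an added example and not part of the article; it uses the article's sample values for VNet1, the GatewaySubnet and the client pool, and a constructed on-premises range of 192.168.0.0/16 standing in for your own.

```shell
#!/usr/bin/env bash
# Added example (not from the Azure documentation): validates the IPv4 address
# plan of a point-to-site deployment. The VNet, GatewaySubnet and client pool
# values are the article's sample values; 192.168.0.0/16 is a constructed
# on-premises range standing in for your own.
set -eu

# Dotted quad -> unsigned 32-bit integer.
ip_to_int() {
  local IFS=.
  # shellcheck disable=SC2086
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "<first> <last>" as integers for a CIDR block such as 10.1.0.0/16.
cidr_range() {
  local ip=${1%/*} bits=${1#*/} base mask first
  base=$(ip_to_int "$ip")
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  fi
  first=$(( base & mask ))
  echo "$first $(( first | (~mask & 0xFFFFFFFF) ))"
}

# Returns 0 when the two CIDR blocks share at least one address.
cidr_overlap() {
  local a b
  a=$(cidr_range "$1"); b=$(cidr_range "$2")
  if [ "${a%% *}" -le "${b##* }" ] && [ "${b%% *}" -le "${a##* }" ]; then
    return 0
  fi
  return 1
}

# Returns 0 when block $2 lies entirely inside block $1.
cidr_contains() {
  local a b
  a=$(cidr_range "$1"); b=$(cidr_range "$2")
  if [ "${b%% *}" -ge "${a%% *}" ] && [ "${b##* }" -le "${a##* }" ]; then
    return 0
  fi
  return 1
}

# check_p2s_plan VNET GATEWAY_SUBNET CLIENT_POOL [ONPREM_RANGE ...]
# Prints one line per problem; returns the number of problems (0 = clean).
# Pool-size check uses the /29 active-passive minimum from the article.
check_p2s_plan() {
  local vnet=$1 gw=$2 pool=$3 r problems=0
  shift 3
  if ! cidr_contains "$vnet" "$gw"; then
    echo "GatewaySubnet $gw is not inside the VNet address space $vnet"; problems=$((problems + 1))
  fi
  if [ "${gw#*/}" -gt 28 ]; then
    echo "GatewaySubnet $gw is smaller than /28; use /27 or larger"; problems=$((problems + 1))
  fi
  if [ "${pool#*/}" -gt 29 ]; then
    echo "client pool $pool is smaller than /29 (active-passive minimum)"; problems=$((problems + 1))
  fi
  if cidr_overlap "$vnet" "$pool"; then
    echo "client pool $pool overlaps the VNet address space $vnet"; problems=$((problems + 1))
  fi
  for r in "$@"; do
    if cidr_overlap "$r" "$vnet"; then
      echo "on-premises range $r overlaps the VNet address space $vnet"; problems=$((problems + 1))
    fi
    if cidr_overlap "$r" "$pool"; then
      echo "on-premises range $r overlaps the client pool $pool"; problems=$((problems + 1))
    fi
  done
  return "$problems"
}

# Article values plus the constructed on-premises range: expected to pass.
if check_p2s_plan 10.1.0.0/16 10.1.255.0/27 172.16.201.0/24 192.168.0.0/16; then
  echo "plan OK"
fi
# A pool carved out of the VNet's own space: expected to be rejected.
if ! check_p2s_plan 10.1.0.0/16 10.1.255.0/27 10.1.200.0/24 192.168.0.0/16; then
  echo "plan rejected"
fi
```

A non-zero return from check_p2s_plan means the plan needs changing before you create the gateway; for an active-active gateway, tighten the pool check to /28 as stated above.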
Continue to the next section to configure authentication and tunnel types.
Authentication and tunnel types
In this section, you configure authentication type and tunnel type. On the Point-to-site configuration page, if you don't see Tunnel type or Authentication type, your gateway is using the Basic SKU. The Basic SKU does not support IKEv2 or RADIUS authentication. If you want to use these settings, you need to delete and recreate the gateway using a different gateway SKU.
On the Point-to-site configuration page, select OpenVPN (SSL) as the tunnel type.
For Authentication type, select the desired types. Options are:
- Azure certificate
- Azure Active Directory
Depending on the authentication types you select, different configuration fields appear and must be filled in. Fill in the required information and select Save at the top of the page to save all of the configuration settings.
For more information about authentication type, see:
VPN client configuration package
VPN clients must be configured with client configuration settings. The VPN client configuration package contains files with the settings to configure VPN clients in order to connect to a VNet over a P2S connection.
For instructions to generate and install VPN client configuration files, use the article that pertains to your configuration:
- Create and install VPN client configuration files for native Azure certificate authentication P2S configurations.
- Azure Active Directory authentication: Configure a VPN client for P2S OpenVPN protocol connections.
Point-to-site FAQ
This section contains FAQ information that pertains to point-to-site configurations. You can also view the VPN Gateway FAQ for additional information about VPN Gateway.
How many VPN client endpoints can I have in my Point-to-Site configuration?
It depends on the gateway SKU. For more information on the number of connections supported, see Gateway SKUs.
What client operating systems can I use with Point-to-Site?
The following client operating systems are supported:
- Windows Server 2008 R2 (64-bit only)
- Windows 8.1 (32-bit and 64-bit)
- Windows Server 2012 (64-bit only)
- Windows Server 2012 R2 (64-bit only)
- Windows Server 2016 (64-bit only)
- Windows Server 2019 (64-bit only)
- Windows 10
- macOS version 10.11 or above
- Linux (StrongSwan)
Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. To maintain support, see the updates to enable support for TLS1.2.
Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:
- RC4 (Rivest Cipher 4)
- DES (Data Encryption Standard)
- 3DES (Triple DES)
- MD5 (Message Digest 5)
How do I enable support for TLS 1.2 in Windows 8.1?
Open a command prompt with elevated privileges by right-clicking on Command Prompt and selecting Run as administrator.
Run the following commands in the command prompt:
```cmd
rem Enable TLS 1.2 for EAP (EAP-TLS is EAP type 13)
reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v TlsVersion /t REG_DWORD /d 0xfc0
rem Enable TLS 1.1 and 1.2 for WinHTTP
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
rem On 64-bit Windows, also set the value used by 32-bit processes
if %PROCESSOR_ARCHITECTURE% EQU AMD64 reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
```
Install the following updates:
Reboot the computer.
Connect to the VPN.
You will have to set the above registry key if you are running an older version of Windows 10 (10240).
Can I traverse proxies and firewalls using Point-to-Site capability?
Azure supports three Point-to-Site VPN tunnel types:
Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary TLS-based protocol that can traverse most firewalls, because outbound TCP port 443 (the HTTPS port) is usually open.
OpenVPN. OpenVPN is a TLS-based protocol that can traverse most firewalls for the same reason: it uses outbound TCP port 443.
IKEv2 VPN. IKEv2 VPN is a standards-based IPsec VPN solution that uses outbound UDP ports 500 and 4500 and IP protocol 50 (ESP). Firewalls do not always open these ports, so IKEv2 VPN may not be able to traverse proxies and firewalls.
If I restart a client computer configured for Point-to-Site, will the VPN automatically reconnect?
By default, the client computer will not reestablish the VPN connection automatically.
Does Point-to-Site support auto-reconnect and DDNS on the VPN clients?
Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.
Can I have Site-to-Site and Point-to-Site configurations coexist for the same virtual network?
Yes. For the Resource Manager deployment model, you must have a RouteBased VPN type for your gateway. For the classic deployment model, you need a dynamic gateway. We do not support Point-to-Site for static routing VPN gateways or PolicyBased VPN gateways.
Can I configure a Point-to-Site client to connect to multiple virtual network gateways at the same time?
Depending on the VPN client software used, you may be able to connect to multiple virtual network gateways, provided the virtual networks being connected to do not have conflicting address spaces between them or with the network from which the client is connecting. While the Azure VPN Client supports many VPN connections, only one connection can be Connected at any given time.
Can I configure a Point-to-Site client to connect to multiple virtual networks at the same time?
Yes, Point-to-Site client connections to a virtual network gateway that is deployed in a VNet which is peered with other VNets may have access to other peered VNets. Point-to-Site clients will be able to connect to peered VNets as long as the peered VNets are using the UseRemoteGateway / AllowGatewayTransit features. For more information, see About Point-to-Site routing.
How much throughput can I expect through Site-to-Site or Point-to-Site connections?
It's difficult to state the exact throughput of VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols, and throughput is also limited by the latency and bandwidth between your premises and the Internet. For a VPN Gateway with only IKEv2 Point-to-Site VPN connections, the total throughput that you can expect depends on the gateway SKU. For more information on throughput, see Gateway SKUs.
Can I use any software VPN client for Point-to-Site that supports SSTP and/or IKEv2?
No. You can only use the native VPN client on Windows for SSTP, and the native VPN client on Mac for IKEv2. However, you can use the OpenVPN client on all platforms to connect over OpenVPN protocol. Refer to the list of supported client operating systems.
Can I change the authentication type for a Point-to-Site connection?
Yes. In the portal, navigate to the VPN gateway -> Point-to-site configuration page. For Authentication type, select the authentication types that you want to use. Note that after you change an authentication type, current clients may not be able to connect until a new VPN client configuration profile has been generated, downloaded, and applied to each VPN client.
Does Azure support IKEv2 VPN with Windows?
IKEv2 is supported on Windows 10 and Server 2016. However, in order to use IKEv2, you must install updates and set a registry key value locally. OS versions prior to Windows 10 are not supported and can only use SSTP or OpenVPN® Protocol.
To prepare Windows 10 or Server 2016 for IKEv2:
Install the update for your OS version:
- Windows Server 2016 and Windows 10 Version 1607: KB4057142 (January 17, 2018)
- Windows 10 Version 1703: KB4057144 (January 17, 2018)
- Windows 10 Version 1709: KB4089848 (March 22, 2018)
Set the registry key value. Create or set the REG_DWORD value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2\DisableCertReqPayload to 1.
What happens when I configure both SSTP and IKEv2 for P2S VPN connections?
When you configure both SSTP and IKEv2 in a mixed environment (consisting of Windows and macOS devices), the Windows VPN client will always try the IKEv2 tunnel first, but will fall back to SSTP if the IKEv2 connection is not successful. macOS will only connect via IKEv2.
Other than Windows and Mac, which other platforms does Azure support for P2S VPN?
Azure supports Windows, Mac, and Linux for P2S VPN.
I already have an Azure VPN Gateway deployed. Can I enable RADIUS and/or IKEv2 VPN on it?
Yes, if the gateway SKU that you are using supports RADIUS and/or IKEv2, you can enable these features on gateways that you've already deployed by using PowerShell or the Azure portal. Note that the Basic SKU does not support RADIUS or IKEv2.
How do I remove the configuration of a P2S connection?
A P2S configuration can be removed with Azure PowerShell or the Azure CLI using the following commands.
Azure PowerShell:
```powershell
# Load the gateway, clear its client configuration, and write it back
$gw = Get-AzVirtualNetworkGateway -Name <gateway-name> -ResourceGroupName <resource-group-name>
$gw.VpnClientConfiguration = $null
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw
```
Azure CLI:
```azurecli
az network vnet-gateway update --name <gateway-name> --resource-group <resource-group-name> --remove "vpnClientConfiguration"
```
What should I do if I'm getting a certificate mismatch when connecting using certificate authentication?
Uncheck "Verify the server's identity by validating the certificate" or add the server FQDN along with the certificate when creating a profile manually. You can do this by running rasphone from a command prompt and picking the profile from the drop-down list.
Bypassing server identity validation is not recommended in general, but with Azure certificate authentication the same certificate is used for server validation in the VPN tunneling protocol (IKEv2/SSTP) and in the EAP protocol. Since the server certificate and FQDN are already validated by the VPN tunneling protocol, validating them again in EAP is redundant.
Can I use my own internal PKI root CA to generate certificates for Point-to-Site connectivity?
Yes. Previously, only self-signed root certificates could be used. You can upload up to 20 root certificates.
Can I use certificates from Azure Key Vault?
What tools can I use to create certificates?
You can use your Enterprise PKI solution (your internal PKI), Azure PowerShell, MakeCert, and OpenSSL.
Are there instructions for certificate settings and parameters?
Internal PKI/Enterprise PKI solution: See the steps to Generate certificates.
Azure PowerShell: See the Azure PowerShell article for steps.
MakeCert: See the MakeCert article for steps.
When exporting certificates, be sure to export the root certificate as Base64-encoded X.509 (.CER); the portal takes the Base64 body of the certificate, not the binary DER file.
For the client certificate:
- When creating the private key, specify the length as 4096.
- When creating the certificate, for the -extensions parameter, specify usr_cert.
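The OpenSSL parameters above, carried through as an added example that is not part of the article: the script below builds a self-signed root certificate, exports the Base64 body that the gateway's root certificate field accepts, and issues a 4096-bit client certificate signed with usr_cert extensions. The subject names (P2SRootCert, client1), validity periods, the PFX password and the working directory are assumptions; the p2s.cnf file is written inline so the script does not depend on the system openssl.cnf.

```shell
#!/usr/bin/env bash
# Added example (not from the Azure documentation): an OpenSSL workflow that
# produces a self-signed root certificate for the gateway's P2S configuration
# and a client certificate signed by it, using the parameters the article
# gives (4096-bit client key, usr_cert extensions, Base64 root export).
# Subject names, validity periods, the PFX password and the working
# directory are assumptions; adjust them for your environment.
set -eu

WORKDIR=${WORKDIR:-$(mktemp -d)}
PFX_PASS=${PFX_PASS:-changeme}
cd "$WORKDIR"

# Self-contained OpenSSL config: a [v3_ca] section for the root and a
# [usr_cert] section modelled on the stock openssl.cnf one, plus the
# clientAuth EKU that an Azure VPN client certificate must carry.
cat > p2s.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

# Root CA: the private key stays offline; only rootca.crt goes to Azure.
make_root_ca() {
  openssl genrsa -out rootca.key 4096 2>/dev/null
  openssl req -x509 -new -key rootca.key -sha256 -days 3650 \
    -config p2s.cnf -extensions v3_ca -subj "/CN=P2SRootCert" -out rootca.crt
}

# The portal's root certificate field takes the Base64 body only: strip the
# PEM BEGIN/END lines and join the remaining lines into a single line.
root_cert_base64() {
  openssl x509 -in rootca.crt -outform PEM | grep -v -- '-----' | tr -d '\n'
}

# Client certificate: 4096-bit key, CSR, signed with the usr_cert extensions,
# then bundled with the key into a PKCS#12 file for import on the client.
make_client_cert() {
  local name=$1
  openssl genrsa -out "$name.key" 4096 2>/dev/null
  openssl req -new -key "$name.key" -config p2s.cnf -subj "/CN=$name" -out "$name.csr"
  openssl x509 -req -in "$name.csr" -CA rootca.crt -CAkey rootca.key -CAcreateserial \
    -days 365 -sha256 -extfile p2s.cnf -extensions usr_cert -out "$name.crt" 2>/dev/null
  # Add -legacy on OpenSSL 3 if an older Windows build refuses the .pfx.
  openssl pkcs12 -export -in "$name.crt" -inkey "$name.key" -certfile rootca.crt \
    -name "$name" -passout "pass:$PFX_PASS" -out "$name.pfx"
}

# Key size of a generated client key (the article asks for 4096).
client_key_bits() {
  openssl rsa -in "$1.key" -noout -text 2>/dev/null \
    | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Returns 0 when the client cert chains to the root and carries clientAuth.
client_cert_ok() {
  if openssl verify -CAfile rootca.crt "$1.crt" >/dev/null \
     && openssl x509 -in "$1.crt" -noout -text | grep -q 'TLS Web Client Authentication'; then
    return 0
  fi
  return 1
}

make_root_ca
make_client_cert client1
echo "Paste this into the gateway's root certificate field:"
root_cert_base64; echo
echo "Files written to $WORKDIR"
```

Keep rootca.key offline: anyone holding it can mint client certificates that the gateway will accept. Upload only the Base64 output to the gateway and import client1.pfx on the client machine.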
Once your connection is complete, you can add virtual machines to your virtual networks. For more information, see Virtual Machines. To understand more about networking and virtual machines, see Azure and Linux VM network overview.
For P2S troubleshooting information, see Troubleshooting Azure point-to-site connections.