About cryptographic requirements and Azure VPN gateways

This article discusses how you can configure Azure VPN gateways to satisfy your cryptographic requirements for both cross-premises S2S VPN tunnels and VNet-to-VNet connections within Azure.

About IPsec and IKE policy parameters for Azure VPN gateways

IPsec and IKE protocol standard supports a wide range of cryptographic algorithms in various combinations. If customers do not request a specific combination of cryptographic algorithms and parameters, Azure VPN gateways use a set of default proposals. The default policy sets were chosen to maximize interoperability with a wide range of third-party VPN devices in default configurations. As a result, the policies and the number of proposals cannot cover all possible combinations of available cryptographic algorithms and key strengths.

The default policy set for Azure VPN gateway is listed in the document: About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections.

Cryptographic requirements

For communications that require specific cryptographic algorithms or parameters, typically due to compliance or security requirements, customers can now configure their Azure VPN gateways to use a custom IPsec/IKE policy with specific cryptographic algorithms and key strengths, rather than the Azure default policy sets.

For example, the IKEv2 main mode policies for Azure VPN gateways utilize only Diffie-Hellman Group 2 (1024 bits), whereas customers may need to specify stronger groups to be used in IKE, such as Group 14 (2048-bit), Group 24 (2048-bit MODP Group), or ECP (elliptic curve groups) 256 or 384 bit (Group 19 and Group 20, respectively). Similar requirements apply to IPsec quick mode policies as well.

Custom IPsec/IKE policy with Azure VPN gateways

Azure VPN gateways now support per-connection, custom IPsec/IKE policy. For a Site-to-Site or VNet-to-VNet connection, you can choose a specific combination of cryptographic algorithms for IPsec and IKE with the desired key strength, as shown in the following example:

ipsec-ike-policy

You can create an IPsec/IKE policy and apply to a new or existing connection.

Workflow

  1. Create the virtual networks, VPN gateways, or local network gateways for your connectivity topology as described in other how-to documents
  2. Create an IPsec/IKE policy
  3. You can apply the policy when you create a S2S or VNet-to-VNet connection
  4. If the connection is already created, you can apply or update the policy to an existing connection

IPsec/IKE policy FAQ

Is Custom IPsec/IKE policy supported on all Azure VPN Gateway SKUs?

Custom IPsec/IKE policy is supported on Azure VpnGw1, VpnGw2, VpnGw3, Standard, and HighPerformance VPN gateways. Basic SKU is NOT supported.

How many policies can I specify on a connection?

You can only specify one policy combination for a given connection.

Can I specify a partial policy on a connection? (E.g., only IKE algorithms but not IPsec)

No, you must specify all algorithms and parameters for both IKE (Main Mode) and IPsec (Quick Mode). Partial policy specification is not allowed.

What are the algorithms and key strengths supported in the custom policy?

The table below lists the supported cryptographic algorithms and key strengths configurable by the customers. You must select one option for every field.

IPsec/IKEv2 Options
IKEv2 Encryption AES256, AES192, AES128, DES3, DES
IKEv2 Integrity SHA384, SHA256, SHA1, MD5
DH Group DHGroup24, ECP384, ECP256, DHGroup14 (DHGroup2048), DHGroup2, DHGroup1, None
IPsec Encryption GCMAES256, GCMAES192, GCMAES128, AES256, AES192, AES128, DES3, DES, None
IPsec Integrity GCMAES256, GCMAES192, GCMAES128, SHA256, SHA1, MD5
PFS Group PFS24, ECP384, ECP256, PFS2048, PFS2, PFS1, None
QM SA Lifetime Seconds (integer; min. 300/default 27000 seconds)
KBytes (integer; min. 1024/default 102400000 KBytes)
Traffic Selector UsePolicyBasedTrafficSelectors ($True/$False; default $False)
Important
  1. DHGroup2048 & PFS2048 are the same as Diffie-Hellman Group 14 in IKE and IPsec PFS. Please see Diffie-Hellman Groups for the complete mappings.
  2. For GCMAES algorithms, you must specify the same GCMAES algorithm and key length for both IPsec Encryption and Integrity.
  3. IKEv2 Main Mode SA lifetime is fixed at 28,800 seconds on the Azure VPN gateways
  4. QM SA Lifetimes are optional parameters. If none was specified, default values of 27,000 seconds (7.5hrs) and 102400000 KBytes (102GB) are used.
  5. UsePolicyBasedTrafficSelector is an option parameter on the connection. Please see the next FAQ item for "UsePolicyBasedTrafficSelectors"

Does everything need to match between the Azure VPN gateway policy and my on-premises VPN device configurations?

Your on-premises VPN device configuration must match or contain the following algorithms and parameters that you specify on the Azure IPsec/IKE policy:

  • IKE encryption algorithm
  • IKE integrity algorithm
  • DH Group
  • IPsec encryption algorithm
  • IPsec integrity algorithm
  • PFS Group
  • Traffic Selector (*)

The SA lifetimes are local specifications only, do not need to match.

If you enable UsePolicyBasedTrafficSelectors, you need to ensure your VPN device has the matching traffic selectors defined with all combinations of your on-premises network (local network gateway) prefixes to/from the Azure virtual network prefixes, instead of any-to-any. For example, if your on-premises network prefixes are 10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to specify the following traffic selectors:

  • 10.1.0.0/16 <====> 192.168.0.0/16
  • 10.1.0.0/16 <====> 172.16.0.0/16
  • 10.2.0.0/16 <====> 192.168.0.0/16
  • 10.2.0.0/16 <====> 172.16.0.0/16

Refer to Connect multiple on-premises policy-based VPN devices for more details on how to use this option.

Which Diffie-Hellman Groups are supported?

The table below lists the supported Diffie-Hellman Groups for IKE (DHGroup) and IPsec (PFSGroup):

Diffie-Hellman Group DHGroup PFSGroup Key length
1 DHGroup1 PFS1 768-bit MODP
2 DHGroup2 PFS2 1024-bit MODP
14 DHGroup14
DHGroup2048
PFS2048 2048-bit MODP
19 ECP256 ECP256 256-bit ECP
20 ECP384 ECP284 384-bit ECP
24 DHGroup24 PFS24 2048-bit MODP

Refer to RFC3526 and RFC5114 for more details.

Does the custom policy replace the default IPsec/IKE policy sets for Azure VPN gateways?

Yes, once a custom policy is specified on a connection, Azure VPN gateway will only use the policy on the connection, both as IKE initiator and IKE responder.

If I remove a custom IPsec/IKE policy, does the connection become unprotected?

No, the connection will still be protected by IPsec/IKE. Once you remove the custom policy from a connection, the Azure VPN gateway will revert back to the default list of IPsec/IKE proposals and re-start the IKE handshake again with your on-premises VPN device.

Would adding or updating an IPsec/IKE policy disrupt my VPN connection?

Yes, it could cause a small disruption (a few seconds) as the Azure VPN gateway will tear down the existing connection and re-start the IKE handshake to re-establish the IPsec tunnel with the new cryptographic algorithms and parameters. Please ensure your on-premises VPN device is also configured with the matching algorithms and key strengths to minimize the disruption.

Can I use different policies on different connections?

Yes. Custom policy is applied on a per-connection basis. You can create and apply different IPsec/IKE policies on different connections. You can also choose to apply custom policies on a subset of connections. The remaining ones will use the Azure default IPsec/IKE policy sets.

Can I use the custom policy on VNet-to-VNet connection as well?

Yes, you can apply custom policy on both IPsec cross-premises connections or VNet-to-VNet connections.

Do I need to specify the same policy on both VNet-to-VNet connection resources?

Yes. A VNet-to-VNet tunnel consists of two connection resources in Azure, one for each direction. You need to ensure both connection resources have the same policy, othereise the VNet-to-VNet connection will not establish.

Does custom IPsec/IKE policy work on ExpressRoute connection?

No. IPsec/IKE policy only works on S2S VPN and VNet-to-VNet connections via the Azure VPN gateways.

Next steps

See Configure IPsec/IKE policy for step-by-step instructions on configuring custom IPsec/IKE policy on a connection.

See also Connect multiple policy-based VPN devices to learn more about the UsePolicyBasedTrafficSelectors option.