About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections

A VPN device is required to configure a Site-to-Site (S2S) cross-premises VPN connection using a VPN gateway. Site-to-Site connections can be used to create a hybrid solution, or whenever you want secure connections between your on-premises networks and your virtual networks. This article provides the list of IPsec/IKE parameters for Azure VPN gateways, and a list of validated VPN devices connecting to Azure VPN gateways.

Important

If you are experiencing connectivity issues between your on-premises VPN devices and Azure VPN gateways, refer to Known device compatibility issues.

Items to note when viewing the tables:

  • There has been a terminology change for Azure VPN gateways. You'll likely run into both terms. There is no functionality change, only the names are changing.
    • Static Routing = PolicyBased
    • Dynamic Routing = RouteBased
  • Specifications for High Performance VPN gateway and RouteBased VPN gateway are the same unless otherwise noted. For example, the validated VPN devices that are compatible with RouteBased VPN gateways are also compatible with the Azure High Performance VPN gateway.

Note

When configuring a Site-to-Site connection, a public-facing IPv4 IP address is required for your VPN device.

Validated VPN devices

We have validated a set of standard VPN devices in partnership with device vendors. All the devices in the device families contained in the following list should work with Azure VPN gateways. See About VPN Gateway to verify the type of gateway that you need to create for the solution you want to configure.

To help configure your VPN device, refer to the links that correspond to the appropriate device family. For VPN device support, contact your device manufacturer.

| Vendor | Device family | Minimum OS version | PolicyBased | RouteBased |
|---|---|---|---|---|
| A10 Networks, Inc. | Thunder CFW | ACOS 4.1.1 | Not compatible | Configuration guide |
| Allied Telesis | AR Series VPN Routers | 2.9.2 | Coming soon | Not compatible |
| Barracuda Networks, Inc. | Barracuda NextGen Firewall F-series | PolicyBased: 5.4.3; RouteBased: 6.2.0 | Configuration guide | Configuration guide |
| Barracuda Networks, Inc. | Barracuda NextGen Firewall X-series | Barracuda Firewall 6.5 | Configuration guide | Not compatible |
| Brocade | Vyatta 5400 vRouter | Virtual Router 6.6R3 GA | Configuration guide | Not compatible |
| Check Point | Security Gateway | R77.30 | Configuration guide | Configuration guide |
| Cisco | ASA | 8.3 | Configuration samples | Not compatible |
| Cisco | ASR | PolicyBased: IOS 15.1; RouteBased: IOS 15.2 | Configuration samples | Configuration samples |
| Cisco | ISR | PolicyBased: IOS 15.0; RouteBased*: IOS 15.1 | Configuration samples | Configuration samples* |
| Citrix | NetScaler MPX, SDX, VPX | 10.1 and above | Configuration guide | Not compatible |
| Dell | SonicWALL TZ Series, NSA Series, SuperMassive Series, E-Class NSA Series | SonicOS 5.8.x; SonicOS 5.9.x; SonicOS 6.x | Configuration guide for SonicOS 6.2; Configuration guide for SonicOS 5.9 | Configuration guide for SonicOS 6.2; Configuration guide for SonicOS 5.9 |
| F5 | BIG-IP series | 12.0 | Configuration guide | Configuration guide |
| Fortinet | FortiGate | FortiOS 5.4.2 | Configuration guide | Configuration guide |
| Internet Initiative Japan (IIJ) | SEIL Series | SEIL/X 4.60; SEIL/B1 4.60; SEIL/x86 3.20 | Configuration guide | Not compatible |
| Juniper | SRX | PolicyBased: JunOS 10.2; RouteBased: JunOS 11.4 | Configuration samples | Configuration samples |
| Juniper | J-Series | PolicyBased: JunOS 10.4r9; RouteBased: JunOS 11.4 | Configuration samples | Configuration samples |
| Juniper | ISG | ScreenOS 6.3 | Configuration samples | Configuration samples |
| Juniper | SSG | ScreenOS 6.2 | Configuration samples | Configuration samples |
| Microsoft | Routing and Remote Access Service | Windows Server 2012 | Not compatible | Configuration samples |
| Open Systems AG | Mission Control Security Gateway | N/A | Configuration guide | Configuration guide |
| Openswan | Openswan | 2.6.32 | (Coming soon) | Not compatible |
| Palo Alto Networks | All devices running PAN-OS | PAN-OS PolicyBased: 6.1.5 or later; RouteBased: 7.1.4 | Configuration guide | Configuration guide |
| WatchGuard | All | Fireware XTM PolicyBased: v11.11.x; RouteBased: v11.12.x | Configuration guide | Configuration guide |

(*) ISR 7200 Series routers only support PolicyBased VPNs.

Non-validated VPN devices

If you don't see your device listed in the Validated VPN devices table, your device may still work with a Site-to-Site connection. Contact your device manufacturer for additional support and configuration instructions.

Editing device configuration samples

After you download the provided VPN device configuration sample, you’ll need to replace some of the values to reflect the settings for your environment.

To edit a sample:

  1. Open the sample using Notepad.
  2. Search and replace all <text> strings with the values that pertain to your environment. Be sure to include < and >. When a name is specified, the name you select should be unique. If a command does not work, consult your device manufacturer documentation.

| Sample text | Change to |
|---|---|
| <RP_OnPremisesNetwork> | Your chosen name for this object. Example: myOnPremisesNetwork |
| <RP_AzureNetwork> | Your chosen name for this object. Example: myAzureNetwork |
| <RP_AccessList> | Your chosen name for this object. Example: myAzureAccessList |
| <RP_IPSecTransformSet> | Your chosen name for this object. Example: myIPSecTransformSet |
| <RP_IPSecCryptoMap> | Your chosen name for this object. Example: myIPSecCryptoMap |
| <SP_AzureNetworkIpRange> | Specify range. Example: 192.168.0.0 |
| <SP_AzureNetworkSubnetMask> | Specify subnet mask. Example: 255.255.0.0 |
| <SP_OnPremisesNetworkIpRange> | Specify on-premises range. Example: 10.2.1.0 |
| <SP_OnPremisesNetworkSubnetMask> | Specify on-premises subnet mask. Example: 255.255.255.0 |
| <SP_AzureGatewayIpAddress> | This information is specific to your virtual network and is located in the Management Portal as Gateway IP address. |
| <SP_PresharedKey> | This information is specific to your virtual network and is located in the Management Portal as Manage Key. |
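Doing the search-and-replace above by hand in Notepad makes it easy to leave a placeholder behind or to reuse an object name. The following script is an added example, not code from the page or from any device vendor: it substitutes the placeholders listed in the table, checks the constraints the page states (names unique, angle brackets included in the match, a value for every token) plus a few sanity checks a practitioner would want (network/mask pairs that actually describe a network, a peer address that is not a private or link-local address, a non-empty key), and refuses to emit the configuration if anything is wrong. The config fragment, its CLI syntax, the `render`/`problems_for` helpers and the gateway address `203.0.113.5` are all constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed fragment in the style of a firewall CLI sample (illustrative syntax only,
# not taken from any real vendor sample). It uses the placeholder names the page lists,
# angle brackets included.
SAMPLE_CONFIG = """\
object-group network <RP_OnPremisesNetwork>
 network-object <SP_OnPremisesNetworkIpRange> <SP_OnPremisesNetworkSubnetMask>
object-group network <RP_AzureNetwork>
 network-object <SP_AzureNetworkIpRange> <SP_AzureNetworkSubnetMask>
access-list <RP_AccessList> extended permit ip object-group <RP_OnPremisesNetwork> object-group <RP_AzureNetwork>
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes-256 esp-sha-hmac
crypto map <RP_IPSecCryptoMap> 10 set peer <SP_AzureGatewayIpAddress>
tunnel-group <SP_AzureGatewayIpAddress> ipsec-attributes
 pre-shared-key <SP_PresharedKey>
"""

# Matches a whole placeholder including the < and > the page says to replace.
PLACEHOLDER_RE = re.compile(r"<(?:RP|SP)_[A-Za-z0-9]+>")

# RP_* tokens are object names the page says must be unique.
NAME_TOKENS = ("<RP_OnPremisesNetwork>", "<RP_AzureNetwork>", "<RP_AccessList>",
               "<RP_IPSecTransformSet>", "<RP_IPSecCryptoMap>")
NETWORK_PAIRS = (("<SP_AzureNetworkIpRange>", "<SP_AzureNetworkSubnetMask>"),
                 ("<SP_OnPremisesNetworkIpRange>", "<SP_OnPremisesNetworkSubnetMask>"))
# Address ranges that can never be the public address of a VPN peer (added check).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def find_placeholders(text: str) -> List[str]:
    """Distinct placeholder tokens in the sample, in order of first appearance."""
    seen: List[str] = []
    for m in PLACEHOLDER_RE.finditer(text):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def validate_values(values: Dict[str, str]) -> List[str]:
    """Problems with the supplied values; an empty list means they passed."""
    problems: List[str] = []
    names = [values[t] for t in NAME_TOKENS if t in values]
    if len(names) != len(set(names)):
        problems.append("RP_* object names must be unique")
    for rng, mask in NETWORK_PAIRS:
        if rng in values and mask in values:
            try:  # strict=True rejects a range whose host bits are set (e.g. 192.168.0.1/16)
                ipaddress.IPv4Network(f"{values[rng]}/{values[mask]}", strict=True)
            except ValueError as exc:
                problems.append(f"{rng}/{mask}: {exc}")
    gw = values.get("<SP_AzureGatewayIpAddress>")
    if gw is not None:
        try:
            addr = ipaddress.IPv4Address(gw)
        except ValueError:
            problems.append(f"<SP_AzureGatewayIpAddress> {gw!r} is not an IPv4 address")
        else:
            if any(addr in net for net in NON_ROUTABLE):
                problems.append(f"<SP_AzureGatewayIpAddress> {gw} is not a public IPv4 address")
    if not values.get("<SP_PresharedKey>"):
        problems.append("<SP_PresharedKey> must not be empty")
    return problems


def problems_for(template: str, values: Dict[str, str]) -> List[str]:
    """Value problems plus any placeholder in the template that has no value."""
    problems = validate_values(values)
    missing = [t for t in find_placeholders(template) if t not in values]
    if missing:
        problems.append("no value supplied for: " + ", ".join(missing))
    return problems


def render(template: str, values: Dict[str, str]) -> str:
    """Substitute every placeholder, or raise rather than emit a half-edited config."""
    problems = problems_for(template, values)
    if problems:
        raise ValueError("; ".join(problems))
    out = template
    for token, value in values.items():
        out = out.replace(token, value)
    leftover = PLACEHOLDER_RE.search(out)  # a value could itself contain a token
    if leftover:
        raise ValueError(f"placeholder still present after substitution: {leftover.group(0)}")
    return out


def example_values() -> Dict[str, str]:
    """Constructed values using the page's examples; gateway IP and key are stand-ins."""
    return {
        "<RP_OnPremisesNetwork>": "myOnPremisesNetwork",
        "<RP_AzureNetwork>": "myAzureNetwork",
        "<RP_AccessList>": "myAzureAccessList",
        "<RP_IPSecTransformSet>": "myIPSecTransformSet",
        "<RP_IPSecCryptoMap>": "myIPSecCryptoMap",
        "<SP_AzureNetworkIpRange>": "192.168.0.0",
        "<SP_AzureNetworkSubnetMask>": "255.255.0.0",
        "<SP_OnPremisesNetworkIpRange>": "10.2.1.0",
        "<SP_OnPremisesNetworkSubnetMask>": "255.255.255.0",
        "<SP_AzureGatewayIpAddress>": "203.0.113.5",  # documentation address, not a real gateway
        "<SP_PresharedKey>": "REPLACE-WITH-KEY-FROM-PORTAL",  # take the real value from Manage Key
    }


if __name__ == "__main__":
    print(render(SAMPLE_CONFIG, example_values()))
```

Run it as-is to see the rendered fragment; feed it a real vendor sample by reading the file into `template` and the portal values into the dictionary. The point of `problems_for` is that a misplaced mask or a forgotten token is reported before anything is pasted into the device, rather than showing up as a tunnel that never comes up.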

IPsec/IKE parameters

Note

Although the values listed in the following table are supported by the Azure VPN Gateway, currently there is no mechanism for you to specify or select a specific combination of algorithms or parameters from the Azure VPN Gateway. You must specify any constraints from the on-premises VPN device.

In addition, you must clamp the TCP MSS (maximum segment size) at 1350.

In the tables below:

  • SA = Security Association
  • IKE Phase 1 is also called "Main Mode"
  • IKE Phase 2 is also called "Quick Mode"

IKE Phase 1 (Main Mode) parameters

| Property | PolicyBased | RouteBased |
|---|---|---|
| IKE Version | IKEv1 | IKEv2 |
| Diffie-Hellman Group | Group 2 (1024 bit) | Group 2 (1024 bit) |
| Authentication Method | Pre-Shared Key | Pre-Shared Key |
| Encryption & Hashing Algorithms | 1. AES256, SHA256; 2. AES256, SHA1; 3. AES128, SHA1; 4. 3DES, SHA1 | 1. AES256, SHA1; 2. AES256, SHA256; 3. AES128, SHA1; 4. AES128, SHA256; 5. 3DES, SHA1; 6. 3DES, SHA256 |
| SA Lifetime | 28,800 seconds | 28,800 seconds |

IKE Phase 2 (Quick Mode) parameters

| Property | PolicyBased | RouteBased |
|---|---|---|
| IKE Version | IKEv1 | IKEv2 |
| Encryption & Hashing Algorithms | 1. AES256, SHA256; 2. AES256, SHA1; 3. AES128, SHA1; 4. 3DES, SHA1 | RouteBased QM SA Offers |
| SA Lifetime (Time) | 3,600 seconds | 27,000 seconds |
| SA Lifetime (Bytes) | 102,400,000 KB | - |
| Perfect Forward Secrecy (PFS) | No | RouteBased QM SA Offers |
| Dead Peer Detection (DPD) | Not supported | Supported |

RouteBased VPN IPsec Security Association (IKE Quick Mode SA) Offers

The following tables list the IPsec SA (IKE Quick Mode) offers. Offers are listed in the order of preference in which the Azure gateway presents them (as initiator) or accepts them (as responder).

Azure Gateway as initiator

| - | Encryption | Authentication | PFS Group |
|---|---|---|---|
| 1 | GCM AES256 | GCM (AES256) | None |
| 2 | AES256 | SHA1 | None |
| 3 | 3DES | SHA1 | None |
| 4 | AES256 | SHA256 | None |
| 5 | AES128 | SHA1 | None |
| 6 | 3DES | SHA256 | None |

Azure Gateway as responder

| - | Encryption | Authentication | PFS Group |
|---|---|---|---|
| 1 | GCM AES256 | GCM (AES256) | None |
| 2 | AES256 | SHA1 | None |
| 3 | 3DES | SHA1 | None |
| 4 | AES256 | SHA256 | None |
| 5 | AES128 | SHA1 | None |
| 6 | 3DES | SHA256 | None |
| 7 | DES | SHA1 | None |
| 8 | AES256 | SHA1 | 1 |
| 9 | AES256 | SHA1 | 2 |
| 10 | AES256 | SHA1 | 14 |
| 11 | AES128 | SHA1 | 1 |
| 12 | AES128 | SHA1 | 2 |
| 13 | AES128 | SHA1 | 14 |
| 14 | 3DES | SHA1 | 1 |
| 15 | 3DES | SHA1 | 2 |
| 16 | 3DES | SHA256 | 2 |
| 17 | AES256 | SHA256 | 1 |
| 18 | AES256 | SHA256 | 2 |
| 19 | AES256 | SHA256 | 14 |
| 20 | AES256 | SHA1 | 24 |
| 21 | AES256 | SHA256 | 24 |
| 22 | AES128 | SHA256 | None |
| 23 | AES128 | SHA256 | 1 |
| 24 | AES128 | SHA256 | 2 |
| 25 | AES128 | SHA256 | 14 |
| 26 | 3DES | SHA1 | 14 |

  • You can specify IPsec ESP NULL encryption with RouteBased and High Performance VPN gateways. NULL encryption provides no confidentiality for data in transit and should only be used when maximum throughput and minimum latency are required. Clients may choose to use this in VNet-to-VNet communication scenarios, or when encryption is being applied elsewhere in the solution.
  • For cross-premises connectivity through the Internet, use the default Azure VPN gateway settings with encryption and hashing algorithms listed in the tables above to ensure security of your critical communication.
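Because there is no way to pin a particular combination on the Azure side, what actually gets negotiated is decided by which of the offers above the on-premises device also proposes, and by the order in the Azure tables. The following script is an added example, not code from the page or from Azure; it transcribes the Phase 1 table and the two Quick Mode offer tables into data, reports Phase 1 mismatches, picks the offer that would result for a given peer proposal set, and flags choices a defender would want to notice (DES, 3DES, SHA1, no PFS, 1024-bit PFS groups). The selection model is an assumption taken literally from the sentence "listed in the order of preference": the first entry in Azure's list that the peer also supports wins, in both roles. The naming `GCM-AES256` for the AEAD offer and the functions `check_phase1`, `negotiate_qm` and `weaknesses` are constructed for this example.

```python
from typing import Dict, List, Optional, Tuple

# An offer is (encryption, authentication, PFS DH group or None for "no PFS").
Offer = Tuple[str, str, Optional[int]]

# Azure RouteBased IKE Quick Mode SA offers, transcribed from the page's tables in the
# order Azure presents them (as initiator) or accepts them (as responder).
AZURE_QM_INITIATOR: List[Offer] = [
    ("GCM-AES256", "GCM-AES256", None), ("AES256", "SHA1", None), ("3DES", "SHA1", None),
    ("AES256", "SHA256", None), ("AES128", "SHA1", None), ("3DES", "SHA256", None),
]
AZURE_QM_RESPONDER: List[Offer] = AZURE_QM_INITIATOR + [
    ("DES", "SHA1", None),
    ("AES256", "SHA1", 1), ("AES256", "SHA1", 2), ("AES256", "SHA1", 14),
    ("AES128", "SHA1", 1), ("AES128", "SHA1", 2), ("AES128", "SHA1", 14),
    ("3DES", "SHA1", 1), ("3DES", "SHA1", 2), ("3DES", "SHA256", 2),
    ("AES256", "SHA256", 1), ("AES256", "SHA256", 2), ("AES256", "SHA256", 14),
    ("AES256", "SHA1", 24), ("AES256", "SHA256", 24),
    ("AES128", "SHA256", None), ("AES128", "SHA256", 1), ("AES128", "SHA256", 2),
    ("AES128", "SHA256", 14),
    ("3DES", "SHA1", 14),
]

# IKE Phase 1 (Main Mode) parameters from the page, per gateway type.
PHASE1: Dict[str, dict] = {
    "PolicyBased": {"ike": "IKEv1", "dh": 2, "auth": "Pre-Shared Key",
                    "suites": [("AES256", "SHA256"), ("AES256", "SHA1"),
                               ("AES128", "SHA1"), ("3DES", "SHA1")]},
    "RouteBased": {"ike": "IKEv2", "dh": 2, "auth": "Pre-Shared Key",
                   "suites": [("AES256", "SHA1"), ("AES256", "SHA256"), ("AES128", "SHA1"),
                              ("AES128", "SHA256"), ("3DES", "SHA1"), ("3DES", "SHA256")]},
}


def check_phase1(gateway_type: str, ike_version: str, dh_group: int, auth: str,
                 suites: List[Tuple[str, str]]) -> List[str]:
    """Mismatches between an on-premises Phase 1 proposal and Azure's table (empty = fine)."""
    want = PHASE1[gateway_type]
    problems: List[str] = []
    if ike_version != want["ike"]:
        problems.append(f"IKE version {ike_version} (Azure {gateway_type} uses {want['ike']})")
    if dh_group != want["dh"]:
        problems.append(f"DH group {dh_group} (Azure {gateway_type} uses group {want['dh']})")
    if auth != want["auth"]:
        problems.append(f"authentication {auth} (Azure {gateway_type} uses {want['auth']})")
    if not any(s in want["suites"] for s in suites):
        problems.append("no encryption/hash pair in common")
    return problems


def negotiate_qm(azure_role: str, peer_offers: List[Offer]) -> Optional[Offer]:
    """First offer in Azure's list (for the given role) that the peer also supports.

    Modelling assumption: Azure's list order decides in both roles, as the page's
    "order of preference ... presented or accepted" wording suggests.
    """
    azure = AZURE_QM_INITIATOR if azure_role == "initiator" else AZURE_QM_RESPONDER
    peer = set(peer_offers)
    for offer in azure:
        if offer in peer:
            return offer
    return None


def weaknesses(offer: Offer) -> List[str]:
    """Properties of a negotiated offer that a defender would want flagged."""
    enc, auth, pfs = offer
    notes: List[str] = []
    if enc == "DES":
        notes.append("DES encryption (56-bit key)")
    elif enc == "3DES":
        notes.append("3DES encryption (64-bit block)")
    if auth == "SHA1":
        notes.append("SHA1 integrity")
    if pfs is None:
        notes.append("no PFS")
    elif pfs in (1, 2):
        notes.append(f"PFS DH group {pfs} (1024-bit modulus or smaller)")
    return notes


if __name__ == "__main__":
    # Constructed on-premises proposal set: a strong offer plus a legacy one left enabled.
    peer = [("AES128", "SHA256", 14), ("DES", "SHA1", None)]
    chosen = negotiate_qm("responder", peer)
    print("Azure as responder would accept:", chosen, "->", weaknesses(chosen))
```

Running the block shows the practical consequence: with the device initiating and still offering DES/SHA1 without PFS alongside AES128/SHA256/group 14, the responder table's order lands on row 7 (DES) rather than row 25. Removing legacy proposals from the device side, rather than relying on the gateway to prefer the stronger one, is the fix.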

Known device compatibility issues

Important

These are the known compatibility issues between third-party VPN devices and Azure VPN gateways. The Azure team is actively working with the vendors to address the issues listed here. Once the issues are resolved, this page will be updated with the most up-to-date information. Please check back periodically.

Feb. 16, 2017

Palo Alto Networks devices running PAN-OS versions prior to 7.1.4 with Azure route-based VPN: If you are using VPN devices from Palo Alto Networks with a PAN-OS version prior to 7.1.4 and are experiencing connectivity issues to Azure route-based VPN gateways, perform the following steps:

  1. Check the firmware version of your Palo Alto Networks device. If your PAN-OS version is older than 7.1.4, upgrade to 7.1.4.
  2. On the Palo Alto Networks device, change the Phase 2 SA (or Quick Mode SA) lifetime to 28,800 seconds (8 hours) when connecting to the Azure VPN gateway.
  3. If you are still experiencing connectivity issues, open a support request from the Azure Portal.