About VPN devices for Site-to-Site VPN Gateway connections

A VPN device is required to configure a Site-to-Site (S2S) cross-premises VPN connection using a VPN gateway. Site-to-Site connections can be used to create a hybrid solution, or whenever you want a secure connection between your on-premises network and your virtual network. This article discusses compatible VPN devices and configuration parameters.

Note

When configuring a Site-to-Site connection, a public-facing IPv4 address is required for your VPN device.

If your device doesn't appear in the Validated VPN devices table, see the Non-validated VPN devices section of this article. It's possible that your device may still work with Azure. For VPN device support, please contact your device manufacturer.

Items to note when viewing the tables:

  • There has been a terminology change for static and dynamic routing. You'll likely run into both terms. There is no functionality change; only the names are changing.
    • Static Routing = PolicyBased
    • Dynamic Routing = RouteBased
  • Specifications for High Performance VPN gateway and RouteBased VPN gateway are the same unless otherwise noted. For example, the validated VPN devices that are compatible with RouteBased VPN gateways are also compatible with the Azure High Performance VPN gateway.

Validated VPN devices

We have validated a set of standard VPN devices in partnership with device vendors. All the devices in the device families contained in the following list should work with Azure VPN gateways. See About VPN Gateway to verify the type of gateway that you need to create for the solution you want to configure.

To help configure your VPN device, refer to the links that correspond to the appropriate device family. For VPN device support, please contact your device manufacturer.

Vendor | Device family | Minimum OS version | PolicyBased | RouteBased
--- | --- | --- | --- | ---
Allied Telesis | AR Series VPN Routers | 2.9.2 | Coming soon | Not compatible
Barracuda Networks, Inc. | Barracuda NextGen Firewall F-series | PolicyBased: 5.4.3; RouteBased: 6.2.0 | Configuration instructions | Configuration instructions
Barracuda Networks, Inc. | Barracuda NextGen Firewall X-series | Barracuda Firewall 6.5 | Barracuda Firewall | Not compatible
Brocade | Vyatta 5400 vRouter | Virtual Router 6.6R3 GA | Configuration instructions | Not compatible
Check Point | Security Gateway | R75.40; R75.40VS | Configuration instructions | Configuration instructions
Cisco | ASA | 8.3 | Cisco samples | Not compatible
Cisco | ASR | PolicyBased: IOS 15.1; RouteBased: IOS 15.2 | Cisco samples | Cisco samples
Cisco | ISR | PolicyBased: IOS 15.0; RouteBased*: IOS 15.1 | Cisco samples | Cisco samples*
Citrix | NetScaler MPX, SDX, VPX | 10.1 and above | Integration instructions | Not compatible
Dell SonicWALL | TZ Series, NSA Series; SuperMassive Series; E-Class NSA Series | SonicOS 5.8.x; SonicOS 5.9.x; SonicOS 6.x | Configuration guide for SonicOS 6.2; Configuration guide for SonicOS 5.9 | Configuration guide for SonicOS 6.2; Configuration guide for SonicOS 5.9
F5 | BIG-IP series | 12.0 | Configuration instructions | Configuration instructions
Fortinet | FortiGate | FortiOS 5.4.x | Configuration instructions | Configuration instructions
Internet Initiative Japan (IIJ) | SEIL Series | SEIL/X 4.60; SEIL/B1 4.60; SEIL/x86 3.20 | Configuration instructions | Not compatible
Juniper | SRX | PolicyBased: JunOS 10.2; RouteBased: JunOS 11.4 | Juniper samples | Juniper samples
Juniper | J-Series | PolicyBased: JunOS 10.4r9; RouteBased: JunOS 11.4 | Juniper samples | Juniper samples
Juniper | ISG | ScreenOS 6.3 | Juniper samples | Juniper samples
Juniper | SSG | ScreenOS 6.2 | Juniper samples | Juniper samples
Microsoft | Routing and Remote Access Service | Windows Server 2012 | Not compatible | Microsoft samples
Open Systems AG | Mission Control Security Gateway | N/A | Installation guide | Installation guide
Openswan | Openswan | 2.6.32 | (Coming soon) | Not compatible
Palo Alto Networks | All devices running PAN-OS | PAN-OS PolicyBased: 6.1.5 or later; RouteBased: 7.0.5 or later | Configuration instructions | Configuration instructions
WatchGuard | All | Fireware XTM PolicyBased: v11.11.x; RouteBased: v11.12.x | Configuration instructions | Configuration instructions

(*) ISR 7200 Series routers only support PolicyBased VPNs.

Non-validated VPN devices

If you don’t see your device listed in the Validated VPN devices table, it still may work with a Site-to-Site connection. Verify that your VPN device meets the minimum requirements outlined in the Gateway Requirements section of the About VPN Gateway article. Devices meeting the minimum requirements should also work well with VPN gateways. Contact your device manufacturer for additional support and configuration instructions.

Editing device configuration samples

After you download the provided VPN device configuration sample, you’ll need to replace some of the values to reflect the settings for your environment.

To edit a sample:

  1. Open the sample using Notepad.
  2. Search and replace all <text> strings with the values that pertain to your environment. Be sure to include < and >. When a name is specified, the name you select should be unique. If a command does not work, consult your device manufacturer documentation.
Sample text | Change to
--- | ---
<RP_OnPremisesNetwork> | Your chosen name for this object. Example: myOnPremisesNetwork
<RP_AzureNetwork> | Your chosen name for this object. Example: myAzureNetwork
<RP_AccessList> | Your chosen name for this object. Example: myAzureAccessList
<RP_IPSecTransformSet> | Your chosen name for this object. Example: myIPSecTransformSet
<RP_IPSecCryptoMap> | Your chosen name for this object. Example: myIPSecCryptoMap
<SP_AzureNetworkIpRange> | Specify range. Example: 192.168.0.0
<SP_AzureNetworkSubnetMask> | Specify subnet mask. Example: 255.255.0.0
<SP_OnPremisesNetworkIpRange> | Specify on-premises range. Example: 10.2.1.0
<SP_OnPremisesNetworkSubnetMask> | Specify on-premises subnet mask. Example: 255.255.255.0
<SP_AzureGatewayIpAddress> | This information is specific to your virtual network and is located in the Management Portal as Gateway IP address.
<SP_PresharedKey> | This information is specific to your virtual network and is located in the Management Portal as Manage Key.
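To vet the replacement values before editing a downloaded sample, here is an added Python example (not from the page or from the Azure documentation) that applies the rules in the table above: placeholders are replaced with their angle brackets, object names must be unique, and each range/mask pair must be a valid network. The sample lines, the VALUES dictionary and the non-overlap check are constructed for this example; 203.0.113.10 is a documentation address standing in for the portal's Gateway IP address.

```python
import ipaddress
import re

# Placeholder syntax used by the downloaded samples: <RP_Name> for object names, <SP_Name> for settings.
PLACEHOLDER = re.compile(r"<(?:RP|SP)_[A-Za-z0-9]+>")

# Constructed, vendor-neutral sample lines in the same placeholder style (not a real device sample).
SAMPLE = """\
object network <RP_AzureNetwork> subnet <SP_AzureNetworkIpRange> <SP_AzureNetworkSubnetMask>
object network <RP_OnPremisesNetwork> subnet <SP_OnPremisesNetworkIpRange> <SP_OnPremisesNetworkSubnetMask>
tunnel peer <SP_AzureGatewayIpAddress> psk <SP_PresharedKey>
"""

# Constructed replacement values following the "Change to" column (203.0.113.10 is a documentation address).
VALUES = {
    "<RP_AzureNetwork>": "myAzureNetwork", "<RP_OnPremisesNetwork>": "myOnPremisesNetwork",
    "<SP_AzureNetworkIpRange>": "192.168.0.0", "<SP_AzureNetworkSubnetMask>": "255.255.0.0",
    "<SP_OnPremisesNetworkIpRange>": "10.2.1.0", "<SP_OnPremisesNetworkSubnetMask>": "255.255.255.0",
    "<SP_AzureGatewayIpAddress>": "203.0.113.10", "<SP_PresharedKey>": "REPLACE-WITH-KEY-FROM-PORTAL",
}

def validate_values(values: dict[str, str]) -> list[str]:
    """Sanity-check replacement values before editing; an empty list means no problems found."""
    problems = []
    names = [v for k, v in values.items() if k.startswith("<RP_")]
    if len(names) != len(set(names)):  # object names must be unique on the device
        problems.append("object names (<RP_*>) must be unique")
    nets = {}
    for side in ("AzureNetwork", "OnPremisesNetwork"):
        rng, mask = values.get(f"<SP_{side}IpRange>"), values.get(f"<SP_{side}SubnetMask>")
        try:  # strict=True rejects a range with host bits set, e.g. 10.2.1.5/255.255.255.0
            nets[side] = ipaddress.ip_network(f"{rng}/{mask}", strict=True)
        except ValueError as exc:
            problems.append(f"{side}: {exc}")
    # Added check beyond the table: the two address spaces must not overlap, or traffic cannot be routed.
    if len(nets) == 2 and nets["AzureNetwork"].overlaps(nets["OnPremisesNetwork"]):
        problems.append("Azure and on-premises ranges overlap")
    try:  # the Site-to-Site tunnels on this page are IPv4; reject anything else
        if ipaddress.ip_address(values.get("<SP_AzureGatewayIpAddress>", "")).version != 4:
            problems.append("gateway address must be IPv4")
    except ValueError:
        problems.append("gateway IP address is not a valid IP address")
    return problems

def fill_sample(sample: str, values: dict[str, str]) -> str:
    """Replace every placeholder, angle brackets included; a placeholder with no value raises KeyError."""
    return PLACEHOLDER.sub(lambda m: values[m.group(0)], sample)
```

Run validate_values first and only call fill_sample when it returns an empty list; any placeholder left in the output (PLACEHOLDER.findall) means a value is missing.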

IPsec Parameters

Note

Although the values listed in the following table are supported by the Azure VPN Gateway, currently there is no way for you to specify or select a specific combination from the Azure VPN Gateway. You must specify any constraints from the on-premises VPN device. In addition, you must clamp MSS at 1350.

IKE Phase 1 setup

Property | PolicyBased | RouteBased and Standard or High Performance VPN gateway
--- | --- | ---
IKE Version | IKEv1 | IKEv2
Diffie-Hellman Group | Group 2 (1024 bit) | Group 2 (1024 bit)
Authentication Method | Pre-Shared Key | Pre-Shared Key
Encryption Algorithms | AES256, AES128, 3DES | AES256, 3DES
Hashing Algorithm | SHA1 (SHA128) | SHA1 (SHA128), SHA2 (SHA256)
Phase 1 Security Association (SA) Lifetime (Time) | 28,800 seconds | 10,800 seconds

IKE Phase 2 setup

Property | PolicyBased | RouteBased and Standard or High Performance VPN gateway
--- | --- | ---
IKE Version | IKEv1 | IKEv2
Hashing Algorithm | SHA1 (SHA128), SHA2 (SHA256) | SHA1 (SHA128), SHA2 (SHA256)
Phase 2 Security Association (SA) Lifetime (Time) | 3,600 seconds | 3,600 seconds
Phase 2 Security Association (SA) Lifetime (Throughput) | 102,400,000 KB | -
IPsec SA Encryption & Authentication Offers (in order of preference) | 1. ESP-AES256; 2. ESP-AES128; 3. ESP-3DES; 4. N/A | See RouteBased Gateway IPsec Security Association (SA) Offers (below)
Perfect Forward Secrecy (PFS) | No | No (*)
Dead Peer Detection | Not supported | Supported

(*) Azure Gateway as IKE responder can accept PFS DH Group 1, 2, 5, 14, 24.
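The following added Python example (not from the page or from Azure) encodes the Phase 1 and Phase 2 tables together with the PFS footnote and the MSS note, and reports where an on-premises proposal deviates from them. The proposal dictionary and its key names are this example's own assumptions, not any vendor's configuration syntax.

```python
# Azure VPN gateway IKE/IPsec parameters transcribed from the Phase 1 and Phase 2 tables above.
# PolicyBased gateways negotiate IKEv1; RouteBased (Standard/High Performance) gateways negotiate IKEv2.
AZURE_GATEWAY = {
    "PolicyBased": {
        "ike_version": "IKEv1", "dh_groups": {2}, "p1_encryption": {"AES256", "AES128", "3DES"},
        "p1_hash": {"SHA1"}, "p1_lifetime_s": 28800, "p2_hash": {"SHA1", "SHA256"},
        "p2_lifetime_s": 3600, "pfs_groups": set(), "dpd": False,
    },
    "RouteBased": {
        "ike_version": "IKEv2", "dh_groups": {2}, "p1_encryption": {"AES256", "3DES"},
        "p1_hash": {"SHA1", "SHA256"}, "p1_lifetime_s": 10800, "p2_hash": {"SHA1", "SHA256"},
        "p2_lifetime_s": 3600, "pfs_groups": {1, 2, 5, 14, 24}, "dpd": True,
    },
}
MSS_CLAMP = 1350  # TCP MSS the on-premises device must clamp to, for either gateway type

def check_proposal(gateway_type: str, proposal: dict) -> list[str]:
    """List the ways a constructed on-premises IKE/IPsec proposal deviates from what Azure accepts.

    An empty list means every parameter matches the tables above. The keys of `proposal` are
    this example's own naming (an assumption), not any vendor's configuration syntax.
    """
    spec = AZURE_GATEWAY[gateway_type]
    issues = []
    if proposal["ike_version"] != spec["ike_version"]:
        issues.append(f"{gateway_type} gateways require {spec['ike_version']}")
    if proposal["dh_group"] not in spec["dh_groups"]:
        issues.append(f"Phase 1 DH group {proposal['dh_group']} not supported; use group 2 (1024 bit)")
    if proposal["auth"] != "Pre-Shared Key":
        issues.append("only Pre-Shared Key authentication is supported")
    for phase, key in (("Phase 1", "p1_encryption"), ("Phase 1", "p1_hash"), ("Phase 2", "p2_hash")):
        if proposal[key] not in spec[key]:
            issues.append(f"{phase} {key.split('_')[1]} {proposal[key]} not in {sorted(spec[key])}")
    for phase, key in (("Phase 1", "p1_lifetime_s"), ("Phase 2", "p2_lifetime_s")):
        if proposal[key] != spec[key]:
            issues.append(f"{phase} SA lifetime should be {spec[key]} seconds")
    pfs = proposal.get("pfs_group")
    if pfs is not None:  # PFS: never on PolicyBased; on RouteBased only with Azure as IKE responder
        if pfs not in spec["pfs_groups"]:
            issues.append(f"PFS group {pfs} not accepted by {gateway_type} gateways")
        elif not proposal.get("azure_is_responder", False):
            issues.append("PFS is only accepted when the Azure gateway is the IKE responder")
    if proposal.get("dpd") and not spec["dpd"]:
        issues.append("Dead Peer Detection is not supported on PolicyBased gateways")
    if proposal.get("mss") != MSS_CLAMP:
        issues.append(f"TCP MSS must be clamped at {MSS_CLAMP}")
    return issues
```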

RouteBased Gateway IPsec Security Association (SA) Offers

The following table lists the IPsec SA Encryption and Authentication Offers. Offers are listed in the order of preference in which they are presented or accepted.

IPsec SA Encryption and Authentication Offers | Azure Gateway as initiator | Azure Gateway as responder
--- | --- | ---
1 | ESP AES_256 SHA | ESP AES_128 SHA
2 | ESP AES_128 SHA | ESP 3_DES MD5
3 | ESP 3_DES MD5 | ESP 3_DES SHA
4 | ESP 3_DES SHA | AH SHA1 with ESP AES_128 with null HMAC
5 | AH SHA1 with ESP AES_256 with null HMAC | AH SHA1 with ESP 3_DES with null HMAC
6 | AH SHA1 with ESP AES_128 with null HMAC | AH MD5 with ESP 3_DES with null HMAC, no lifetimes proposed
7 | AH SHA1 with ESP 3_DES with null HMAC | AH SHA1 with ESP 3_DES SHA1, no lifetimes
8 | AH MD5 with ESP 3_DES with null HMAC, no lifetimes proposed | AH MD5 with ESP 3_DES MD5, no lifetimes
9 | AH SHA1 with ESP 3_DES SHA1, no lifetimes | ESP DES MD5
10 | AH MD5 with ESP 3_DES MD5, no lifetimes | ESP DES SHA1, no lifetimes
11 | ESP DES MD5 | AH SHA1 with ESP DES null HMAC, no lifetimes proposed
12 | ESP DES SHA1, no lifetimes | AH MD5 with ESP DES null HMAC, no lifetimes proposed
13 | AH SHA1 with ESP DES null HMAC, no lifetimes proposed | AH SHA1 with ESP DES SHA1, no lifetimes
14 | AH MD5 with ESP DES null HMAC, no lifetimes proposed | AH MD5 with ESP DES MD5, no lifetimes
15 | AH SHA1 with ESP DES SHA1, no lifetimes | ESP SHA, no lifetimes
16 | AH MD5 with ESP DES MD5, no lifetimes | ESP MD5, no lifetimes
17 | - | AH SHA, no lifetimes
18 | - | AH MD5, no lifetimes

  • You can specify IPsec ESP NULL encryption with RouteBased and High Performance VPN gateways. Null-based encryption does not protect data in transit and should only be used when maximum throughput and minimum latency are required. Clients may choose to use this in VNet-to-VNet communication scenarios, or when encryption is being applied elsewhere in the solution.
  • For cross-premises connectivity through the Internet, use the default Azure VPN gateway settings with the encryption and hashing algorithms listed in the tables above to ensure the security of your critical communication.