
Virtual WAN default policies for IPsec connectivity

This article shows the supported IPsec policy combinations.

Default IPsec policies

Note

When working with default policies, Azure can act as both initiator and responder during an IPsec tunnel setup. There is no support for Azure as a responder only.

Initiator

The following sections list the supported policy combinations when Azure is the initiator for the tunnel.

Phase-1

  • AES_256, SHA1, DH_GROUP_2
  • AES_256, SHA_256, DH_GROUP_2
  • AES_128, SHA1, DH_GROUP_2
  • AES_128, SHA_256, DH_GROUP_2

Phase-2

  • GCM_AES_256, GCM_AES_256, PFS_NONE
  • AES_256, SHA_1, PFS_NONE
  • AES_256, SHA_256, PFS_NONE
  • AES_128, SHA_1, PFS_NONE

Responder

The following sections list the supported policy combinations when Azure is the responder for the tunnel.

Phase-1

  • AES_256, SHA1, DH_GROUP_2
  • AES_256, SHA_256, DH_GROUP_2
  • AES_128, SHA1, DH_GROUP_2
  • AES_128, SHA_256, DH_GROUP_2

Phase-2

  • GCM_AES_256, GCM_AES_256, PFS_NONE
  • AES_256, SHA_1, PFS_NONE
  • AES_256, SHA_256, PFS_NONE
  • AES_128, SHA_1, PFS_NONE
  • AES_256, SHA_1, PFS_1
  • AES_256, SHA_1, PFS_2
  • AES_256, SHA_1, PFS_14
  • AES_128, SHA_1, PFS_1
  • AES_128, SHA_1, PFS_2
  • AES_128, SHA_1, PFS_14
  • AES_256, SHA_256, PFS_1
  • AES_256, SHA_256, PFS_2
  • AES_256, SHA_256, PFS_14
  • AES_256, SHA_1, PFS_24
  • AES_256, SHA_256, PFS_24
  • AES_128, SHA_256, PFS_NONE
  • AES_128, SHA_256, PFS_1
  • AES_128, SHA_256, PFS_2
  • AES_128, SHA_256, PFS_14

Custom IPsec policies

When working with custom IPsec policies, keep in mind the following requirements:

  • IKE - For IKE, you can select any parameter from IKE Encryption, plus any parameter from IKE Integrity, plus any parameter from DH Group.
  • IPsec - For IPsec, you can select any parameter from IPsec Encryption, plus any parameter from IPsec Integrity, plus PFS. If any of the parameters for IPsec Encryption or IPsec Integrity is GCM, then the parameters for both settings must be GCM.

Note

With custom IPsec policies, there is no concept of responder and initiator (unlike default IPsec policies). Both sides (on-premises and the Azure VPN gateway) use the same settings for IKE Phase 1 and IKE Phase 2. Both IKEv1 and IKEv2 protocols are supported. There is no support for Azure as a responder only.

Available settings and parameters

Setting            Parameters
IKE Encryption     AES256, AES192, AES128
IKE Integrity      SHA384, SHA256, SHA1
DH Group           DHGroup24, ECP384, ECP256, DHGroup14, DHGroup2048, DHGroup2
IPsec Encryption   GCMAES256, GCMAES192, GCMAES128, AES256, AES192, AES128
IPsec Integrity    GCMAES256, GCMAES192, GCMAES128, SHA256, SHA1
PFS Group          PFS24, ECP384, ECP256, PFS2048, PFS2
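As an added example (this is not Microsoft's code and not part of the original documentation), the following Python validator encodes the custom-policy requirements from the list above together with the parameter table: every setting must come from its row in the table, and IPsec Encryption and IPsec Integrity must either both be GCM or both be non-GCM. The `CustomIpsecPolicy` class, the function names and the advisory list of parameters to avoid are this example's own choices; SA lifetime settings that a real connection also carries are deliberately not modeled.

```python
"""Validate a Virtual WAN custom IPsec policy against the documented rules (example code)."""
from __future__ import annotations

from dataclasses import dataclass

# Allowed values, copied from the "Available settings and parameters" table.
IKE_ENCRYPTION = {"AES256", "AES192", "AES128"}
IKE_INTEGRITY = {"SHA384", "SHA256", "SHA1"}
DH_GROUP = {"DHGroup24", "ECP384", "ECP256", "DHGroup14", "DHGroup2048", "DHGroup2"}
IPSEC_ENCRYPTION = {"GCMAES256", "GCMAES192", "GCMAES128", "AES256", "AES192", "AES128"}
IPSEC_INTEGRITY = {"GCMAES256", "GCMAES192", "GCMAES128", "SHA256", "SHA1"}
PFS_GROUP = {"PFS24", "ECP384", "ECP256", "PFS2048", "PFS2"}

# Editor's advisory list, not a documented Azure requirement: SHA1 and the
# 1024-bit MODP groups (DHGroup2 / PFS2) are accepted by the service but are
# weak by current standards, so a policy review should flag them.
DISCOURAGED = {"SHA1", "DHGroup2", "PFS2"}


@dataclass(frozen=True)
class CustomIpsecPolicy:
    """One custom policy; field names are this example's own (hypothetical)."""
    ike_encryption: str
    ike_integrity: str
    dh_group: str
    ipsec_encryption: str
    ipsec_integrity: str
    pfs_group: str


def validate_policy(policy: CustomIpsecPolicy) -> list[str]:
    """Return the list of rule violations; an empty list means the policy is acceptable."""
    problems: list[str] = []
    checks = [
        ("IKE Encryption", policy.ike_encryption, IKE_ENCRYPTION),
        ("IKE Integrity", policy.ike_integrity, IKE_INTEGRITY),
        ("DH Group", policy.dh_group, DH_GROUP),
        ("IPsec Encryption", policy.ipsec_encryption, IPSEC_ENCRYPTION),
        ("IPsec Integrity", policy.ipsec_integrity, IPSEC_INTEGRITY),
        ("PFS Group", policy.pfs_group, PFS_GROUP),
    ]
    # Rule 1: every setting must be one of the documented parameters.
    for name, value, allowed in checks:
        if value not in allowed:
            problems.append(f"{name} {value!r} is not one of {sorted(allowed)}")

    # Rule 2: GCM must be used for both IPsec Encryption and IPsec Integrity, or for neither.
    enc_is_gcm = policy.ipsec_encryption.startswith("GCM")
    int_is_gcm = policy.ipsec_integrity.startswith("GCM")
    if enc_is_gcm != int_is_gcm:
        problems.append(
            "IPsec Encryption and IPsec Integrity must both be GCM when either is GCM "
            f"(got {policy.ipsec_encryption!r} / {policy.ipsec_integrity!r})"
        )
    return problems


def discouraged_parameters(policy: CustomIpsecPolicy) -> list[str]:
    """Advisory only: documented-but-weak parameters present in the policy."""
    values = [policy.ike_integrity, policy.dh_group, policy.pfs_group]
    return [v for v in values if v in DISCOURAGED]


if __name__ == "__main__":
    # Constructed sample policies for a quick local run.
    strong = CustomIpsecPolicy("AES256", "SHA384", "DHGroup14", "GCMAES256", "GCMAES256", "PFS2048")
    mixed = CustomIpsecPolicy("AES256", "SHA256", "DHGroup14", "GCMAES256", "SHA256", "PFS2048")
    legacy = CustomIpsecPolicy("AES128", "SHA1", "DHGroup2", "AES128", "SHA1", "PFS2")
    for label, p in (("strong", strong), ("mixed", mixed), ("legacy", legacy)):
        print(label, "violations:", validate_policy(p), "advisory:", discouraged_parameters(p))
```

The validator is meant to run as a pre-flight check in deployment tooling, before a policy object is submitted to the gateway, so that a rejected combination is caught at review time rather than as a failed tunnel negotiation.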

Next steps

For steps to configure a custom IPsec policy, see Configure a custom IPsec policy for Virtual WAN. For more information about Virtual WAN, see About Azure Virtual WAN and the Azure Virtual WAN FAQ.