
About Point-to-Site VPN

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet. This article applies to the Resource Manager deployment model.

What protocol does P2S use?

Point-to-Site VPN can use one of the following protocols:

  • OpenVPN® Protocol, an SSL/TLS based VPN protocol. An SSL VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which SSL uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux and Mac devices (OSX versions 10.13 and above).

  • Secure Socket Tunneling Protocol (SSTP), a proprietary SSL-based VPN protocol. An SSL VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which SSL uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP (Windows 7 and later).

  • IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (OSX versions 10.11 and above).

Note

IKEv2 and OpenVPN for P2S are available for the Resource Manager deployment model only. They are not available for the classic deployment model.

How are P2S VPN clients authenticated?

Before Azure accepts a P2S VPN connection, the user has to be authenticated first. There are two mechanisms that Azure offers to authenticate a connecting user.

Authenticate using native Azure certificate authentication

When using native Azure certificate authentication, a client certificate that is present on the device is used to authenticate the connecting user. Client certificates are generated from a trusted root certificate and then installed on each client computer. You can use a root certificate that was generated using an enterprise solution, or you can generate a self-signed certificate.

The validation of the client certificate is performed by the VPN gateway and happens during establishment of the P2S VPN connection. The root certificate is required for the validation and must be uploaded to Azure.

Authenticate using Active Directory (AD) Domain Server

AD Domain authentication allows users to connect to Azure using their organization domain credentials. It requires a RADIUS server that integrates with the AD server. Organizations can also leverage their existing RADIUS deployment. The RADIUS server can be deployed on-premises or in your Azure VNet. During authentication, the Azure VPN Gateway acts as a pass-through and forwards authentication messages back and forth between the RADIUS server and the connecting device, so the gateway must be able to reach the RADIUS server. If the RADIUS server is on-premises, an S2S VPN connection from Azure to the on-premises site is required for reachability. The RADIUS server can also integrate with AD Certificate Services. This lets you use the RADIUS server and your enterprise certificate deployment for P2S certificate authentication as an alternative to Azure certificate authentication. The advantage is that you don't need to upload root certificates and revoked certificates to Azure.

A RADIUS server can also integrate with other external identity systems. This opens up plenty of authentication options for P2S VPN, including multi-factor options.

Note

OpenVPN® Protocol is not supported with RADIUS authentication.


What are the client configuration requirements?

Note

For Windows clients, you must have administrator rights on the client device in order to initiate the VPN connection from the client device to Azure.

Users use the native VPN clients on Windows and Mac devices for P2S. Azure provides a VPN client configuration zip file that contains the settings required by these native clients to connect to Azure.

  • For Windows devices, the VPN client configuration consists of an installer package that users install on their devices.
  • For Mac devices, it consists of the mobileconfig file that users install on their devices.

The zip file also provides the values of some of the important settings on the Azure side that you can use to create your own profile for these devices. Some of the values include the VPN gateway address, configured tunnel types, routes, and the root certificate for gateway validation.

Note

Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. Only Point-to-Site connections are impacted; Site-to-Site connections will not be affected. If you're using TLS for Point-to-Site VPNs on Windows 10 clients, you don't need to take any action. If you are using TLS for Point-to-Site connections on Windows 7 and Windows 8 clients, see the VPN Gateway FAQ for update instructions.

Which gateway SKUs support P2S VPN?

| VPN Gateway Generation | SKU | S2S/VNet-to-VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP | Zone-redundant |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Generation1 | Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps | Not Supported | No |
| Generation1 | VpnGw1 | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | No |
| Generation1 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | No |
| Generation1 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | No |
| Generation1 | VpnGw1AZ | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | Yes |
| Generation1 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | Yes |
| Generation1 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | Yes |
| Generation2 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1.25 Gbps | Supported | No |
| Generation2 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | No |
| Generation2 | VpnGw4 | Max. 30* | Max. 128 | Max. 5000 | 5 Gbps | Supported | No |
| Generation2 | VpnGw5 | Max. 30* | Max. 128 | Max. 10000 | 10 Gbps | Supported | No |
| Generation2 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1.25 Gbps | Supported | Yes |
| Generation2 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | Yes |
| Generation2 | VpnGw4AZ | Max. 30* | Max. 128 | Max. 5000 | 5 Gbps | Supported | Yes |
| Generation2 | VpnGw5AZ | Max. 30* | Max. 128 | Max. 10000 | 10 Gbps | Supported | Yes |

(*) Use Virtual WAN if you need more than 30 S2S VPN tunnels.

  • Resizing of VpnGw SKUs is allowed within the same generation, except resizing of the Basic SKU. The Basic SKU is a legacy SKU and has feature limitations. In order to move from Basic to another VpnGw SKU, you must delete the Basic SKU VPN gateway and create a new gateway with the desired Generation and SKU size combination.

  • These connection limits are separate. For example, you can have 128 SSTP connections and also 250 IKEv2 connections on a VpnGw1 SKU.

  • Pricing information can be found on the Pricing page.

  • SLA (Service Level Agreement) information can be found on the SLA page.

  • On a single tunnel a maximum of 1 Gbps throughput can be achieved. The Aggregate Throughput Benchmark in the above table is based on measurements of multiple tunnels aggregated through a single gateway. The Aggregate Throughput Benchmark for a VPN Gateway is S2S + P2S combined. If you have a lot of P2S connections, it can negatively impact an S2S connection due to throughput limitations. The Aggregate Throughput Benchmark is not a guaranteed throughput due to Internet traffic conditions and your application behaviors.

To help our customers understand the relative performance of SKUs using different algorithms, we used the publicly available iPerf and CTSTraffic tools to measure performance. The table below lists the results of performance tests for Generation 1 VpnGw SKUs. As you can see, the best performance is obtained when the GCMAES256 algorithm is used for both IPsec encryption and integrity. Average performance is obtained with AES256 for IPsec encryption and SHA256 for integrity, and the lowest performance with DES3 for IPsec encryption and SHA256 for integrity.

| Generation | SKU | Algorithms used | Throughput observed | Packets per second observed |
| --- | --- | --- | --- | --- |
| Generation1 | VpnGw1 | GCMAES256 | 650 Mbps | 58,000 |
| Generation1 | VpnGw1 | AES256 & SHA256 | 500 Mbps | 50,000 |
| Generation1 | VpnGw1 | DES3 & SHA256 | 120 Mbps | 50,000 |
| Generation1 | VpnGw2 | GCMAES256 | 1 Gbps | 90,000 |
| Generation1 | VpnGw2 | AES256 & SHA256 | 500 Mbps | 80,000 |
| Generation1 | VpnGw2 | DES3 & SHA256 | 120 Mbps | 55,000 |
| Generation1 | VpnGw3 | GCMAES256 | 1.25 Gbps | 105,000 |
| Generation1 | VpnGw3 | AES256 & SHA256 | 550 Mbps | 90,000 |
| Generation1 | VpnGw3 | DES3 & SHA256 | 120 Mbps | 60,000 |
| Generation1 | VpnGw1AZ | GCMAES256 | 650 Mbps | 58,000 |
| Generation1 | VpnGw1AZ | AES256 & SHA256 | 500 Mbps | 50,000 |
| Generation1 | VpnGw1AZ | DES3 & SHA256 | 120 Mbps | 50,000 |
| Generation1 | VpnGw2AZ | GCMAES256 | 1 Gbps | 90,000 |
| Generation1 | VpnGw2AZ | AES256 & SHA256 | 500 Mbps | 80,000 |
| Generation1 | VpnGw2AZ | DES3 & SHA256 | 120 Mbps | 55,000 |
| Generation1 | VpnGw3AZ | GCMAES256 | 1.25 Gbps | 105,000 |
| Generation1 | VpnGw3AZ | AES256 & SHA256 | 550 Mbps | 90,000 |
| Generation1 | VpnGw3AZ | DES3 & SHA256 | 120 Mbps | 60,000 |

Note

The Basic SKU does not support IKEv2 or RADIUS authentication.

What IKE/IPsec policies are configured on VPN gateways for P2S?

IKEv2

| Cipher | Integrity | PRF | DH Group |
| --- | --- | --- | --- |
| GCM_AES256 | GCM_AES256 | SHA384 | GROUP_24 |
| GCM_AES256 | GCM_AES256 | SHA384 | GROUP_14 |
| GCM_AES256 | GCM_AES256 | SHA384 | GROUP_ECP384 |
| GCM_AES256 | GCM_AES256 | SHA384 | GROUP_ECP256 |
| GCM_AES256 | GCM_AES256 | SHA256 | GROUP_24 |
| GCM_AES256 | GCM_AES256 | SHA256 | GROUP_14 |
| GCM_AES256 | GCM_AES256 | SHA256 | GROUP_ECP384 |
| GCM_AES256 | GCM_AES256 | SHA256 | GROUP_ECP256 |
| AES256 | SHA384 | SHA384 | GROUP_24 |
| AES256 | SHA384 | SHA384 | GROUP_14 |
| AES256 | SHA384 | SHA384 | GROUP_ECP384 |
| AES256 | SHA384 | SHA384 | GROUP_ECP256 |
| AES256 | SHA256 | SHA256 | GROUP_24 |
| AES256 | SHA256 | SHA256 | GROUP_14 |
| AES256 | SHA256 | SHA256 | GROUP_ECP384 |
| AES256 | SHA256 | SHA256 | GROUP_ECP256 |
| AES256 | SHA256 | SHA256 | GROUP_2 |

IPsec

| Cipher | Integrity | PFS Group |
| --- | --- | --- |
| GCM_AES256 | GCM_AES256 | GROUP_NONE |
| GCM_AES256 | GCM_AES256 | GROUP_24 |
| GCM_AES256 | GCM_AES256 | GROUP_14 |
| GCM_AES256 | GCM_AES256 | GROUP_ECP384 |
| GCM_AES256 | GCM_AES256 | GROUP_ECP256 |
| AES256 | SHA256 | GROUP_NONE |
| AES256 | SHA256 | GROUP_24 |
| AES256 | SHA256 | GROUP_14 |
| AES256 | SHA256 | GROUP_ECP384 |
| AES256 | SHA256 | GROUP_ECP256 |
| AES256 | SHA1 | GROUP_NONE |

What TLS policies are configured on VPN gateways for P2S?

TLS

Policies:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256

How do I configure a P2S connection?

A P2S configuration requires quite a few specific steps. The following articles contain the steps to walk you through P2S configuration, and links to configure the VPN client devices:

How do I remove the configuration of a P2S connection?

A P2S configuration can be removed using the Azure CLI (az) and the following command:

az network vnet-gateway update --name <gateway-name> --resource-group <resource-group name> --remove "vpnClientConfiguration"

FAQ for native Azure certificate authentication

How many VPN client endpoints can I have in my Point-to-Site configuration?

It depends on the gateway SKU. For more information on the number of connections supported, see Gateway SKUs.

What client operating systems can I use with Point-to-Site?

The following client operating systems are supported:

  • Windows 7 (32-bit and 64-bit)
  • Windows Server 2008 R2 (64-bit only)
  • Windows 8.1 (32-bit and 64-bit)
  • Windows Server 2012 (64-bit only)
  • Windows Server 2012 R2 (64-bit only)
  • Windows Server 2016 (64-bit only)
  • Windows 10
  • Mac OS X version 10.11 or above
  • Linux (StrongSwan)
  • iOS

Note

Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. To maintain support, see the updates to enable support for TLS 1.2.

Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:

  • RC4 (Rivest Cipher 4)
  • DES (Data Encryption Algorithm)
  • 3DES (Triple Data Encryption Algorithm)
  • MD5 (Message Digest 5)

How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?

  1. Open a command prompt with elevated privileges by right-clicking on Command Prompt and selecting Run as administrator.

  2. Run the following commands in the command prompt:

    reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v TlsVersion /t REG_DWORD /d 0xfc0
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
    if %PROCESSOR_ARCHITECTURE% EQU AMD64 reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0

  3. Install the following updates:

  4. Reboot the computer.

  5. Connect to the VPN.

Note

You will have to set the above registry key if you are running an older version of Windows 10 (10240).

Can I traverse proxies and firewalls using Point-to-Site capability?

Azure supports three types of Point-to-Site VPN options:

  • Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-based solution that can penetrate firewalls, since most firewalls open outbound TCP port 443, which SSL uses.

  • OpenVPN. OpenVPN is an SSL-based solution that can penetrate firewalls, since most firewalls open outbound TCP port 443, which SSL uses.

  • IKEv2 VPN. IKEv2 VPN is a standards-based IPsec VPN solution that uses outbound UDP ports 500 and 4500 and IP protocol number 50. Firewalls do not always open these ports, so there is a possibility of IKEv2 VPN not being able to traverse proxies and firewalls.

If I restart a client computer configured for Point-to-Site, will the VPN automatically reconnect?

By default, the client computer will not reestablish the VPN connection automatically.

Does Point-to-Site support auto-reconnect and DDNS on the VPN clients?

Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.

Can I have Site-to-Site and Point-to-Site configurations coexist for the same virtual network?

Yes. For the Resource Manager deployment model, you must have a RouteBased VPN type for your gateway. For the classic deployment model, you need a dynamic gateway. We do not support Point-to-Site for static routing VPN gateways or PolicyBased VPN gateways.

Can I configure a Point-to-Site client to connect to multiple virtual networks at the same time?

No. A Point-to-Site client can only connect to resources in the VNet in which the virtual network gateway resides.

How much throughput can I expect through Site-to-Site or Point-to-Site connections?

It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols. Throughput is also limited by the latency and bandwidth between your premises and the Internet. For a VPN Gateway with only IKEv2 Point-to-Site VPN connections, the total throughput that you can expect depends on the Gateway SKU. For more information on throughput, see Gateway SKUs.

Can I use any software VPN client for Point-to-Site that supports SSTP and/or IKEv2?

No. You can only use the native VPN client on Windows for SSTP, and the native VPN client on Mac for IKEv2. However, you can use the OpenVPN client on all platforms to connect over the OpenVPN protocol. Refer to the list of supported client operating systems.

Does Azure support IKEv2 VPN with Windows?

IKEv2 is supported on Windows 10 and Server 2016. However, in order to use IKEv2, you must install updates and set a registry key value locally. OS versions prior to Windows 10 are not supported and can only use SSTP or OpenVPN® Protocol.

To prepare Windows 10 or Server 2016 for IKEv2:

  1. Install the update.

    | OS version | Date | Number/Link |
    | --- | --- | --- |
    | Windows Server 2016, Windows 10 Version 1607 | January 17, 2018 | KB4057142 |
    | Windows 10 Version 1703 | January 17, 2018 | KB4057144 |
    | Windows 10 Version 1709 | March 22, 2018 | KB4089848 |

  2. Set the registry key value. Create or set the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2\DisableCertReqPayload" REG_DWORD key in the registry to 1.

What happens when I configure both SSTP and IKEv2 for P2S VPN connections?

When you configure both SSTP and IKEv2 in a mixed environment (consisting of Windows and Mac devices), the Windows VPN client will always try the IKEv2 tunnel first, but will fall back to SSTP if the IKEv2 connection is not successful. MacOSX will only connect via IKEv2.

Other than Windows and Mac, which other platforms does Azure support for P2S VPN?

Azure supports Windows, Mac and Linux for P2S VPN.

I already have an Azure VPN Gateway deployed. Can I enable RADIUS and/or IKEv2 VPN on it?

Yes, you can enable these new features on already deployed gateways using PowerShell or the Azure portal, provided that the gateway SKU that you are using supports RADIUS and/or IKEv2. For example, the VPN gateway Basic SKU does not support RADIUS or IKEv2.

Can I use my own internal PKI root CA to generate certificates for Point-to-Site connectivity?

Yes. Previously, only self-signed root certificates could be used. You can still upload 20 root certificates.

Can I use certificates from Azure Key Vault?

No.

What tools can I use to create certificates?

You can use your enterprise PKI solution (your internal PKI), Azure PowerShell, MakeCert, and OpenSSL.

Are there instructions for certificate settings and parameters?

  • Internal PKI/Enterprise PKI solution: See the steps to generate certificates.

  • Azure PowerShell: See the Azure PowerShell article for steps.

  • MakeCert: See the MakeCert article for steps.

  • OpenSSL:

    • When exporting certificates, be sure to convert the root certificate to Base64.

    • For the client certificate:

      • When creating the private key, specify the length as 4096.
      • When creating the certificate, for the -extensions parameter, specify usr_cert.
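The following shell script is an added example, not code from this article or from Azure. It walks through the certificate model described under "Authenticate using native Azure certificate authentication" with the OpenSSL parameters listed above: a root certificate issues a client certificate (4096-bit key, usr_cert extensions), only the root's public certificate is exported as one-line Base64 for upload, and the gateway-side validation is mimicked with `openssl verify`, including the case of a client certificate issued by a root that was never uploaded. The subject names (P2SRootCert, P2SChildCert), the file names and the local ca.cnf are assumptions for this example; it uses only the openssl command line and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the Azure docs): P2S certificate issuance and
# validation with OpenSSL. Names and file layout are assumptions.

# Write a minimal OpenSSL config so the example does not depend on the system
# openssl.cnf having a usr_cert section. The [usr_cert] section is what the
# "-extensions usr_cert" parameter selects for the client certificate.
p2s_write_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no

[dn]
CN = P2SRootCert

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[usr_cert]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# Create a self-signed root and one client certificate under $1/.
# The client key is 4096 bits and the certificate uses the usr_cert extensions.
p2s_make_certs() {
  dir="$1"
  mkdir -p "$dir"
  p2s_write_cnf "$dir/ca.cnf"
  openssl req -x509 -new -newkey rsa:4096 -nodes -days 3650 \
    -config "$dir/ca.cnf" -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  openssl genrsa -out "$dir/client.key" 4096 2>/dev/null
  openssl req -new -key "$dir/client.key" -subj "/CN=P2SChildCert" \
    -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 365 -extfile "$dir/ca.cnf" -extensions usr_cert \
    -out "$dir/client.crt" 2>/dev/null
}

# Export the root's public certificate as the one-line Base64 string the gateway
# needs (the PEM body without the BEGIN/END lines). The root private key stays
# on the issuing machine; only the public certificate is uploaded.
p2s_root_base64() {
  grep -v -- '-----' "$1" | tr -d '\n'
}

# Mimic the gateway's check: the presented client certificate must chain to the
# uploaded root. Returns 0 if it does, non-zero otherwise. A certificate issued
# by a different root fails even when that root carries the same subject name,
# because the signature does not verify against the uploaded root's key.
p2s_validate_client() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Confirm the client material matches the stated parameters: 4096-bit key and
# the client-authentication extended key usage from the usr_cert section.
p2s_client_is_well_formed() {
  openssl rsa -in "$1/client.key" -noout -text 2>/dev/null | grep -q '4096 bit' &&
  openssl x509 -in "$1/client.crt" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Stand-alone demo: issue certificates, print the upload string, then show that
# a certificate from an unrelated (never uploaded) root is rejected.
p2s_demo() {
  work="$(mktemp -d)"
  p2s_make_certs "$work/lab"
  p2s_make_certs "$work/other"
  echo "Root certificate data to upload (Base64, truncated): $(p2s_root_base64 "$work/lab/root.crt" | cut -c1-40)..."
  if p2s_validate_client "$work/lab/root.crt" "$work/lab/client.crt"; then
    echo "client.crt chains to the uploaded root: accepted"
  fi
  if ! p2s_validate_client "$work/lab/root.crt" "$work/other/client.crt"; then
    echo "client.crt from an unrelated root: rejected"
  fi
  rm -rf "$work"
}

if [ "${P2S_DEMO:-0}" = 1 ]; then
  p2s_demo
fi
```

Run it with `P2S_DEMO=1 sh p2s-certs.sh` to see the full round trip. The point to carry over to the real deployment is the last check: the gateway trusts whatever it can chain to an uploaded root, so the root private key, not the root's name, is the credential that needs protecting, and a root that is no longer trusted has to be removed from the gateway (or its client certificates revoked there) rather than merely retired on the issuing side.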

RADIUS 身份验证常见问题解答FAQ for RADIUS authentication

在我的点到站点配置中,可以有多少 VPN 客户端终结点?How many VPN client endpoints can I have in my Point-to-Site configuration?

这取决于网关 SKU。It depends on the gateway SKU. 有关支持的连接数的详细信息,请参阅网关 SKUFor more information on the number of connections supported, see Gateway SKUs.

点到站点连接可以用于哪些客户端操作系统?What client operating systems can I use with Point-to-Site?

支持以下客户端操作系统:The following client operating systems are supported:

  • Windows 7(32 位和 64 位)Windows 7 (32-bit and 64-bit)
  • Windows Server 2008 R2(仅 64 位)Windows Server 2008 R2 (64-bit only)
  • Windows 8.1(32 位和 64 位)Windows 8.1 (32-bit and 64-bit)
  • Windows Server 2012(仅 64 位)Windows Server 2012 (64-bit only)
  • Windows Server 2012 R2(仅 64 位)Windows Server 2012 R2 (64-bit only)
  • Windows Server 2016(仅 64 位)Windows Server 2016 (64-bit only)
  • Windows 10Windows 10
  • Mac OS X 版本 10.11 或更高版本Mac OS X version 10.11 or above
  • Linux (StrongSwan)Linux (StrongSwan)
  • iOSiOS

备注

从 2018 年 7 月 1 日开始,Azure VPN 网关将不再支持 TLS 1.0 和 1.1。Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN 网关将仅支持 TLS 1.2。VPN Gateway will support only TLS 1.2. 若要维持支持,请参阅更新以支持 TLS1.2To maintain support, see the updates to enable support for TLS1.2.

此外,TLS 也将于 2018 年 7 月 1 日起弃用以下旧算法:Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:

  • RC4 (Rivest Cipher 4)RC4 (Rivest Cipher 4)
  • DES(数据加密算法)DES (Data Encryption Algorithm)
  • 3DES(三重数据加密算法)3DES (Triple Data Encryption Algorithm)
  • MD5(消息摘要 5)MD5 (Message Digest 5)

如何在 Windows 7 和 Windows 8.1 中启用对 TLS 1.2 的支持?How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?

  1. 右键单击“命令提示符”并选择“以管理员身份运行”,使用提升的权限打开命令提示符。Open a command prompt with elevated privileges by right-clicking on Command Prompt and selecting Run as administrator.

  2. 请在命令提示符处运行以下命令:Run the following commands in the command prompt:

    reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v TlsVersion /t REG_DWORD /d 0xfc0
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
    if %PROCESSOR_ARCHITECTURE% EQU AMD64 reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
    
  3. 安装以下更新:Install the following updates:

  4. 重新启动计算机。Reboot the computer.

  5. 连接到 VPN。Connect to the VPN.

备注

如果运行的是旧版本的 Windows 10 (10240),则必须设置上述注册表项。You will have to set the above registry key if you are running an older version of Windows 10 (10240).

能否使用点到站点功能穿越代理和防火墙?Can I traverse proxies and firewalls using Point-to-Site capability?

Azure 支持三种类型的点到站点 VPN 选项:Azure supports three types of Point-to-site VPN options:

  • 安全套接字隧道协议 (SSTP)。Secure Socket Tunneling Protocol (SSTP). SSTP 是 Microsoft 专用的基于 SSL 的解决方案,它可以穿透防火墙,因为大多数防火墙都打开 443 SSL 使用的出站 TCP 端口。SSTP is a Microsoft proprietary SSL-based solution that can penetrate firewalls since most firewalls open the outbound TCP port that 443 SSL uses.

  • OpenVPN.OpenVPN. OpenVPN 是一个基于 SSL 的解决方案,它可以穿透防火墙,因为大多数防火墙都打开 443 SSL 使用的出站 TCP 端口。OpenVPN is a SSL-based solution that can penetrate firewalls since most firewalls open the outbound TCP port that 443 SSL uses.

  • IKEv2 VPN。IKEv2 VPN. IKEv2 VPN 是一种基于标准的 IPsec VPN 解决方案,它使用出站 UDP 端口500和4500以及 IP 协议 no。IKEv2 VPN is a standards-based IPsec VPN solution that uses outbound UDP ports 500 and 4500 and IP protocol no. 50。50. 防火墙并非始终打开这些端口,因此,IKEv2 VPN 有可能无法穿过代理和防火墙。Firewalls do not always open these ports, so there is a possibility of IKEv2 VPN not being able to traverse proxies and firewalls.

If I restart a client computer configured for Point-to-Site, will the VPN automatically reconnect?

By default, the client computer will not reestablish the VPN connection automatically.

Does Point-to-Site support auto-reconnect and DDNS on the VPN clients?

Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.

Can I have Site-to-Site and Point-to-Site configurations coexist for the same virtual network?

Yes. For the Resource Manager deployment model, you must have a RouteBased VPN type for your gateway. For the classic deployment model, you need a dynamic gateway. We do not support Point-to-Site for static routing VPN gateways or PolicyBased VPN gateways.

Can I configure a Point-to-Site client to connect to multiple virtual networks at the same time?

No. A Point-to-Site client can only connect to resources in the VNet in which the virtual network gateway resides.

How much throughput can I expect through Site-to-Site or Point-to-Site connections?

It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols. Throughput is also limited by the latency and bandwidth between your premises and the Internet. For a VPN Gateway with only IKEv2 Point-to-Site VPN connections, the total throughput that you can expect depends on the Gateway SKU. For more information on throughput, see Gateway SKUs.

Can I use any software VPN client for Point-to-Site that supports SSTP and/or IKEv2?

No. You can only use the native VPN client on Windows for SSTP, and the native VPN client on Mac for IKEv2. However, you can use the OpenVPN client on all platforms to connect over the OpenVPN protocol. Refer to the list of supported client operating systems.

Does Azure support IKEv2 VPN with Windows?

IKEv2 is supported on Windows 10 and Server 2016. However, in order to use IKEv2, you must install updates and set a registry key value locally. OS versions prior to Windows 10 are not supported and can only use SSTP or the OpenVPN® Protocol.

To prepare Windows 10 or Server 2016 for IKEv2:

  1. Install the update for your OS version.

    OS version                  Date               Number/Link
    Windows Server 2016         January 17, 2018   KB4057142
    Windows 10 Version 1607     January 17, 2018   KB4057142
    Windows 10 Version 1703     January 17, 2018   KB4057144
    Windows 10 Version 1709     March 22, 2018     KB4089848

  2. Set the registry key value. Create the REG_DWORD value "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2\DisableCertReqPayload" in the registry, or set it if it already exists, to 1.
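The two preparation steps above, as an added PowerShell example that is not part of the Azure documentation: it checks whether the listed update is present for the running build and sets the registry value idempotently. The mapping from Windows build number to KB is assumed from the table above (build 14393 = Server 2016 / Windows 10 1607, 15063 = 1703, 16299 = 1709); run it in an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's code. Prepares a Windows 10 / Server 2016 client for IKEv2 P2S.

# Assumed mapping of CurrentBuild -> required update, taken from the table above.
$requiredKb = @{
    '14393' = 'KB4057142'   # Windows Server 2016 and Windows 10 Version 1607
    '15063' = 'KB4057144'   # Windows 10 Version 1703
    '16299' = 'KB4089848'   # Windows 10 Version 1709
}

# Step 1: confirm the update for this build is installed.
$build = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
if (-not $requiredKb.ContainsKey($build)) {
    Write-Warning "Build $build is not one of the versions listed above; IKEv2 P2S needs Windows 10 or Server 2016 with the listed update."
} else {
    $kb = $requiredKb[$build]
    # Get-HotFix lists an update only while it is the latest installed; a later
    # cumulative update that supersedes it will not show the old KB number.
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
        Write-Host "$kb is installed."
    } else {
        Write-Warning "$kb not found by Get-HotFix; install it (or a later cumulative update) before connecting over IKEv2."
    }
}

# Step 2: create or set the DisableCertReqPayload REG_DWORD value to 1.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2'
$valueName = 'DisableCertReqPayload'

if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null          # key does not exist yet; create it
}
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -ne 1) {
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "$valueName set to 1 (previous value: $current)"
} else {
    Write-Host "$valueName is already 1; nothing to change."
}
```

The RasMan service reads this value when a connection is started, so an existing VPN session is not affected until it is reconnected.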

What happens when I configure both SSTP and IKEv2 for P2S VPN connections?

When you configure both SSTP and IKEv2 in a mixed environment (consisting of Windows and Mac devices), the Windows VPN client will always try the IKEv2 tunnel first, but will fall back to SSTP if the IKEv2 connection is not successful. MacOSX will only connect via IKEv2.

Other than Windows and Mac, which other platforms does Azure support for P2S VPN?

Azure supports Windows, Mac and Linux for P2S VPN.

I already have an Azure VPN Gateway deployed. Can I enable RADIUS and/or IKEv2 VPN on it?

Yes, you can enable these new features on already deployed gateways using PowerShell or the Azure portal, provided that the gateway SKU that you are using supports RADIUS and/or IKEv2. For example, the VPN gateway Basic SKU does not support RADIUS or IKEv2.

Is RADIUS authentication supported on all Azure VPN Gateway SKUs?

RADIUS authentication is supported for VpnGw1, VpnGw2, and VpnGw3 SKUs. If you are using legacy SKUs, RADIUS authentication is supported on Standard and High Performance SKUs. It is not supported on the Basic Gateway SKU.

Is RADIUS authentication supported for the classic deployment model?

No. RADIUS authentication is not supported for the classic deployment model.

Are 3rd-party RADIUS servers supported?

Yes, 3rd-party RADIUS servers are supported.

What are the connectivity requirements to ensure that the Azure gateway is able to reach an on-premises RADIUS server?

A VPN Site-to-Site connection to the on-premises site, with the proper routes configured, is required.

Can traffic to an on-premises RADIUS server (from the Azure VPN gateway) be routed over an ExpressRoute connection?

No. It can only be routed over a Site-to-Site connection.

Is there a change in the number of SSTP connections supported with RADIUS authentication? What is the maximum number of SSTP and IKEv2 connections supported?

There is no change in the maximum number of SSTP connections supported on a gateway with RADIUS authentication. It remains 128 for SSTP, but depends on the gateway SKU for IKEv2. For more information on the number of connections supported, see Gateway SKUs.

What is the difference between doing certificate authentication using a RADIUS server vs. using Azure native certificate authentication (by uploading a trusted certificate to Azure)?

In RADIUS certificate authentication, the authentication request is forwarded to a RADIUS server that handles the actual certificate validation. This option is useful if you want to integrate with a certificate authentication infrastructure that you already have through RADIUS.

When using Azure for certificate authentication, the Azure VPN gateway performs the validation of the certificate. You need to upload your certificate public key to the gateway. You can also specify a list of revoked certificates that shouldn't be allowed to connect.

Does RADIUS authentication work with both IKEv2 and SSTP VPN?

Yes, RADIUS authentication is supported for both IKEv2 and SSTP VPN.

Does RADIUS authentication work with the OpenVPN client?

RADIUS authentication is not supported for the OpenVPN client.

Next Steps

"OpenVPN" is a trademark of OpenVPN Inc.