
Configure a Point-to-Site connection to a VNet using RADIUS authentication: PowerShell

This article shows you how to create a VNet with a Point-to-Site connection that uses RADIUS authentication. This configuration is only available for the Resource Manager deployment model.

A Point-to-Site (P2S) VPN gateway lets you create a secure connection to your virtual network from an individual client computer. Point-to-Site VPN connections are useful when you want to connect to your VNet from a remote location, such as when you are telecommuting from home or a conference. A P2S VPN is also a useful alternative to a Site-to-Site VPN when only a few clients need to connect to a VNet.

A P2S VPN connection is started from Windows and Mac devices. Connecting clients can use the following authentication methods:

  • RADIUS server
  • VPN Gateway native certificate authentication

This article helps you configure a P2S configuration that authenticates users against a RADIUS server. If you want to authenticate using generated certificates and VPN gateway native certificate authentication instead, see Configure a Point-to-Site connection to a VNet using VPN gateway native certificate authentication.

Connection diagram - RADIUS

Point-to-Site connections do not require a VPN device or a public-facing IP address. P2S creates the VPN connection over either SSTP (Secure Socket Tunneling Protocol) or IKEv2.

  • SSTP is an SSL-based VPN tunnel that is supported only on Windows client platforms. It can traverse firewalls, which makes it an ideal option for connecting to Azure from anywhere. On the server side, SSTP versions 1.0, 1.1, and 1.2 are supported. The client decides which version to use. For Windows 8.1 and above, SSTP uses 1.2 by default.

  • IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (OSX versions 10.11 and above).

P2S connections require the following:

  • A RouteBased VPN gateway.
  • A RADIUS server to handle user authentication. The RADIUS server can be deployed on-premises or in the Azure VNet.
  • A VPN client configuration package for the Windows devices that will connect to the VNet. A VPN client configuration package provides the settings required for a VPN client to connect over P2S.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

About Active Directory (AD) Domain Authentication for P2S VPNs

AD Domain authentication allows users to sign in to Azure using their organization domain credentials. It requires a RADIUS server that integrates with the AD server. Organizations can also use their existing RADIUS deployment.

The RADIUS server can reside on-premises or in your Azure VNet. During authentication, the VPN gateway acts as a pass-through and forwards authentication messages back and forth between the RADIUS server and the connecting device. The VPN gateway must therefore be able to reach the RADIUS server. If the RADIUS server is located on-premises, a VPN Site-to-Site connection from Azure to the on-premises site is required.

Apart from Active Directory, a RADIUS server can also integrate with other external identity systems. This opens up plenty of authentication options for Point-to-Site VPNs, including MFA options. Check your RADIUS server vendor documentation for the list of identity systems it integrates with.


Important

Only a VPN Site-to-Site connection can be used for reaching a RADIUS server on-premises. An ExpressRoute connection cannot be used.

Before beginning

Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a free account.

This article uses PowerShell cmdlets. To run the cmdlets, you can use Azure Cloud Shell, an interactive shell environment hosted in Azure and used through the browser. Azure Cloud Shell comes with the Azure PowerShell cmdlets pre-installed.

To run any code contained in this article on Azure Cloud Shell, open a Cloud Shell session, use the Copy button on a code block to copy the code, and paste it into the Cloud Shell session with Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS. Pasted text is not automatically executed, so press Enter to run the code.

You can launch Azure Cloud Shell with:

  • Select Try It in the upper-right corner of a code block. This does not automatically copy the text to Cloud Shell.
  • Open shell.azure.com in your browser.
  • Select the Cloud Shell button on the menu in the upper-right corner of the Azure portal.

Running PowerShell locally

You can also install and run the Azure PowerShell cmdlets locally on your computer. PowerShell cmdlets are updated frequently. If you are not running the latest version, the values specified in the instructions may fail. To find the versions of Azure PowerShell installed on your computer, use the Get-Module -ListAvailable Az cmdlet. To install or update, see Install the Azure PowerShell module.

Example values

You can use the example values to create a test environment, or refer to these values to better understand the examples in this article. You can either use the steps as a walk-through and use the values without changing them, or change them to reflect your environment.

  • Name: VNet1
  • Address space: 192.168.0.0/16 and 10.254.0.0/16
    For this example, we use more than one address space to illustrate that this configuration works with multiple address spaces. However, multiple address spaces are not required for this configuration.
  • Subnet name: FrontEnd
    • Subnet address range: 192.168.1.0/24
  • Subnet name: BackEnd
    • Subnet address range: 10.254.1.0/24
  • Subnet name: GatewaySubnet
    The subnet name GatewaySubnet is mandatory for the VPN gateway to work.
    • GatewaySubnet address range: 192.168.200.0/24
  • VPN client address pool: 172.16.201.0/24
    VPN clients that connect to the VNet using this Point-to-Site connection receive an IP address from the VPN client address pool. This range must not overlap the VNet address space or the network the clients connect from.
  • Subscription: If you have more than one subscription, verify that you are using the correct one.
  • Resource Group: TestRG
  • Location: East US
  • DNS Server: IP address of the DNS server that you want to use for name resolution for your VNet. (optional)
  • GW Name: VNet1GW
  • Public IP name: VNet1GWPIP
  • VpnType: RouteBased

Sign in and set variables

Open your PowerShell console with elevated privileges.

If you are running Azure PowerShell locally, connect to your Azure account. The Connect-AzAccount cmdlet prompts you for credentials. After authenticating, it downloads your account settings so that they are available to Azure PowerShell. If you are not running PowerShell locally and are instead using the Azure Cloud Shell 'Try it' in the browser, skip this first step; you are connected to your Azure account automatically.

Connect-AzAccount

If you have more than one subscription, get a list of your Azure subscriptions.

Get-AzSubscription

Specify the subscription that you want to use.

Select-AzSubscription -SubscriptionName "Name of subscription"

Declare variables

Declare the variables that you want to use. Use the following sample, substituting your own values where necessary. If you close your PowerShell/Cloud Shell session at any point during the exercise, just copy and paste the values again to re-declare the variables. The values match the example values above; in particular the GatewaySubnet prefix is the same /24 used when the subnet is created below.

$VNetName  = "VNet1"
$FESubName = "FrontEnd"
$BESubName = "BackEnd"
$GWSubName = "GatewaySubnet"
$VNetPrefix1 = "192.168.0.0/16"
$VNetPrefix2 = "10.254.0.0/16"
$FESubPrefix = "192.168.1.0/24"
$BESubPrefix = "10.254.1.0/24"
$GWSubPrefix = "192.168.200.0/24"
$VPNClientAddressPool = "172.16.201.0/24"
$RG = "TestRG"
$Location = "East US"
$GWName = "VNet1GW"
$GWIPName = "VNet1GWPIP"
$GWIPconfName = "gwipconf"

1. Create the resource group, VNet, and Public IP address

The following steps create a resource group and, in it, a virtual network with three subnets. When substituting values, always name the gateway subnet exactly 'GatewaySubnet'. If you name it anything else, gateway creation fails. The commands use the variables declared above.

  1. Create the resource group.

    New-AzResourceGroup -Name $RG -Location $Location
    
  2. Create the subnet configurations for the virtual network, naming them FrontEnd, BackEnd, and GatewaySubnet. These prefixes must fall within the VNet address space that you declared.

    $fesub = New-AzVirtualNetworkSubnetConfig -Name $FESubName -AddressPrefix $FESubPrefix
    $besub = New-AzVirtualNetworkSubnetConfig -Name $BESubName -AddressPrefix $BESubPrefix
    $gwsub = New-AzVirtualNetworkSubnetConfig -Name $GWSubName -AddressPrefix $GWSubPrefix
    
  3. Create the virtual network.

    In this example, the -DnsServer parameter is optional. Specifying a value does not create a new DNS server. The DNS server IP address that you specify should be a DNS server that can resolve the names of the resources you are connecting to from your VNet. For this example we used a private IP address, but it is unlikely to be the IP address of your DNS server; be sure to use your own value. The value you specify is used by the resources that you deploy to the VNet, not by the P2S connection itself.

    New-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RG -Location $Location -AddressPrefix $VNetPrefix1,$VNetPrefix2 -Subnet $fesub,$besub,$gwsub -DnsServer 10.2.1.3
    
  4. A VPN gateway must have a Public IP address. You first request the IP address resource, and then refer to it when creating your virtual network gateway. The IP address is dynamically assigned to the resource when the VPN gateway is created. VPN Gateway currently only supports Dynamic Public IP address allocation; you cannot request a Static Public IP address assignment. However, this does not mean that the IP address changes after it has been assigned to your VPN gateway. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

    Specify the variables to request a dynamically assigned Public IP address.

    $vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RG
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name $GWSubName -VirtualNetwork $vnet
    $pip = New-AzPublicIpAddress -Name $GWIPName -ResourceGroupName $RG -Location $Location -AllocationMethod Dynamic
    $ipconf = New-AzVirtualNetworkGatewayIpConfig -Name $GWIPconfName -Subnet $subnet -PublicIpAddress $pip
    
    

2. Set up your RADIUS server

Before creating and configuring the virtual network gateway, your RADIUS server should be configured correctly for authentication.

  1. If you don't have a RADIUS server deployed, deploy one. For deployment steps, refer to the setup guide provided by your RADIUS vendor.
  2. Configure the VPN gateway as a RADIUS client on the RADIUS server. When adding this RADIUS client, specify the address range of the virtual network GatewaySubnet that you created: the gateway's RADIUS requests originate from addresses inside that subnet, not from the gateway's public IP address. Make sure the RADIUS server, and any NSG or firewall in front of it, accepts the standard RADIUS authentication port (UDP 1812) from that range.
  3. Once the RADIUS server is set up, get the RADIUS server's IP address and the shared secret that RADIUS clients should use to talk to it. If the RADIUS server is in the Azure VNet, use the private IP address of the RADIUS server VM.

The Network Policy Server (NPS) article provides guidance about configuring a Windows RADIUS server (NPS) for AD domain authentication.

3. Create the VPN gateway

Configure and create the VPN gateway for your VNet.

  • The -GatewayType must be 'Vpn' and the -VpnType must be 'RouteBased'.
  • A VPN gateway can take up to 45 minutes to complete, depending on the gateway SKU you select. Choose a SKU that supports RADIUS and IKEv2; the Basic SKU does not (see the FAQ below).

New-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG `
-Location $Location -IpConfigurations $ipconf -GatewayType Vpn `
-VpnType RouteBased -EnableBgp $false -GatewaySku VpnGw1

4. Add the RADIUS server and client address pool

  • -RadiusServerAddress can be specified by name or by IP address. If you specify a name and the server resides on-premises, the VPN gateway may not be able to resolve it. In that case, specify the IP address of the server instead.
  • -RadiusServerSecret must match what is configured on your RADIUS server. The shared secret is what authenticates the gateway to the RADIUS server and protects the RADIUS exchange, so use a long, random value rather than a short password, and handle it as a credential.
  • -VpnClientAddressPool is the range from which connecting VPN clients receive an IP address. Use a private IP address range that does not overlap with the on-premises location that you connect from, or with the VNet that you want to connect to. Ensure that the pool is large enough for the number of concurrent clients you expect.
  1. Create a secure string for the RADIUS secret.

    $Secure_Secret=Read-Host -AsSecureString -Prompt "RadiusSecret"
    
  2. You are prompted to enter the RADIUS secret. The characters that you enter are not displayed and are replaced by the "*" character instead.

    RadiusSecret:***
    
  3. Add the VPN client address pool and the RADIUS server information.

    For SSTP configurations:

    $Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway `
    -VpnClientAddressPool "172.16.201.0/24" -VpnClientProtocol "SSTP" `
    -RadiusServerAddress "10.51.0.15" -RadiusServerSecret $Secure_Secret
    

    For IKEv2 configurations:

    $Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway `
    -VpnClientAddressPool "172.16.201.0/24" -VpnClientProtocol "IKEv2" `
    -RadiusServerAddress "10.51.0.15" -RadiusServerSecret $Secure_Secret
    

    For SSTP + IKEv2:

    $Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway `
    -VpnClientAddressPool "172.16.201.0/24" -VpnClientProtocol @( "SSTP", "IkeV2" ) `
    -RadiusServerAddress "10.51.0.15" -RadiusServerSecret $Secure_Secret
    
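The following script is an added example and is not code from the original article. It ties steps 3 and 4 together and adds the two checks the text above assumes but never shows: that the client address pool does not overlap any VNet prefix, and that the RADIUS address, pool and protocols were actually stored on the gateway after Set-AzVirtualNetworkGateway returns. It reuses the variables declared earlier in the article. $RadiusServerIp is an assumed placeholder (the article's own example uses 10.51.0.15); replace it with the private IP address of your RADIUS server. It requires the Az.Network module and a signed-in session.

```powershell
# Added example, not from the original article: configure P2S with RADIUS and
# verify the result. Uses the variables declared earlier ($RG, $GWName,
# $VNetPrefix1, $VNetPrefix2, $VPNClientAddressPool).
$RadiusServerIp = "10.51.0.15"   # assumed placeholder; use your RADIUS server's private IP

# Split "a.b.c.d/len" into a network number, mask and prefix length (IPv4 only).
function ConvertTo-NetworkAndMask {
    param([string]$Cidr)
    if ($Cidr -notmatch '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$') { throw "Not an IPv4 CIDR prefix: $Cidr" }
    $ip, $len = $Cidr.Split('/')
    $len = [int]$len
    if ($len -gt 32) { throw "Bad prefix length in $Cidr" }
    $addr = [int64]0
    foreach ($b in [System.Net.IPAddress]::Parse($ip).GetAddressBytes()) {
        $addr = ($addr -shl 8) -bor $b            # network byte order, no endianness concerns
    }
    $mask = if ($len -eq 0) { [int64]0 } else { ([int64]0xFFFFFFFF -shl (32 - $len)) -band 0xFFFFFFFF }
    return @{ Network = ($addr -band $mask); Mask = $mask; Length = $len }
}

# True when the two prefixes share any address, i.e. one contains the other.
function Test-CidrOverlap {
    param([string]$CidrA, [string]$CidrB)
    $a = ConvertTo-NetworkAndMask $CidrA
    $b = ConvertTo-NetworkAndMask $CidrB
    $shorter = if ($a.Length -le $b.Length) { $a } else { $b }
    return (($a.Network -band $shorter.Mask) -eq ($b.Network -band $shorter.Mask))
}

# 1. Refuse to continue if the client pool collides with a VNet prefix; traffic
#    for an overlapping range would never be routed into the tunnel.
foreach ($prefix in @($VNetPrefix1, $VNetPrefix2)) {
    if (Test-CidrOverlap -CidrA $VPNClientAddressPool -CidrB $prefix) {
        throw "VPN client pool $VPNClientAddressPool overlaps VNet prefix $prefix"
    }
}

# 2. Read the RADIUS shared secret without echoing it, as in step 4.1 above.
$Secure_Secret = Read-Host -AsSecureString -Prompt "RadiusSecret"

# 3. Apply the P2S settings. Basic SKU gateways cannot use RADIUS, so fail early.
$Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
if ($Gateway.Sku.Name -eq "Basic") {
    throw "Gateway $GWName uses the Basic SKU, which does not support RADIUS or IKEv2"
}
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway `
    -VpnClientAddressPool $VPNClientAddressPool -VpnClientProtocol @("SSTP", "IkeV2") `
    -RadiusServerAddress $RadiusServerIp -RadiusServerSecret $Secure_Secret | Out-Null

# 4. Read the configuration back and confirm what the gateway actually stored.
#    The secret itself is never returned by the API, so only address, pool and
#    protocols can be checked here.
function Test-P2SRadiusConfig {
    param([string]$ResourceGroup, [string]$GatewayName, [string]$ExpectedPool, [string]$ExpectedRadius)
    $cfg = (Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name $GatewayName).VpnClientConfiguration
    if ($null -eq $cfg) { return $false }
    $poolOk   = $cfg.VpnClientAddressPool.AddressPrefixes -contains $ExpectedPool
    $radiusOk = $cfg.RadiusServerAddress -eq $ExpectedRadius
    $protoOk  = ($cfg.VpnClientProtocols -contains "SSTP") -and ($cfg.VpnClientProtocols -contains "IkeV2")
    Write-Host ("Pool={0} Radius={1} Protocols=[{2}]" -f $poolOk, $radiusOk, ($cfg.VpnClientProtocols -join ","))
    return ($poolOk -and $radiusOk -and $protoOk)
}

if (-not (Test-P2SRadiusConfig -ResourceGroup $RG -GatewayName $GWName `
        -ExpectedPool $VPNClientAddressPool -ExpectedRadius $RadiusServerIp)) {
    throw "P2S RADIUS configuration on $GWName does not match what was requested"
}
```

The overlap check is deliberately done client-side before calling Azure: the service accepts an overlapping pool and the failure only shows up later as traffic that stays on the local network, which is the same symptom the RDP troubleshooting section describes.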

5. Download the VPN client configuration package and set up the VPN client

The VPN client configuration lets devices connect to a VNet over a P2S connection. To generate a VPN client configuration package and set up the VPN client, see Create a VPN Client Configuration for RADIUS authentication.

6. Connect to Azure

To connect from a Windows VPN client

  1. To connect to your VNet, on the client computer, navigate to VPN connections and locate the VPN connection that you created. It has the same name as your virtual network. Enter your domain credentials and click 'Connect'. A pop-up message requesting elevated rights appears. Accept it and enter the credentials.

  2. Your connection is established.

To connect from a Mac VPN client

From the Network dialog box, locate the client profile that you want to use, then click Connect.

To verify your connection

  1. To verify that your VPN connection is active, open an elevated command prompt and run ipconfig/all.

  2. View the results. Notice that the IP address you received is one of the addresses within the Point-to-Site VPN client address pool that you specified in your configuration. The results are similar to this example:

    PPP adapter VNet1:
       Connection-specific DNS Suffix .:
       Description.....................: VNet1
       Physical Address................:
       DHCP Enabled....................: No
       Autoconfiguration Enabled.......: Yes
       IPv4 Address....................: 172.16.201.3(Preferred)
       Subnet Mask.....................: 255.255.255.255
       Default Gateway.................:
       NetBIOS over Tcpip..............: Enabled
    

To troubleshoot a P2S connection, see Troubleshooting Azure point-to-site connections.

To connect to a virtual machine

You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to it. The best way to initially verify that you can reach your VM is to connect by using its private IP address rather than its computer name. That way you are testing whether you can connect, not whether name resolution is configured properly.

  1. Locate the private IP address. You can find the private IP address of a VM either by looking at the properties of the VM in the Azure portal, or by using PowerShell.

    • Azure portal - Locate your virtual machine in the Azure portal. View the properties of the VM. The private IP address is listed.

    • PowerShell - Use the example to view a list of VMs and private IP addresses from your resource groups. You don't need to modify this example before using it.

      # List every NIC that is attached to a VM, with its private IP and allocation method
      $VMs = Get-AzVM
      $Nics = Get-AzNetworkInterface | Where VirtualMachine -ne $null
      
      foreach($Nic in $Nics)
      {
      $VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
      $Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
      $Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
      Write-Output "$($VM.Name): $Prv,$Alloc"
      }
      
  2. Verify that you are connected to your VNet using the Point-to-Site VPN connection.

  3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the 'mstsc' command in PowerShell.

  4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust additional settings, then connect.

To troubleshoot an RDP connection to a VM

If you are having trouble connecting to a virtual machine over your VPN connection, check the following:

  • Verify that your VPN connection is successful.
  • Verify that you are connecting to the private IP address of the VM.
  • Use 'ipconfig' to check the IPv4 address assigned to the Ethernet adapter on the computer from which you are connecting. If that address is within the address range of the VNet that you are connecting to, or within the address range of your VPNClientAddressPool, this is referred to as an overlapping address space. When your address space overlaps in this way, traffic for the VNet never reaches Azure; it stays on the local network.
  • If you can connect to the VM using the private IP address but not the computer name, verify that you have configured DNS properly. For more information about how name resolution works for VMs, see Name Resolution for VMs.
  • Verify that the VPN client configuration package was generated after the DNS server IP addresses were specified for the VNet. If you updated the DNS server IP addresses, generate and install a new VPN client configuration package.
  • For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.

FAQ

This FAQ applies to P2S using RADIUS authentication.

How many VPN client endpoints can I have in my Point-to-Site configuration?

It depends on the gateway SKU. For more information on the number of connections supported, see Gateway SKUs.

What client operating systems can I use with Point-to-Site?

The following client operating systems are supported:

  • Windows 7 (32-bit and 64-bit)
  • Windows Server 2008 R2 (64-bit only)
  • Windows 8.1 (32-bit and 64-bit)
  • Windows Server 2012 (64-bit only)
  • Windows Server 2012 R2 (64-bit only)
  • Windows Server 2016 (64-bit only)
  • Windows 10
  • Mac OS X version 10.11 or above
  • Linux (StrongSwan)
  • iOS

Note

Starting July 1, 2018, support for TLS 1.0 and 1.1 is being removed from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. To maintain support, see the updates to enable support for TLS 1.2.

Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:

  • RC4 (Rivest Cipher 4)
  • DES (Data Encryption Standard)
  • 3DES (Triple DES)
  • MD5 (Message Digest 5)

How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?

  1. Open a command prompt with elevated privileges by right-clicking Command Prompt and selecting Run as administrator.

  2. Run the following commands in the command prompt:

    reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v TlsVersion /t REG_DWORD /d 0xfc0
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
    if %PROCESSOR_ARCHITECTURE% EQU AMD64 reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
    
  3. Install the following updates:

  4. Reboot the computer.

  5. Connect to the VPN.

Note

You will have to set the above registry keys if you are running an older version of Windows 10 (10240).

Can I traverse proxies and firewalls using Point-to-Site capability?

Azure supports three types of Point-to-Site VPN options:

  • Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-based solution that can traverse firewalls, since most firewalls allow outbound TCP port 443, the port SSL uses.

  • OpenVPN. OpenVPN is an SSL-based solution that can traverse firewalls for the same reason: most firewalls allow outbound TCP port 443.

  • IKEv2 VPN. IKEv2 VPN is a standards-based IPsec VPN solution that uses outbound UDP ports 500 and 4500 and IP protocol number 50 (ESP). Firewalls do not always allow these, so IKEv2 VPN may not be able to traverse proxies and firewalls.

如果重新启动进行过点到站点配置的客户端计算机,是否会自动重新连接 VPN?If I restart a client computer configured for Point-to-Site, will the VPN automatically reconnect?

默认情况下,客户端计算机将不自动重新建立 VPN 连接。By default, the client computer will not reestablish the VPN connection automatically.

点到站点在 VPN 客户端上是否支持自动重新连接和 DDNS?Does Point-to-Site support auto-reconnect and DDNS on the VPN clients?

点到站点 VPN 中当前不支持自动重新连接和 DDNS。Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.

对于同一虚拟网络,站点到站点和点到站点配置能否共存?Can I have Site-to-Site and Point-to-Site configurations coexist for the same virtual network?

可以。Yes. 对于资源管理器部署模型,必须为网关使用 RouteBased VPN 类型。For the Resource Manager deployment model, you must have a RouteBased VPN type for your gateway. 对于经典部署模型,需要一个动态网关。For the classic deployment model, you need a dynamic gateway. 不支持将点到站点配置用于静态路由 VPN 网关或 PolicyBased VPN 网关。We do not support Point-to-Site for static routing VPN gateways or PolicyBased VPN gateways.

能否将点到站点客户端配置为同时连接到多个虚拟网络?Can I configure a Point-to-Site client to connect to multiple virtual networks at the same time?

不。No. 点到站点客户端只能连接到虚拟网络网关所在的 VNet 中的资源。A Point-to-Site client can only connect to resources in the VNet in which the virtual network gateway resides.

预计通过站点到站点连接或点到站点连接的吞吐量有多少?How much throughput can I expect through Site-to-Site or Point-to-Site connections?

很难维持 VPN 隧道的准确吞吐量。It's difficult to maintain the exact throughput of the VPN tunnels. IPsec 和 SSTP 是重重加密的 VPN 协议。IPsec and SSTP are crypto-heavy VPN protocols. 本地网络与 Internet 之间的延迟和带宽也限制了吞吐量。Throughput is also limited by the latency and bandwidth between your premises and the Internet. 对于仅具有 IKEv2 点到站点 VPN 连接的 VPN 网关,期望可以实现的总吞吐量取决于网关 SKU。For a VPN Gateway with only IKEv2 Point-to-Site VPN connections, the total throughput that you can expect depends on the Gateway SKU. 有关吞吐量的详细信息,请参阅网关 SKUFor more information on throughput, see Gateway SKUs.

是否可以将任何软件 VPN 客户端用于支持 SSTP 和/或 IKEv2 的点到站点配置?Can I use any software VPN client for Point-to-Site that supports SSTP and/or IKEv2?

不。No. 只能将 Windows 上的本机 VPN 客户端用于 SSTP,只能将 Mac 上的本机 VPN 客户端用于 IKEv2。You can only use the native VPN client on Windows for SSTP, and the native VPN client on Mac for IKEv2. 但是,可以在所有平台上使用 OpenVPN 客户端通过 OpenVPN 协议进行连接。However, you can use the OpenVPN client on all platforms to connect over OpenVPN protocol. 请参阅支持的客户端操作系统的列表。Refer to the list of supported client operating systems.

Azure 是否支持使用 Windows 的 IKEv2 VPN?Does Azure support IKEv2 VPN with Windows?

在 Windows 10 和 Server 2016 上支持 IKEv2。IKEv2 is supported on Windows 10 and Server 2016. 但是,若要使用 IKEv2,必须在本地安装更新并设置注册表项值。However, in order to use IKEv2, you must install updates and set a registry key value locally. Windows 10 之前的操作系统版本不受支持,只能使用 SSTP 或OpenVPN®协议OS versions prior to Windows 10 are not supported and can only use SSTP or OpenVPN® Protocol.

为运行 IKEv2 准备 Windows 10 或 Server 2016:To prepare Windows 10 or Server 2016 for IKEv2:

  1. Install the update.

     OS version                                    Date              Number/Link
     Windows Server 2016, Windows 10 Version 1607  January 17, 2018  KB4057142
     Windows 10 Version 1703                       January 17, 2018  KB4057144
     Windows 10 Version 1709                       March 22, 2018    KB4089848

  2. Set the registry key value. Create or set the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2\DisableCertReqPayload" REG_DWORD key in the registry to 1.
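The two preparation steps above, as an added PowerShell example that is not part of the Azure documentation: it looks up the update listed for the running OS build and, if it is present, creates the RasMan\IKEv2 key and sets DisableCertReqPayload to 1. The function names and the mapping from OS build numbers to the Windows versions in the table are assumptions added here.

```powershell
# Added example, not from the Azure documentation: check the IKEv2 client
# prerequisites on a Windows 10 / Server 2016 machine.
# Run from an elevated PowerShell session (the registry write needs admin rights).
# Function names are hypothetical; the build-to-version mapping is added here.

$RequiredUpdates = @{
    '14393' = 'KB4057142'   # Windows Server 2016 and Windows 10 Version 1607
    '15063' = 'KB4057144'   # Windows 10 Version 1703
    '16299' = 'KB4089848'   # Windows 10 Version 1709
}

$Ikev2KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2'

function Test-Ikev2Update {
    # Returns $true when the update listed for this OS build is installed.
    $build = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    if (-not $RequiredUpdates.ContainsKey($build)) {
        Write-Warning "Build $build is not in the update table; check the docs for your version."
        return $false
    }
    $kb = $RequiredUpdates[$build]
    # A later cumulative update supersedes the listed KB, so Get-HotFix may not
    # list it even though the fix is present. If this returns $false on a fully
    # patched system, compare the build revision against the KB article instead.
    $installed = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    return [bool]$installed
}

function Set-Ikev2DisableCertReqPayload {
    # Creates the RasMan\IKEv2 key if needed and sets DisableCertReqPayload = 1 (REG_DWORD).
    if (-not (Test-Path $Ikev2KeyPath)) {
        New-Item -Path $Ikev2KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $Ikev2KeyPath -Name 'DisableCertReqPayload' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    # Read the value back so the caller can confirm what was written.
    return (Get-ItemProperty -Path $Ikev2KeyPath -Name 'DisableCertReqPayload').DisableCertReqPayload
}

if (Test-Ikev2Update) {
    $value = Set-Ikev2DisableCertReqPayload
    Write-Output "DisableCertReqPayload is now $value; IKEv2 client prerequisites are in place."
} else {
    Write-Output 'Install the update listed for this OS version before enabling IKEv2.'
}
```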

What happens when I configure both SSTP and IKEv2 for P2S VPN connections?

When you configure both SSTP and IKEv2 in a mixed environment (consisting of Windows and Mac devices), the Windows VPN client will always try the IKEv2 tunnel first, but will fall back to SSTP if the IKEv2 connection is not successful. MacOSX will only connect via IKEv2.

Other than Windows and Mac, which other platforms does Azure support for P2S VPN?

Azure supports Windows, Mac and Linux for P2S VPN.

I already have an Azure VPN Gateway deployed. Can I enable RADIUS and/or IKEv2 VPN on it?

Yes, you can enable these new features on already deployed gateways using PowerShell or the Azure portal, provided that the gateway SKU that you are using supports RADIUS and/or IKEv2. For example, the VPN gateway Basic SKU does not support RADIUS or IKEv2.

Is RADIUS authentication supported on all Azure VPN Gateway SKUs?

RADIUS authentication is supported for the VpnGw1, VpnGw2, and VpnGw3 SKUs. If you are using legacy SKUs, RADIUS authentication is supported on the Standard and High Performance SKUs. It is not supported on the Basic Gateway SKU.

Is RADIUS authentication supported for the classic deployment model?

No. RADIUS authentication is not supported for the classic deployment model.

Are 3rd-party RADIUS servers supported?

Yes, 3rd-party RADIUS servers are supported.

What are the connectivity requirements to ensure that the Azure gateway is able to reach an on-premises RADIUS server?

A VPN Site-to-Site connection to the on-premises site, with the proper routes configured, is required.

Can traffic to an on-premises RADIUS server (from the Azure VPN gateway) be routed over an ExpressRoute connection?

No. It can only be routed over a Site-to-Site connection.

Is there a change in the number of SSTP connections supported with RADIUS authentication? What is the maximum number of SSTP and IKEv2 connections supported?

There is no change in the maximum number of SSTP connections supported on a gateway with RADIUS authentication. It remains 128 for SSTP, but depends on the gateway SKU for IKEv2. For more information on the number of connections supported, see Gateway SKUs.

What is the difference between doing certificate authentication using a RADIUS server vs. using Azure native certificate authentication (by uploading a trusted certificate to Azure)?

In RADIUS certificate authentication, the authentication request is forwarded to a RADIUS server that handles the actual certificate validation. This option is useful if you want to integrate with a certificate authentication infrastructure that you already have through RADIUS.

When using Azure for certificate authentication, the Azure VPN gateway performs the validation of the certificate. You need to upload your certificate public key to the gateway. You can also specify a list of revoked certificates that shouldn't be allowed to connect.

Does RADIUS authentication work with both IKEv2 and SSTP VPN?

Yes, RADIUS authentication is supported for both IKEv2 and SSTP VPN.

Does RADIUS authentication work with the OpenVPN client?

RADIUS authentication is not supported for the OpenVPN client.

Next steps

Once your connection is complete, you can add virtual machines to your virtual networks. For more information, see Virtual Machines. To understand more about networking and virtual machines, see Azure and Linux VM network overview.