
About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections

A VPN device is required to configure a Site-to-Site (S2S) cross-premises VPN connection using a VPN gateway. Site-to-Site connections can be used to create a hybrid solution, or whenever you want secure connections between your on-premises networks and your virtual networks. This article provides a list of validated VPN devices and a list of IPsec/IKE parameters for VPN gateways.

Important

If you are experiencing connectivity issues between your on-premises VPN devices and VPN gateways, refer to Known device compatibility issues.

Items to note when viewing the tables:

  • There has been a terminology change for Azure VPN gateways. Only the names have changed. There is no functionality change.
    • Static Routing = PolicyBased
    • Dynamic Routing = RouteBased
  • Specifications for HighPerformance VPN gateway and RouteBased VPN gateway are the same, unless otherwise noted. For example, the validated VPN devices that are compatible with RouteBased VPN gateways are also compatible with the HighPerformance VPN gateway.

Validated VPN devices and device configuration guides

In partnership with device vendors, we have validated a set of standard VPN devices. All of the devices in the device families in the following list should work with VPN gateways. See About VPN Gateway Settings to understand which VPN type (PolicyBased or RouteBased) to use for the VPN gateway solution you want to configure.

To help configure your VPN device, refer to the links that correspond to the appropriate device family. The links to configuration instructions are provided on a best-effort basis. For VPN device support, contact your device manufacturer.

| Vendor | Device family | Minimum OS version | PolicyBased configuration instructions | RouteBased configuration instructions |
|---|---|---|---|---|
| A10 Networks, Inc. | Thunder CFW | ACOS 4.1.1 | Not compatible | Configuration guide |
| Allied Telesis | AR Series VPN Routers | AR-Series 5.4.7+ | Coming soon | Configuration guide |
| Barracuda Networks, Inc. | Barracuda NextGen Firewall F-series | PolicyBased: 5.4.3; RouteBased: 6.2.0 | Configuration guide | Configuration guide |
| Barracuda Networks, Inc. | Barracuda NextGen Firewall X-series | Barracuda Firewall 6.5 | Configuration guide | Not compatible |
| Check Point | Security Gateway | R80.10 | Configuration guide | Configuration guide |
| Cisco | ASA | 8.3; 8.4+ (IKEv2*) | Supported | Configuration guide* |
| Cisco | ASR | PolicyBased: IOS 15.1; RouteBased: IOS 15.2 | Supported | Supported |
| Cisco | CSR | RouteBased: IOS-XE 16.10 | | Configuration script |
| Cisco | ISR | PolicyBased: IOS 15.0; RouteBased*: IOS 15.1 | Supported | Supported |
| Cisco | Meraki | N/A | Not compatible | Not compatible |
| Citrix | NetScaler MPX, SDX, VPX | 10.1 and above | Configuration guide | Not compatible |
| F5 | BIG-IP series | 12.0 | Configuration guide | Configuration guide |
| Fortinet | FortiGate | FortiOS 5.6 | | Configuration guide |
| Internet Initiative Japan (IIJ) | SEIL Series | SEIL/X 4.60; SEIL/B1 4.60; SEIL/x86 3.20 | Configuration guide | Not compatible |
| Juniper | SRX | PolicyBased: JunOS 10.2; RouteBased: JunOS 11.4 | Supported | Configuration script |
| Juniper | J-Series | PolicyBased: JunOS 10.4r9; RouteBased: JunOS 11.4 | Supported | Configuration script |
| Juniper | ISG | ScreenOS 6.3 | Supported | Configuration script |
| Juniper | SSG | ScreenOS 6.2 | Supported | Configuration script |
| Juniper | MX | JunOS 12.x | Supported | Configuration script |
| Microsoft | Routing and Remote Access Service | Windows Server 2012 | Not compatible | Supported |
| Open Systems AG | Mission Control Security Gateway | N/A | Configuration guide | Not compatible |
| Palo Alto Networks | All devices running PAN-OS | PAN-OS; PolicyBased: 6.1.5 or later; RouteBased: 7.1.4 | Configuration guide | Configuration guide |
| ShareTech | Next Generation UTM (NU series) | 9.0.1.3 | Not compatible | Configuration guide |
| SonicWall | TZ Series, NSA Series; SuperMassive Series; E-Class NSA Series | SonicOS 5.8.x; SonicOS 5.9.x; SonicOS 6.x | Not compatible | Configuration guide |
| Sophos | XG Next Gen Firewall | XG v17 | | Configuration guide; Configuration guide - Multiple SAs |
| Synology | MR2200ac; RT2600ac; RT1900ac | SRM1.1.5/VpnPlusServer-1.2.0 | | Configuration Guide |
| Ubiquiti | EdgeRouter | EdgeOS v1.10 | | BGP over IKEv2/IPsec; VTI over IKEv2/IPsec |
| WatchGuard | All | Fireware XTM; PolicyBased: v11.11.x; RouteBased: v11.12.x | Configuration guide | Configuration guide |
| Zyxel | ZyWALL USG series; ZyWALL ATP series; ZyWALL VPN series | ZLD v4.32+ | | VTI over IKEv2/IPsec; BGP over IKEv2/IPsec |

Note

(*) Cisco ASA versions 8.4+ add IKEv2 support and can connect to Azure VPN gateway using a custom IPsec/IKE policy with the "UsePolicyBasedTrafficSelectors" option. Refer to this how-to article.

(**) ISR 7200 Series routers only support PolicyBased VPNs.

Download VPN device configuration scripts from Azure

For certain devices, you can download configuration scripts directly from Azure. For more information and download instructions, see Download VPN device configuration scripts.

Devices with available configuration scripts

| Vendor | Device family | Firmware version |
|---|---|---|
| Cisco | ISR | IOS 15.1 (Preview) |
| Cisco | ASA | ASA (*) RouteBased (IKEv2 - No BGP) for ASA below 9.8 |
| Cisco | ASA | ASA RouteBased (IKEv2 - No BGP) for ASA 9.8+ |
| Juniper | SRX_GA | 12.x |
| Juniper | SSG_GA | ScreenOS 6.2.x |
| Juniper | JSeries_GA | JunOS 12.x |
| Juniper | SRX | JunOS 12.x RouteBased BGP |
| Ubiquiti | EdgeRouter | EdgeOS v1.10x RouteBased VTI |
| Ubiquiti | EdgeRouter | EdgeOS v1.10x RouteBased BGP |

Note

(*) Required: NarrowAzureTrafficSelectors (enable the UsePolicyBasedTrafficSelectors option) and CustomAzurePolicies (IKE/IPsec)

Non-validated VPN devices

If you don't see your device listed in the Validated VPN devices table, your device may still work with a Site-to-Site connection. Contact your device manufacturer for additional support and configuration instructions.

Editing device configuration samples

After you download the provided VPN device configuration sample, you'll need to replace some of the values to reflect the settings for your environment.

To edit a sample:

  1. Open the sample using Notepad.
  2. Search and replace all <text> strings with the values that pertain to your environment. Be sure to include < and >. When a name is specified, the name you select should be unique. If a command does not work, consult your device manufacturer documentation.

| Sample text | Change to |
|---|---|
| <RP_OnPremisesNetwork> | Your chosen name for this object. Example: myOnPremisesNetwork |
| <RP_AzureNetwork> | Your chosen name for this object. Example: myAzureNetwork |
| <RP_AccessList> | Your chosen name for this object. Example: myAzureAccessList |
| <RP_IPSecTransformSet> | Your chosen name for this object. Example: myIPSecTransformSet |
| <RP_IPSecCryptoMap> | Your chosen name for this object. Example: myIPSecCryptoMap |
| <SP_AzureNetworkIpRange> | Specify range. Example: 192.168.0.0 |
| <SP_AzureNetworkSubnetMask> | Specify subnet mask. Example: 255.255.0.0 |
| <SP_OnPremisesNetworkIpRange> | Specify on-premises range. Example: 10.2.1.0 |
| <SP_OnPremisesNetworkSubnetMask> | Specify on-premises subnet mask. Example: 255.255.255.0 |
| <SP_AzureGatewayIpAddress> | This information is specific to your virtual network and is located in the Management Portal as Gateway IP address. |
| <SP_PresharedKey> | This information is specific to your virtual network and is located in the Management Portal as Manage Key. |
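As an added example (not an Azure script), the following Python fills the <RP_*>/<SP_*> placeholders of a sample and checks the points above: the angle brackets are replaced along with the text, RP_ object names are unique, each range/mask pair is a valid network address, and no placeholder is left behind. The sample text and all values are constructed; the gateway address and pre-shared key are stand-ins for the values shown in the portal.

```python
"""Fill a downloaded VPN device configuration sample and check the result.
Added example, not an Azure script; the sample below is constructed in Cisco-style syntax."""
import ipaddress
import re

# Constructed stand-in for a downloaded sample; real samples are much longer.
SAMPLE = """\
access-list <RP_AccessList> permit ip <SP_OnPremisesNetworkIpRange> <SP_OnPremisesNetworkSubnetMask> <SP_AzureNetworkIpRange> <SP_AzureNetworkSubnetMask>
crypto isakmp key <SP_PresharedKey> address <SP_AzureGatewayIpAddress>
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes 256 esp-sha-hmac
crypto map <RP_IPSecCryptoMap> 10 ipsec-isakmp
"""

# Constructed values; the gateway address (TEST-NET-3) and the key are
# placeholders for the Gateway IP address and Manage Key from the portal.
VALUES = {
    "<RP_AccessList>": "myAzureAccessList",
    "<RP_IPSecTransformSet>": "myIPSecTransformSet",
    "<RP_IPSecCryptoMap>": "myIPSecCryptoMap",
    "<SP_AzureNetworkIpRange>": "192.168.0.0",
    "<SP_AzureNetworkSubnetMask>": "255.255.0.0",
    "<SP_OnPremisesNetworkIpRange>": "10.2.1.0",
    "<SP_OnPremisesNetworkSubnetMask>": "255.255.255.0",
    "<SP_AzureGatewayIpAddress>": "203.0.113.10",
    "<SP_PresharedKey>": "REPLACE-WITH-KEY-FROM-PORTAL",
}

PLACEHOLDER = re.compile(r"<(?:RP|SP)_[A-Za-z]+>")
NETWORKS = (("<SP_AzureNetworkIpRange>", "<SP_AzureNetworkSubnetMask>"),
            ("<SP_OnPremisesNetworkIpRange>", "<SP_OnPremisesNetworkSubnetMask>"))

def fill_sample(sample, values):
    """Replace each <text> placeholder, brackets included, and return the text.
    Raises ValueError for a non-unique RP_ name, a range/mask pair that is not
    a network address (host bits set), or a placeholder left unfilled."""
    names = [v for k, v in values.items() if k.startswith("<RP_")]
    if len(names) != len(set(names)):
        raise ValueError("RP_ object names must be unique")
    for range_key, mask_key in NETWORKS:
        # strict=True rejects e.g. 192.168.1.5 with mask 255.255.0.0
        ipaddress.IPv4Network((values[range_key], values[mask_key]), strict=True)
    filled = sample
    for key, value in values.items():
        filled = filled.replace(key, value)
    leftover = PLACEHOLDER.findall(filled)
    if leftover:
        raise ValueError(f"unfilled placeholders: {sorted(set(leftover))}")
    return filled
```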

IPsec/IKE parameters

Important

  1. The tables below contain the combinations of algorithms and parameters Azure VPN gateways use in the default configuration. For route-based VPN gateways created using the Azure Resource Manager deployment model, you can specify a custom policy on each individual connection. Refer to Configure IPsec/IKE policy for detailed instructions.

  2. In addition, you must clamp TCP MSS at 1350. Or, if your VPN devices do not support MSS clamping, you can alternatively set the MTU on the tunnel interface to 1400 bytes instead.

In the following tables:

  • SA = Security Association
  • IKE Phase 1 is also called "Main Mode"
  • IKE Phase 2 is also called "Quick Mode"

IKE Phase 1 (Main Mode) parameters

| Property | PolicyBased | RouteBased |
|---|---|---|
| IKE Version | IKEv1 | IKEv2 |
| Diffie-Hellman Group | Group 2 (1024 bit) | Group 2 (1024 bit) |
| Authentication Method | Pre-Shared Key | Pre-Shared Key |
| Encryption & Hashing Algorithms | 1. AES256, SHA256; 2. AES256, SHA1; 3. AES128, SHA1; 4. 3DES, SHA1 | 1. AES256, SHA1; 2. AES256, SHA256; 3. AES128, SHA1; 4. AES128, SHA256; 5. 3DES, SHA1; 6. 3DES, SHA256 |
| SA Lifetime | 28,800 seconds | 28,800 seconds |

IKE Phase 2 (Quick Mode) parameters

| Property | PolicyBased | RouteBased |
|---|---|---|
| IKE Version | IKEv1 | IKEv2 |
| Encryption & Hashing Algorithms | 1. AES256, SHA256; 2. AES256, SHA1; 3. AES128, SHA1; 4. 3DES, SHA1 | RouteBased QM SA Offers |
| SA Lifetime (Time) | 3,600 seconds | 27,000 seconds |
| SA Lifetime (Bytes) | 102,400,000 KB | - |
| Perfect Forward Secrecy (PFS) | No | RouteBased QM SA Offers |
| Dead Peer Detection (DPD) | Not supported | Supported |

RouteBased VPN IPsec Security Association (IKE Quick Mode SA) Offers

The following tables list the IPsec SA (IKE Quick Mode) offers. Offers are listed in the order of preference in which the offer is presented or accepted.

Azure Gateway as initiator

| - | Encryption | Authentication | PFS Group |
|---|---|---|---|
| 1 | GCM AES256 | GCM (AES256) | None |
| 2 | AES256 | SHA1 | None |
| 3 | 3DES | SHA1 | None |
| 4 | AES256 | SHA256 | None |
| 5 | AES128 | SHA1 | None |
| 6 | 3DES | SHA256 | None |

Azure Gateway as responder

| - | Encryption | Authentication | PFS Group |
|---|---|---|---|
| 1 | GCM AES256 | GCM (AES256) | None |
| 2 | AES256 | SHA1 | None |
| 3 | 3DES | SHA1 | None |
| 4 | AES256 | SHA256 | None |
| 5 | AES128 | SHA1 | None |
| 6 | 3DES | SHA256 | None |
| 7 | DES | SHA1 | None |
| 8 | AES256 | SHA1 | 1 |
| 9 | AES256 | SHA1 | 2 |
| 10 | AES256 | SHA1 | 14 |
| 11 | AES128 | SHA1 | 1 |
| 12 | AES128 | SHA1 | 2 |
| 13 | AES128 | SHA1 | 14 |
| 14 | 3DES | SHA1 | 1 |
| 15 | 3DES | SHA1 | 2 |
| 16 | 3DES | SHA256 | 2 |
| 17 | AES256 | SHA256 | 1 |
| 18 | AES256 | SHA256 | 2 |
| 19 | AES256 | SHA256 | 14 |
| 20 | AES256 | SHA1 | 24 |
| 21 | AES256 | SHA256 | 24 |
| 22 | AES128 | SHA256 | None |
| 23 | AES128 | SHA256 | 1 |
| 24 | AES128 | SHA256 | 2 |
| 25 | AES128 | SHA256 | 14 |
| 26 | 3DES | SHA1 | 14 |

  • You can specify IPsec ESP NULL encryption with RouteBased and HighPerformance VPN gateways. Null-based encryption does not provide protection to data in transit, and should only be used when maximum throughput and minimum latency are required. Clients may choose to use this in VNet-to-VNet communication scenarios, or when encryption is being applied elsewhere in the solution.
  • For cross-premises connectivity through the Internet, use the default Azure VPN gateway settings with the encryption and hashing algorithms listed in the tables above to ensure the security of your critical communication.
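As an added example (not Azure code), the following Python transcribes the RouteBased Main Mode table and the two Quick Mode offer tables above into data, then checks a peer device's proposal against them: it returns the proposal's preference rank (or None when Azure would not accept it by default) and flags the legacy algorithms that are still accepted. The function names and the sample proposal are this example's own.

```python
"""Check a peer's IKEv2 proposals against the Azure VPN gateway RouteBased
defaults transcribed from the tables above (added example, not Azure code)."""

MAIN_MODE_DH_GROUP = 2                      # Diffie-Hellman Group 2 (1024 bit)
MAIN_MODE_OFFERS = [                        # (encryption, integrity), preference order
    ("AES256", "SHA1"), ("AES256", "SHA256"), ("AES128", "SHA1"),
    ("AES128", "SHA256"), ("3DES", "SHA1"), ("3DES", "SHA256"),
]
# Quick Mode offers Azure accepts as responder, in preference order; the third
# element is the PFS group, None meaning no PFS.
QM_RESPONDER_OFFERS = [
    ("GCM AES256", "GCM (AES256)", None), ("AES256", "SHA1", None),
    ("3DES", "SHA1", None), ("AES256", "SHA256", None), ("AES128", "SHA1", None),
    ("3DES", "SHA256", None), ("DES", "SHA1", None), ("AES256", "SHA1", 1),
    ("AES256", "SHA1", 2), ("AES256", "SHA1", 14), ("AES128", "SHA1", 1),
    ("AES128", "SHA1", 2), ("AES128", "SHA1", 14), ("3DES", "SHA1", 1),
    ("3DES", "SHA1", 2), ("3DES", "SHA256", 2), ("AES256", "SHA256", 1),
    ("AES256", "SHA256", 2), ("AES256", "SHA256", 14), ("AES256", "SHA1", 24),
    ("AES256", "SHA256", 24), ("AES128", "SHA256", None), ("AES128", "SHA256", 1),
    ("AES128", "SHA256", 2), ("AES128", "SHA256", 14), ("3DES", "SHA1", 14),
]
QM_INITIATOR_OFFERS = QM_RESPONDER_OFFERS[:6]  # what Azure proposes as initiator
LEGACY = {"DES", "3DES", "SHA1"}            # accepted by default; worth flagging

def _rank(offers, offer):
    """1-based position of offer in the preference list, or None if absent."""
    return offers.index(offer) + 1 if offer in offers else None

def main_mode_rank(encryption, integrity, dh_group):
    """Preference rank of an IKE Phase 1 proposal, or None if not accepted."""
    if dh_group != MAIN_MODE_DH_GROUP:
        return None
    return _rank(MAIN_MODE_OFFERS, (encryption, integrity))

def quick_mode_rank(encryption, integrity, pfs_group=None, azure_initiates=False):
    """Preference rank of an IKE Phase 2 proposal, or None if not accepted.
    Azure offers fewer combinations (and no PFS) when it is the initiator."""
    offers = QM_INITIATOR_OFFERS if azure_initiates else QM_RESPONDER_OFFERS
    return _rank(offers, (encryption, integrity, pfs_group))

def legacy_warnings(*algorithms):
    """Sorted names of legacy algorithms in a proposal; empty if none are used."""
    return sorted(a for a in algorithms if a in LEGACY)

if __name__ == "__main__":
    # Constructed sample: a peer proposing AES256/SHA256, DH group 2, PFS group 14
    print(main_mode_rank("AES256", "SHA256", 2))                          # 2
    print(quick_mode_rank("AES256", "SHA256", 14))                        # 19
    print(quick_mode_rank("AES256", "SHA256", 14, azure_initiates=True))  # None
```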

Known device compatibility issues

Important

These are the known compatibility issues between third-party VPN devices and Azure VPN gateways. The Azure team is actively working with the vendors to address the issues listed here. Once the issues are resolved, this page will be updated with the most up-to-date information. Please check back periodically.

Feb. 16, 2017

Palo Alto Networks devices with version prior to 7.1.4 for Azure route-based VPN: If you are using VPN devices from Palo Alto Networks with a PAN-OS version prior to 7.1.4 and are experiencing connectivity issues to Azure route-based VPN gateways, perform the following steps:

  1. Check the firmware version of your Palo Alto Networks device. If your PAN-OS version is older than 7.1.4, upgrade to 7.1.4.
  2. On the Palo Alto Networks device, change the Phase 2 SA (or Quick Mode SA) lifetime to 28,800 seconds (8 hours) when connecting to the Azure VPN gateway.
  3. If you are still experiencing connectivity issues, open a support request from the Azure portal.