Configure IPsec/IKE policy for site-to-site VPN connections

This article walks through the steps to configure an IPsec/IKE policy for site-to-site (S2S) VPN connections in Azure Stack Hub.

Note

You must be running Azure Stack Hub build 1809 or later to use this feature. If you're currently running a build prior to 1809, update your Azure Stack Hub system to the latest build before proceeding with the steps in this article.

IPsec and IKE policy parameters for VPN gateways

The IPsec and IKE protocol standards support a wide range of cryptographic algorithms in various combinations. To see which parameters are supported in Azure Stack Hub so you can satisfy your compliance or security requirements, see IPsec/IKE parameters.

This article provides instructions on how to create and configure an IPsec/IKE policy and apply it to a new or existing connection.

Considerations

Note the following important considerations when using these policies:

  • The IPsec/IKE policy only works on the Standard and HighPerformance (route-based) gateway SKUs.

  • You can specify only one policy combination for a given connection.

  • You must specify all algorithms and parameters for both IKE (Main Mode) and IPsec (Quick Mode). Partial policy specification is not allowed.

  • Consult your VPN device vendor's specifications to ensure the policy is supported on your on-premises VPN devices. Site-to-site connections cannot be established if the policies are incompatible.

Prerequisites

Before you begin, make sure you have the following prerequisites:

Part 1 - Create and set IPsec/IKE policy

This section describes the steps required to create and update the IPsec/IKE policy on a site-to-site VPN connection:

  1. Create a virtual network and a VPN gateway.

  2. Create a local network gateway for the cross-premises connection.

  3. Create an IPsec/IKE policy with the selected algorithms and parameters.

  4. Create an IPsec connection with the IPsec/IKE policy.

  5. Add, update, or remove an IPsec/IKE policy for an existing connection.

The instructions in this article help you set up and configure IPsec/IKE policies, as shown in the following figure:

Figure: Set up and configure IPsec/IKE policies

Part 2 - Supported cryptographic algorithms and key strengths

The following table lists the supported cryptographic algorithms and key strengths configurable by Azure Stack Hub:

IPsec/IKEv2        Options
IKEv2 Encryption   AES256, AES192, AES128, DES3, DES
IKEv2 Integrity    SHA384, SHA256, SHA1, MD5
DH Group           ECP384, DHGroup14, DHGroup2, DHGroup1, ECP256*, DHGroup24*
IPsec Encryption   GCMAES256, GCMAES192, GCMAES128, AES256, AES192, AES128, DES3, DES, None
IPsec Integrity    GCMAES256, GCMAES192, GCMAES128
PFS Group          PFS24, ECP384, ECP256, PFS2048, PFS2, PFS1, PFSMM, None
QM SA Lifetime     (Optional: default values are used if not specified)
                   Seconds (integer; min. 300/default 27000 seconds)
                   KBytes (integer; min. 1024/default 102400000 KBytes)
Traffic Selector   Policy-based Traffic Selectors are not supported in Azure Stack Hub.

* These parameters are only available in builds 2002 and above.

  • Your on-premises VPN device configuration must match or contain the following algorithms and parameters that you specify in the Azure IPsec/IKE policy:

    • IKE encryption algorithm (Main Mode/Phase 1).
    • IKE integrity algorithm (Main Mode/Phase 1).
    • DH Group (Main Mode/Phase 1).
    • IPsec encryption algorithm (Quick Mode/Phase 2).
    • IPsec integrity algorithm (Quick Mode/Phase 2).
    • PFS Group (Quick Mode/Phase 2).
    • The SA lifetimes are local specifications only and do not need to match.

  • If GCMAES is used as the IPsec encryption algorithm, you must select the same GCMAES algorithm and key length for IPsec integrity; for example, use GCMAES128 for both.

  • In the preceding table:

    • IKEv2 corresponds to Main Mode or Phase 1.
    • IPsec corresponds to Quick Mode or Phase 2.
    • DH Group specifies the Diffie-Hellman Group used in Main Mode or Phase 1.
    • PFS Group specifies the Diffie-Hellman Group used in Quick Mode or Phase 2.

  • The IKEv2 Main Mode SA lifetime is fixed at 28,800 seconds on the Azure Stack Hub VPN gateways.

The following table lists the corresponding Diffie-Hellman Groups supported by the custom policy:

Diffie-Hellman Group   DHGroup                  PFSGroup   Key length
1                      DHGroup1                 PFS1       768-bit MODP
2                      DHGroup2                 PFS2       1024-bit MODP
14                     DHGroup14, DHGroup2048   PFS2048    2048-bit MODP
19                     ECP256*                  ECP256     256-bit ECP
20                     ECP384                   ECP384     384-bit ECP
24                     DHGroup24*               PFS24      2048-bit MODP

* These parameters are only available in builds 2002 and above.

For more information, see RFC3526 and RFC5114.
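The rules in Part 2 (no partial policies, GCMAES encryption paired with the same GCMAES integrity value, lifetime minimums, and the build-2002 footnote for DH groups) can be checked before a policy is ever sent to the gateway. The following pre-flight check is an added example, not code from the Azure Stack Hub documentation; the function name Test-AzsIpsecPolicyCandidate and the $Build parameter are assumptions, the supported lists are copied from the table above, and SHA256 is included for IPsec integrity because the article's own sample policy uses it.

```powershell
# Supported values as listed in the Part 2 table (IpsecIntegrity also includes
# SHA256, which the article's own sample policy uses).
$Supported = @{
    IkeEncryption   = 'AES256','AES192','AES128','DES3','DES'
    IkeIntegrity    = 'SHA384','SHA256','SHA1','MD5'
    DhGroup         = 'ECP384','DHGroup14','DHGroup2','DHGroup1','ECP256','DHGroup24'
    IpsecEncryption = 'GCMAES256','GCMAES192','GCMAES128','AES256','AES192','AES128','DES3','DES','None'
    IpsecIntegrity  = 'GCMAES256','GCMAES192','GCMAES128','SHA256'
    PfsGroup        = 'PFS24','ECP384','ECP256','PFS2048','PFS2','PFS1','PFSMM','None'
}
$Build2002OnlyDhGroups = 'ECP256','DHGroup24'   # footnoted in the DH group table

# Hypothetical helper: returns a list of findings; an empty list means the
# hashtable can be splatted straight into New-AzIpsecPolicy.
function Test-AzsIpsecPolicyCandidate {
    param([hashtable]$Policy, [int]$Build = 2002)   # $Build is an assumed input
    $findings = @()
    # Partial policy specification is not allowed: all six algorithm parameters must be present.
    foreach ($name in $Supported.Keys) {
        if (-not $Policy.ContainsKey($name)) { $findings += "$name is missing"; continue }
        if ($Supported[$name] -notcontains $Policy[$name]) {
            $findings += "$name '$($Policy[$name])' is not in the supported list"
        }
    }
    # GCMAES encryption must be paired with the identical GCMAES integrity value.
    if ($Policy.IpsecEncryption -like 'GCMAES*' -and $Policy.IpsecIntegrity -ne $Policy.IpsecEncryption) {
        $findings += "IpsecIntegrity must equal IpsecEncryption when GCMAES is used"
    }
    # ECP256 and DHGroup24 as the DH group need build 2002 or later.
    if ($Build -lt 2002 -and $Build2002OnlyDhGroups -contains $Policy.DhGroup) {
        $findings += "DhGroup '$($Policy.DhGroup)' needs build 2002 or later"
    }
    # Optional QM SA lifetime values have minimums of 300 seconds and 1024 KB.
    if ($Policy.ContainsKey('SALifeTimeSeconds') -and $Policy.SALifeTimeSeconds -lt 300) {
        $findings += "SALifeTimeSeconds is below the minimum of 300"
    }
    if ($Policy.ContainsKey('SADataSizeKilobytes') -and $Policy.SADataSizeKilobytes -lt 1024) {
        $findings += "SADataSizeKilobytes is below the minimum of 1024"
    }
    return $findings
}

# Constructed candidate: like the article's $ipsecpolicy6, but with a GCMAES mismatch.
$candidate = @{ IkeEncryption = 'AES128'; IkeIntegrity = 'SHA1'; DhGroup = 'DHGroup14'
                IpsecEncryption = 'GCMAES256'; IpsecIntegrity = 'GCMAES128'; PfsGroup = 'None'
                SALifeTimeSeconds = 14400; SADataSizeKilobytes = 102400000 }
$problems = Test-AzsIpsecPolicyCandidate -Policy $candidate -Build 2002
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { $ipsecpolicy = New-AzIpsecPolicy @candidate }   # only create the policy once it passes
```

The constructed candidate is rejected for the GCMAES mismatch; change IpsecIntegrity to GCMAES256 and the check passes.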

Part 3 - Create a new site-to-site VPN connection with IPsec/IKE policy

This section walks through the steps to create a site-to-site VPN connection with an IPsec/IKE policy. The following steps create the connection, as shown in the following figure:

Figure: site-to-site-policy

For more detailed step-by-step instructions for creating a site-to-site VPN connection, see Create a site-to-site VPN connection.

Step 1 - Create the virtual network, VPN gateway, and local network gateway

1. Declare variables

For this exercise, start by declaring the following variables. Be sure to replace the placeholders with your own values when configuring for production:

$Sub1 = "<YourSubscriptionName>"
$RG1 = "TestPolicyRG1"
$Location1 = "East US 2"
$VNetName1 = "TestVNet1"
$FESubName1 = "FrontEnd"
$BESubName1 = "Backend"
$GWSubName1 = "GatewaySubnet"
$VNetPrefix11 = "10.11.0.0/16"
$VNetPrefix12 = "10.12.0.0/16"
$FESubPrefix1 = "10.11.0.0/24"
$BESubPrefix1 = "10.12.0.0/24"
$GWSubPrefix1 = "10.12.255.0/27"
$DNS1 = "8.8.8.8"
$GWName1 = "VNet1GW"
$GW1IPName1 = "VNet1GWIP1"
$GW1IPconf1 = "gw1ipconf1"
$Connection16 = "VNet1toSite6"
$LNGName6 = "Site6"
$LNGPrefix61 = "10.61.0.0/16"
$LNGPrefix62 = "10.62.0.0/16"
$LNGIP6 = "131.107.72.22"

2. Connect to your subscription and create a new resource group

Make sure you switch to PowerShell mode to use the Resource Manager cmdlets. For more information, see Connect to Azure Stack Hub with PowerShell as a user.

Open your PowerShell console and connect to your account; for example:

Connect-AzAccount
Select-AzSubscription -SubscriptionName $Sub1
New-AzResourceGroup -Name $RG1 -Location $Location1

3. Create the virtual network, VPN gateway, and local network gateway

The following example creates the virtual network, TestVNet1, along with three subnets and the VPN gateway. When substituting values, it's important that you specifically name your gateway subnet GatewaySubnet. If you name it something else, your gateway creation fails.

$fesub1 = New-AzVirtualNetworkSubnetConfig -Name $FESubName1 -AddressPrefix $FESubPrefix1
$besub1 = New-AzVirtualNetworkSubnetConfig -Name $BESubName1 -AddressPrefix $BESubPrefix1
$gwsub1 = New-AzVirtualNetworkSubnetConfig -Name $GWSubName1 -AddressPrefix $GWSubPrefix1

New-AzVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1 -Location $Location1 -AddressPrefix $VNetPrefix11,$VNetPrefix12 -Subnet $fesub1,$besub1,$gwsub1

$gw1pip1 = New-AzPublicIpAddress -Name $GW1IPName1 -ResourceGroupName $RG1 -Location $Location1 -AllocationMethod Dynamic

$vnet1 = Get-AzVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1

$subnet1 = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" `
-VirtualNetwork $vnet1

$gw1ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name $GW1IPconf1 `
-Subnet $subnet1 -PublicIpAddress $gw1pip1

New-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1 `
-Location $Location1 -IpConfigurations $gw1ipconf1 -GatewayType Vpn `
-VpnType RouteBased -GatewaySku VpnGw1

New-AzLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1 `
-Location $Location1 -GatewayIpAddress $LNGIP6 -AddressPrefix `
$LNGPrefix61,$LNGPrefix62

Step 2 - Create a site-to-site VPN connection with an IPsec/IKE policy

1. Create an IPsec/IKE policy

This sample script creates an IPsec/IKE policy with the following algorithms and parameters:

  • IKEv2: AES128, SHA1, DHGroup14
  • IPsec: AES256, SHA256, PFS None, SA lifetime 14400 seconds and 102400000 KB

$ipsecpolicy6 = New-AzIpsecPolicy -IkeEncryption AES128 -IkeIntegrity SHA1 -DhGroup DHGroup14 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000

If you use GCMAES for IPsec, you must use the same GCMAES algorithm and key length for both IPsec encryption and integrity.

2. Create the site-to-site VPN connection with the IPsec/IKE policy

Create a site-to-site VPN connection and apply the IPsec/IKE policy you created previously:

$vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
$lng6 = Get-AzLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1

New-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location $Location1 -ConnectionType IPsec -IpsecPolicies $ipsecpolicy6 -SharedKey 'Azs123'

Important

Once an IPsec/IKE policy is specified on a connection, the Azure VPN gateway only sends or accepts IPsec/IKE proposals with the specified cryptographic algorithms and key strengths on that particular connection. Make sure your on-premises VPN device for the connection uses or accepts the exact policy combination; otherwise the site-to-site VPN tunnel cannot be established.

Part 4 - Update IPsec/IKE policy for a connection

The previous section showed how to manage IPsec/IKE policy for an existing site-to-site connection. This section walks through the following operations on a connection:

  • Show the IPsec/IKE policy of a connection.
  • Add or update the IPsec/IKE policy of a connection.
  • Remove the IPsec/IKE policy from a connection.

Note

IPsec/IKE policy is supported on Standard and HighPerformance route-based VPN gateways only. It does not work on the Basic gateway SKU.

1. Show the IPsec/IKE policy of a connection

The following example shows how to get the IPsec/IKE policy configured on a connection. The scripts also continue from the previous exercises.

$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6 = Get-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
$connection6.IpsecPolicies

The last command lists the current IPsec/IKE policy configured on the connection, if any. The following is sample output for the connection:

SALifeTimeSeconds : 14400
SADataSizeKilobytes : 102400000
IpsecEncryption : AES256
IpsecIntegrity : SHA256
IkeEncryption : AES128
IkeIntegrity : SHA1
DhGroup : DHGroup14
PfsGroup : None

If no IPsec/IKE policy is configured, the command $connection6.IpsecPolicies returns nothing. That does not mean IPsec/IKE isn't configured on the connection; it means there is no custom IPsec/IKE policy. The actual connection uses the default policy negotiated between your on-premises VPN device and the Azure VPN gateway.

2. Add or update an IPsec/IKE policy for a connection

The steps to add a new policy or update an existing policy on a connection are the same: create a new policy, then apply it to the connection:

$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6 = Get-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1

$newpolicy6 = New-AzIpsecPolicy -IkeEncryption AES128 -IkeIntegrity SHA1 -DhGroup DHGroup14 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000

$connection6.SharedKey = "AzS123"

Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection6 -IpsecPolicies $newpolicy6

You can get the connection again to check whether the policy was updated:

$connection6 = Get-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
$connection6.IpsecPolicies

You should see output from the last line like the following example:

SALifeTimeSeconds : 14400
SADataSizeKilobytes : 102400000
IpsecEncryption : AES256
IpsecIntegrity : SHA256
IkeEncryption : AES128
IkeIntegrity : SHA1
DhGroup : DHGroup14
PfsGroup : None

3. Remove an IPsec/IKE policy from a connection

After you remove the custom policy from a connection, the Azure VPN gateway reverts to the default IPsec/IKE proposal and renegotiates with your on-premises VPN device.

$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6 = Get-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
$connection6.SharedKey = "AzS123"
$currentpolicy = $connection6.IpsecPolicies[0]
$connection6.IpsecPolicies.Remove($currentpolicy)

Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection6

You can use the same script to check whether the policy has been removed from the connection.
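The show/update/remove steps in Part 4 operate on one connection at a time; the following is an added example (not part of the Azure Stack Hub documentation) that reads IpsecPolicies for every IPsec connection in a resource group, distinguishes "no custom policy, default negotiated" from a custom policy, and flags connections whose custom policy still uses a legacy algorithm so they can be updated with Set-AzVirtualNetworkGatewayConnection. The function name Get-AzsConnectionPolicyReport and the legacy list are assumptions; it assumes you are already connected with Connect-AzAccount and Select-AzSubscription as in Part 3.

```powershell
# Algorithms the Part 2 table still accepts but that a defender would want to
# phase out (assumed list: single/triple DES, MD5, SHA1, 768/1024-bit MODP groups).
$LegacyValues = 'DES','DES3','MD5','SHA1','DHGroup1','DHGroup2','PFS1','PFS2'
$PolicyFields = 'IkeEncryption','IkeIntegrity','DhGroup','IpsecEncryption','IpsecIntegrity','PfsGroup'

# Hypothetical helper: one report row per IPsec connection in the resource group.
function Get-AzsConnectionPolicyReport {
    param([string]$ResourceGroupName)
    $report = @()
    foreach ($conn in Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $ResourceGroupName) {
        # Only site-to-site (IPsec) connections carry the IPsec/IKE policy discussed here.
        if ($conn.ConnectionType -ne 'IPsec') { continue }
        $policy = $conn.IpsecPolicies | Select-Object -First 1
        if (-not $policy) {
            # Empty IpsecPolicies means the default proposal is negotiated, not "no IPsec".
            $report += [pscustomobject]@{ Connection = $conn.Name; Policy = 'default (negotiated)'; Legacy = @() }
            continue
        }
        $weak = @()
        foreach ($field in $PolicyFields) {
            $value = [string]$policy.$field
            if ($LegacyValues -contains $value) { $weak += "$field=$value" }
        }
        $summary = 'IKE {0}/{1}/{2}; IPsec {3}/{4}/PFS {5}; SA {6}s/{7}KB' -f $policy.IkeEncryption,
            $policy.IkeIntegrity, $policy.DhGroup, $policy.IpsecEncryption, $policy.IpsecIntegrity,
            $policy.PfsGroup, $policy.SALifeTimeSeconds, $policy.SADataSizeKilobytes
        $report += [pscustomobject]@{ Connection = $conn.Name; Policy = $summary; Legacy = $weak }
    }
    return $report
}

$RG1 = "TestPolicyRG1"
$report = Get-AzsConnectionPolicyReport -ResourceGroupName $RG1
$report | Format-Table -AutoSize
# Connections whose custom policy contains a legacy value are candidates for
# the "Add or update" procedure above (new policy, then Set-AzVirtualNetworkGatewayConnection).
$report | Where-Object { $_.Legacy.Count -gt 0 } | ForEach-Object {
    Write-Warning ('{0}: {1}' -f $_.Connection, ($_.Legacy -join ', '))
}
```

Run against the article's own TestPolicyRG1, the VNet1toSite6 connection is reported with IkeIntegrity=SHA1 flagged.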

Next steps