About Point-to-Site VPN

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet. This article applies to the Resource Manager deployment model.

What protocol does P2S use?

Point-to-site VPN can use one of the following protocols:

  • OpenVPN® Protocol, an SSL/TLS based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux and Mac devices (OSX versions 10.13 and above).

  • Secure Socket Tunneling Protocol (SSTP), a proprietary TLS-based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP (Windows 7 and later).

  • IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (OSX versions 10.11 and above).

Note

IKEv2 and OpenVPN for P2S are available for the Resource Manager deployment model only. They are not available for the classic deployment model.

How are P2S VPN clients authenticated?

Before Azure accepts a P2S VPN connection, the user has to be authenticated first. There are two mechanisms that Azure offers to authenticate a connecting user.

Authenticate using native Azure certificate authentication

When using the native Azure certificate authentication, a client certificate that is present on the device is used to authenticate the connecting user. Client certificates are generated from a trusted root certificate and then installed on each client computer. You can use a root certificate that was generated using an Enterprise solution, or you can generate a self-signed certificate.

The validation of the client certificate is performed by the VPN gateway and happens during establishment of the P2S VPN connection. The root certificate is required for the validation and must be uploaded to Azure.

Authenticate using native Azure Active Directory authentication

Azure AD authentication allows users to connect to Azure using their Azure Active Directory credentials. Native Azure AD authentication is only supported for the OpenVPN protocol and Windows 10, and requires the use of the Azure VPN Client.

With native Azure AD authentication, you can leverage Azure AD's conditional access as well as Multi-Factor Authentication (MFA) features for VPN.

At a high level, you need to perform the following steps to configure Azure AD authentication:

  1. Configure an Azure AD tenant

  2. Enable Azure AD authentication on the gateway

  3. Download and configure the Azure VPN Client

Authenticate using Active Directory (AD) Domain Server

AD Domain authentication allows users to connect to Azure using their organization domain credentials. It requires a RADIUS server that integrates with the AD server. Organizations can also leverage their existing RADIUS deployment. The RADIUS server could be deployed on-premises or in your Azure VNet. During authentication, the Azure VPN Gateway acts as a pass-through and forwards authentication messages back and forth between the RADIUS server and the connecting device. So gateway reachability to the RADIUS server is important. If the RADIUS server is present on-premises, then a VPN S2S connection from Azure to the on-premises site is required for reachability. The RADIUS server can also integrate with AD certificate services. This lets you use the RADIUS server and your enterprise certificate deployment for P2S certificate authentication as an alternative to the Azure certificate authentication. The advantage is that you don't need to upload root certificates and revoked certificates to Azure.

A RADIUS server can also integrate with other external identity systems. This opens up plenty of authentication options for P2S VPN, including multi-factor options.

[Diagram: Point-to-Site VPN with an on-premises site]

What are the client configuration requirements?

Note

For Windows clients, you must have administrator rights on the client device in order to initiate the VPN connection from the client device to Azure.

Users use the native VPN clients on Windows and Mac devices for P2S. Azure provides a VPN client configuration zip file that contains the settings required by these native clients to connect to Azure.

  • For Windows devices, the VPN client configuration consists of an installer package that users install on their devices.
  • For Mac devices, it consists of the mobileconfig file that users install on their devices.

The zip file also provides the values of some of the important settings on the Azure side that you can use to create your own profile for these devices. Some of the values include the VPN gateway address, configured tunnel types, routes, and the root certificate for gateway validation.

Note

Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. Only point-to-site connections are impacted; site-to-site connections will not be affected. If you're using TLS for point-to-site VPNs on Windows 10 clients, you don't need to take any action. If you are using TLS for point-to-site connections on Windows 7 and Windows 8 clients, see the VPN Gateway FAQ for update instructions.

Which gateway SKUs support P2S VPN?

| VPN Gateway Generation | SKU | S2S/VNet-to-VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP | Zone-redundant |
|---|---|---|---|---|---|---|---|
| Generation1 | Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps | Not Supported | No |
| Generation1 | VpnGw1 | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | No |
| Generation1 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | No |
| Generation1 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | No |
| Generation1 | VpnGw1AZ | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | Yes |
| Generation1 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | Yes |
| Generation1 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | Yes |
| Generation2 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1.25 Gbps | Supported | No |
| Generation2 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | No |
| Generation2 | VpnGw4 | Max. 30* | Max. 128 | Max. 5000 | 5 Gbps | Supported | No |
| Generation2 | VpnGw5 | Max. 30* | Max. 128 | Max. 10000 | 10 Gbps | Supported | No |
| Generation2 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1.25 Gbps | Supported | Yes |
| Generation2 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | Yes |
| Generation2 | VpnGw4AZ | Max. 30* | Max. 128 | Max. 5000 | 5 Gbps | Supported | Yes |
| Generation2 | VpnGw5AZ | Max. 30* | Max. 128 | Max. 10000 | 10 Gbps | Supported | Yes |

(*) Use Virtual WAN if you need more than 30 S2S VPN tunnels.

  • The resizing of VpnGw SKUs is allowed within the same generation, except resizing of the Basic SKU. The Basic SKU is a legacy SKU and has feature limitations. In order to move from Basic to another VpnGw SKU, you must delete the Basic SKU VPN gateway and create a new gateway with the desired Generation and SKU size combination.

  • These connection limits are separate. For example, you can have 128 SSTP connections and also 250 IKEv2 connections on a VpnGw1 SKU.

  • Pricing information can be found on the Pricing page.

  • SLA (Service Level Agreement) information can be found on the SLA page.

  • On a single tunnel a maximum of 1 Gbps throughput can be achieved. The Aggregate Throughput Benchmark in the above table is based on measurements of multiple tunnels aggregated through a single gateway. The Aggregate Throughput Benchmark for a VPN Gateway is S2S + P2S combined. If you have a lot of P2S connections, it can negatively impact an S2S connection due to throughput limitations. The Aggregate Throughput Benchmark is not a guaranteed throughput due to Internet traffic conditions and your application behaviors.

To help our customers understand the relative performance of SKUs using different algorithms, we used the publicly available iPerf and CTSTraffic tools to measure performance. The table below lists the results of performance tests for Generation 1 VpnGw SKUs. As you can see, the best performance is obtained when the GCMAES256 algorithm is used for both IPsec Encryption and Integrity. We got average performance when using AES256 for IPsec Encryption and SHA256 for Integrity. When we used DES3 for IPsec Encryption and SHA256 for Integrity we got the lowest performance.

| Generation | SKU | Algorithms used | Throughput observed | Packets per second observed |
|---|---|---|---|---|
| Generation1 | VpnGw1 | GCMAES256 | 650 Mbps | 58,000 |
| Generation1 | VpnGw1 | AES256 & SHA256 | 500 Mbps | 50,000 |
| Generation1 | VpnGw1 | DES3 & SHA256 | 120 Mbps | 50,000 |
| Generation1 | VpnGw2 | GCMAES256 | 1 Gbps | 90,000 |
| Generation1 | VpnGw2 | AES256 & SHA256 | 500 Mbps | 80,000 |
| Generation1 | VpnGw2 | DES3 & SHA256 | 120 Mbps | 55,000 |
| Generation1 | VpnGw3 | GCMAES256 | 1.25 Gbps | 105,000 |
| Generation1 | VpnGw3 | AES256 & SHA256 | 550 Mbps | 90,000 |
| Generation1 | VpnGw3 | DES3 & SHA256 | 120 Mbps | 60,000 |
| Generation1 | VpnGw1AZ | GCMAES256 | 650 Mbps | 58,000 |
| Generation1 | VpnGw1AZ | AES256 & SHA256 | 500 Mbps | 50,000 |
| Generation1 | VpnGw1AZ | DES3 & SHA256 | 120 Mbps | 50,000 |
| Generation1 | VpnGw2AZ | GCMAES256 | 1 Gbps | 90,000 |
| Generation1 | VpnGw2AZ | AES256 & SHA256 | 500 Mbps | 80,000 |
| Generation1 | VpnGw2AZ | DES3 & SHA256 | 120 Mbps | 55,000 |
| Generation1 | VpnGw3AZ | GCMAES256 | 1.25 Gbps | 105,000 |
| Generation1 | VpnGw3AZ | AES256 & SHA256 | 550 Mbps | 90,000 |
| Generation1 | VpnGw3AZ | DES3 & SHA256 | 120 Mbps | 60,000 |

Note

The Basic SKU does not support IKEv2 or RADIUS authentication.

What IKE/IPsec policies are configured on VPN gateways for P2S?

IKEv2

| Cipher | Integrity | PRF | DH Group |
|---|---|---|---|
| GCM_AES256 | GCM_AES256 | SHA384 | GROUP_24 |
| GCM_AES256 | GCM_AES256 | SHA384 | GROUP_14 |
| GCM_AES256 | GCM_AES256 | SHA384 | GROUP_ECP384 |
| GCM_AES256 | GCM_AES256 | SHA384 | GROUP_ECP256 |
| GCM_AES256 | GCM_AES256 | SHA256 | GROUP_24 |
| GCM_AES256 | GCM_AES256 | SHA256 | GROUP_14 |
| GCM_AES256 | GCM_AES256 | SHA256 | GROUP_ECP384 |
| GCM_AES256 | GCM_AES256 | SHA256 | GROUP_ECP256 |
| AES256 | SHA384 | SHA384 | GROUP_24 |
| AES256 | SHA384 | SHA384 | GROUP_14 |
| AES256 | SHA384 | SHA384 | GROUP_ECP384 |
| AES256 | SHA384 | SHA384 | GROUP_ECP256 |
| AES256 | SHA256 | SHA256 | GROUP_24 |
| AES256 | SHA256 | SHA256 | GROUP_14 |
| AES256 | SHA256 | SHA256 | GROUP_ECP384 |
| AES256 | SHA256 | SHA256 | GROUP_ECP256 |
| AES256 | SHA256 | SHA256 | GROUP_2 |

IPsec

| Cipher | Integrity | PFS Group |
|---|---|---|
| GCM_AES256 | GCM_AES256 | GROUP_NONE |
| GCM_AES256 | GCM_AES256 | GROUP_24 |
| GCM_AES256 | GCM_AES256 | GROUP_14 |
| GCM_AES256 | GCM_AES256 | GROUP_ECP384 |
| GCM_AES256 | GCM_AES256 | GROUP_ECP256 |
| AES256 | SHA256 | GROUP_NONE |
| AES256 | SHA256 | GROUP_24 |
| AES256 | SHA256 | GROUP_14 |
| AES256 | SHA256 | GROUP_ECP384 |
| AES256 | SHA256 | GROUP_ECP256 |
| AES256 | SHA1 | GROUP_NONE |

What TLS policies are configured on VPN gateways for P2S?

TLS

| Policies |
|---|
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 |

How do I configure a P2S connection?

A P2S configuration requires quite a few specific steps. The following articles contain the steps to walk you through P2S configuration, and links to configure the VPN client devices:

To remove the configuration of a P2S connection

For steps, see the FAQ, below.

FAQ for native Azure certificate authentication

How many VPN client endpoints can I have in my Point-to-Site configuration?

It depends on the gateway SKU. For more information on the number of connections supported, see Gateway SKUs.

What client operating systems can I use with Point-to-Site?

The following client operating systems are supported:

  • Windows 7 (32-bit and 64-bit)
  • Windows Server 2008 R2 (64-bit only)
  • Windows 8.1 (32-bit and 64-bit)
  • Windows Server 2012 (64-bit only)
  • Windows Server 2012 R2 (64-bit only)
  • Windows Server 2016 (64-bit only)
  • Windows Server 2019 (64-bit only)
  • Windows 10
  • Mac OS X version 10.11 or above
  • Linux (StrongSwan)
  • iOS

Note

Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. To maintain support, see the updates to enable support for TLS 1.2.

Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:

  • RC4 (Rivest Cipher 4)
  • DES (Data Encryption Algorithm)
  • 3DES (Triple Data Encryption Algorithm)
  • MD5 (Message Digest 5)

How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?

  1. Open a command prompt with elevated privileges by right-clicking on Command Prompt and selecting Run as administrator.

  2. Run the following commands in the command prompt:

    rem Enable TLS 1.2 for the RasMan EAP-TLS provider (EAP type 13)
    reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v TlsVersion /t REG_DWORD /d 0xfc0
    rem Set the WinHTTP default secure protocols; the second line covers the 32-bit registry view on 64-bit Windows
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
    if %PROCESSOR_ARCHITECTURE% EQU AMD64 reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0

  3. Install the following updates:

  4. Reboot the computer.

  5. Connect to the VPN.

Note

You will have to set the above registry key if you are running an older version of Windows 10 (10240).

Can I traverse proxies and firewalls using Point-to-Site capability?

Azure supports three types of Point-to-site VPN options:

  • Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-based solution that can penetrate firewalls since most firewalls open outbound TCP port 443, which SSL uses.

  • OpenVPN. OpenVPN is an SSL-based solution that can penetrate firewalls since most firewalls open outbound TCP port 443, which SSL uses.

  • IKEv2 VPN. IKEv2 VPN is a standards-based IPsec VPN solution that uses outbound UDP ports 500 and 4500 and IP protocol no. 50. Firewalls do not always open these ports, so there is a possibility of IKEv2 VPN not being able to traverse proxies and firewalls.

If I restart a client computer configured for Point-to-Site, will the VPN automatically reconnect?

By default, the client computer will not reestablish the VPN connection automatically.

Does Point-to-Site support auto-reconnect and DDNS on the VPN clients?

Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.

Can I have Site-to-Site and Point-to-Site configurations coexist for the same virtual network?

Yes. For the Resource Manager deployment model, you must have a RouteBased VPN type for your gateway. For the classic deployment model, you need a dynamic gateway. We do not support Point-to-Site for static routing VPN gateways or PolicyBased VPN gateways.

Can I configure a Point-to-Site client to connect to multiple virtual network gateways at the same time?

Depending on the VPN client software used, you may be able to connect to multiple virtual network gateways, provided the virtual networks being connected to do not have conflicting address spaces between them or with the network from which the client is connecting. While the Azure VPN Client supports many VPN connections, only one connection can be Connected at any given time.

Can I configure a Point-to-Site client to connect to multiple virtual networks at the same time?

Yes, Point-to-Site connections to a virtual network gateway deployed in a VNet that is peered with other VNets may have access to the other peered VNets. Provided the peered VNets are using the UseRemoteGateway / AllowGatewayTransit features, the Point-to-Site client will be able to connect to those peered VNets. For more information, please reference this article.

How much throughput can I expect through Site-to-Site or Point-to-Site connections?

It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols. Throughput is also limited by the latency and bandwidth between your premises and the Internet. For a VPN Gateway with only IKEv2 Point-to-Site VPN connections, the total throughput that you can expect depends on the Gateway SKU. For more information on throughput, see Gateway SKUs.

Can I use any software VPN client for Point-to-Site that supports SSTP and/or IKEv2?

No. You can only use the native VPN client on Windows for SSTP, and the native VPN client on Mac for IKEv2. However, you can use the OpenVPN client on all platforms to connect over the OpenVPN protocol. Refer to the list of supported client operating systems.

Does Azure support IKEv2 VPN with Windows?

IKEv2 is supported on Windows 10 and Server 2016. However, in order to use IKEv2, you must install updates and set a registry key value locally. OS versions prior to Windows 10 are not supported and can only use the SSTP or OpenVPN® Protocol.

To prepare Windows 10 or Server 2016 for IKEv2:

  1. Install the update.

    | OS version | Date | Number/Link |
    |---|---|---|
    | Windows Server 2016, Windows 10 Version 1607 | January 17, 2018 | KB4057142 |
    | Windows 10 Version 1703 | January 17, 2018 | KB4057144 |
    | Windows 10 Version 1709 | March 22, 2018 | KB4089848 |

  2. Set the registry key value. Create or set the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2\DisableCertReqPayload" REG_DWORD key in the registry to 1.

What happens when I configure both SSTP and IKEv2 for P2S VPN connections?

When you configure both SSTP and IKEv2 in a mixed environment (consisting of Windows and Mac devices), the Windows VPN client will always try the IKEv2 tunnel first, but will fall back to SSTP if the IKEv2 connection is not successful. MacOSX will only connect via IKEv2.

Other than Windows and Mac, which other platforms does Azure support for P2S VPN?

Azure supports Windows, Mac and Linux for P2S VPN.

I already have an Azure VPN Gateway deployed. Can I enable RADIUS and/or IKEv2 VPN on it?

Yes, you can enable these new features on already deployed gateways using PowerShell or the Azure portal, provided that the gateway SKU that you are using supports RADIUS and/or IKEv2. For example, the VPN gateway Basic SKU does not support RADIUS or IKEv2.

How do I remove the configuration of a P2S connection?

A P2S configuration can be removed using Azure CLI and PowerShell using the following commands:

Azure PowerShell

# Fetch the gateway, clear its P2S client configuration, and write it back
$gw=Get-AzVirtualNetworkGateway -name <gateway-name>
$gw.VPNClientConfiguration = $null
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw

Azure CLI

az network vnet-gateway update --name <gateway-name> --resource-group <resource-group name> --remove "vpnClientConfiguration"

What should I do if I'm getting a certificate mismatch when connecting using certificate authentication?

Uncheck "Verify the server's identity by validating the certificate" or add the server FQDN along with the certificate when creating a profile manually. You can do this by running rasphone from a command prompt and picking the profile from the drop-down list.

Bypassing server identity validation is not recommended in general, but with Azure certificate authentication, the same certificate is being used for server validation in the VPN tunneling protocol (IKEv2/SSTP) and the EAP protocol. Since the server certificate and FQDN are already validated by the VPN tunneling protocol, it is redundant to validate the same again in EAP.


Can I use my own internal PKI root CA to generate certificates for Point-to-Site connectivity?

Yes. Previously, only self-signed root certificates could be used. You can still upload 20 root certificates.

Can I use certificates from Azure Key Vault?

No.

What tools can I use to create certificates?

You can use your Enterprise PKI solution (your internal PKI), Azure PowerShell, MakeCert, and OpenSSL.

Are there instructions for certificate settings and parameters?

  • Internal PKI/Enterprise PKI solution: See the steps to Generate certificates.

  • Azure PowerShell: See the Azure PowerShell article for steps.

  • MakeCert: See the MakeCert article for steps.

  • OpenSSL:

    • When exporting certificates, be sure to convert the root certificate to Base64.

    • For the client certificate:

      • When creating the private key, specify the length as 4096.
      • When creating the certificate, for the -extensions parameter, specify usr_cert.
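The certificate flow described under native Azure certificate authentication and the OpenSSL notes just above, as an added worked example (not a script from the Azure documentation): it generates a root and a client certificate with the parameters listed (4096-bit keys, -extensions usr_cert, root exported as Base64) and then runs the chain check the gateway performs, accepting a client issued from the uploaded root and rejecting one issued from an unrelated root. The subject names, file names, the minimal openssl.cnf and the second "rogue" root are assumptions constructed for the example; openssl must be on the PATH.

```shell
#!/bin/sh
# Added example, not from the Azure documentation. Builds a root certificate and a
# client certificate with the OpenSSL parameters the FAQ calls for (4096-bit keys,
# the usr_cert extension section for the client, root public data exported as
# Base64 for upload), then performs the chain check the VPN gateway performs:
# a client certificate is accepted only if it chains to an uploaded root.
# Subject names, file names and the unrelated "rogue" root are constructed here.

set -eu

# Minimal OpenSSL config (constructed) so the run does not depend on the system's
# openssl.cnf. v3_ca marks a root as a CA; usr_cert is the client leaf profile.
write_openssl_cnf() {   # write_openssl_cnf <path>
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = P2SRootCert
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Self-signed root. The private key stays offline; only <name>.crt's public data
# is uploaded to the gateway. Bits are a parameter only to keep the demo fast.
make_root() {   # make_root <dir> <name> <common-name> <bits>
    openssl req -x509 -new -newkey "rsa:$4" -nodes -days 3650 \
        -config "$1/openssl.cnf" -extensions v3_ca -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Client certificate: 4096-bit key, CSR, then signed by the root with the
# usr_cert extensions (the -extensions value the FAQ specifies).
make_client() {   # make_client <dir> <root-name> <client-name>
    openssl genrsa -out "$1/$3.key" 4096 2>/dev/null
    openssl req -new -key "$1/$3.key" -config "$1/openssl.cnf" \
        -subj "/CN=$3" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 365 -extfile "$1/openssl.cnf" -extensions usr_cert \
        -out "$1/$3.crt" 2>/dev/null
}

# Root public certificate data as a single Base64 line: the PEM body without the
# BEGIN/END lines, which is the form the gateway's root certificate upload takes.
export_root_base64() {   # export_root_base64 <root.crt>
    sed -e '/-----BEGIN CERTIFICATE-----/d' -e '/-----END CERTIFICATE-----/d' "$1" | tr -d '\n'
}

# Builds root + client, plus an unrelated root and a client issued from it. The
# second root is never "uploaded", so its clients must be rejected.
make_p2s_certs() {   # make_p2s_certs <dir>
    mkdir -p "$1"
    write_openssl_cnf "$1/openssl.cnf"
    make_root "$1" root P2SRootCert 4096
    make_client "$1" root client
    make_root "$1" rogue RogueRoot 2048
    make_client "$1" rogue rogueclient
    export_root_base64 "$1/root.crt" > "$1/root.b64"
}

# Gateway-side decision: does the presented client certificate chain to the
# trusted (uploaded) root? Prints ok or fail.
check_chain() {   # check_chain <trusted-root.crt> <client.crt>
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Modulus size of an RSA private key, to confirm the 4096-bit requirement.
key_bits() {   # key_bits <key.pem>
    openssl pkey -in "$1" -noout -text | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Demo run: P2S_DEMO=1 sh p2s_certs.sh
if [ -n "${P2S_DEMO:-}" ]; then
    demo_dir=$(mktemp -d)
    make_p2s_certs "$demo_dir"
    echo "client issued from uploaded root: $(check_chain "$demo_dir/root.crt" "$demo_dir/client.crt")"
    echo "client issued from unknown root:  $(check_chain "$demo_dir/root.crt" "$demo_dir/rogueclient.crt")"
    echo "client key bits: $(key_bits "$demo_dir/client.key")"
    echo "root Base64 for upload (first 40 chars): $(cut -c1-40 "$demo_dir/root.b64")"
fi
```

The root.b64 content is what goes into the gateway's root certificate upload; root.key never leaves the machine that issues client certificates.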

FAQ for RADIUS authentication

The questions and answers for RADIUS authentication are the same as those listed in the FAQ for native Azure certificate authentication above.

在我的點對站台組態中可以有多少個 VPN 用戶端端點?How many VPN client endpoints can I have in my Point-to-Site configuration?

這取決於閘道 SKU。It depends on the gateway SKU. 如需支援連線數量的詳細資訊,請參閱閘道 SKUFor more information on the number of connections supported, see Gateway SKUs.

可以使用哪些用戶端作業系統來搭配點對站?What client operating systems can I use with Point-to-Site?

以下為支援的用戶端作業系統:The following client operating systems are supported:

  • Windows 7 (32 位元和 64 位元)Windows 7 (32-bit and 64-bit)
  • Windows Server 2008 R2 (僅限 64 位元)Windows Server 2008 R2 (64-bit only)
  • Windows 8.1 (32 位元和 64 位元)Windows 8.1 (32-bit and 64-bit)
  • Windows Server 2012 (僅限 64 位元)Windows Server 2012 (64-bit only)
  • Windows Server 2012 R2 (僅限 64 位元)Windows Server 2012 R2 (64-bit only)
  • Windows Server 2016 (僅限 64 位元)Windows Server 2016 (64-bit only)
  • Windows Server 2019 (僅限 64 位元)Windows Server 2019 (64-bit only)
  • Windows 10Windows 10
  • Mac OS X 10.11 版或更新版本Mac OS X version 10.11 or above
  • Linux (StrongSwan)Linux (StrongSwan)
  • iOSiOS

注意

從 2018 年 7 月 1 日起,對 TLS 1.0 和 1.1 的支援將會從 Azure VPN 閘道移除。Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN 閘道僅支援 TLS 1.2。VPN Gateway will support only TLS 1.2. 若要保有支援,請參閱用以啟用 TLS 1.2 支援的更新To maintain support, see the updates to enable support for TLS1.2.

此外,下列舊版演算法也會在 2018 年 7 月 1 日針對 TLS 取代:Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:

  • RC4 (Rivest Cipher 4)RC4 (Rivest Cipher 4)
  • DES (資料加密演算法)DES (Data Encryption Algorithm)
  • 3DES (三重資料加密演算法)3DES (Triple Data Encryption Algorithm)
  • MD5 (訊息摘要 5)MD5 (Message Digest 5)

How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?

  1. Open a command prompt with elevated privileges by right-clicking on Command Prompt and selecting Run as administrator.

  2. Run the following commands in the command prompt:

    reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v TlsVersion /t REG_DWORD /d 0xfc0
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
    if %PROCESSOR_ARCHITECTURE% EQU AMD64 reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0

  3. Install the following updates:

  4. Reboot the computer.

  5. Connect to the VPN.

Note

You will have to set the above registry keys if you are running an older version of Windows 10 (10240).

Can I traverse proxies and firewalls using Point-to-Site capability?

Azure supports three types of Point-to-Site VPN options:

  • Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-based solution that can penetrate firewalls, since most firewalls open outbound TCP port 443, which SSL uses.

  • OpenVPN. OpenVPN is an SSL-based solution that can penetrate firewalls, since most firewalls open outbound TCP port 443, which SSL uses.

  • IKEv2 VPN. IKEv2 VPN is a standards-based IPsec VPN solution that uses outbound UDP ports 500 and 4500 and IP protocol number 50. Firewalls do not always open these ports, so there is a possibility of IKEv2 VPN not being able to traverse proxies and firewalls.

If I restart a client computer configured for Point-to-Site, will the VPN automatically reconnect?

By default, the client computer will not reestablish the VPN connection automatically.

Does Point-to-Site support auto-reconnect and DDNS on the VPN clients?

Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.

Can I have Site-to-Site and Point-to-Site configurations coexist for the same virtual network?

Yes. For the Resource Manager deployment model, you must have a RouteBased VPN type for your gateway. For the classic deployment model, you need a dynamic gateway. We do not support Point-to-Site for static routing VPN gateways or PolicyBased VPN gateways.

Can I configure a Point-to-Site client to connect to multiple virtual network gateways at the same time?

Depending on the VPN client software used, you may be able to connect to multiple virtual network gateways, provided that the virtual networks being connected to do not have conflicting address spaces, either between them or with the network from which the client is connecting. While the Azure VPN Client supports many VPN connections, only one connection can be Connected at any given time.
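The following PowerShell is an added example (not part of the Azure documentation) that checks the address-space condition stated above: it takes the prefixes of each VNet a client would reach through a gateway plus the client's own local network and reports every overlapping pair. The prefixes are constructed sample values, and the sample deliberately contains one conflict.

```powershell
# Added example, not from the Azure docs: detect overlapping address spaces
# between the VNets a P2S client connects to and the client's own network.
$ALL_ONES = [int64][uint32]::MaxValue   # 0xFFFFFFFF as Int64, avoids Int32 sign issues

function ConvertTo-AddressInt {
    # IPv4 dotted quad -> Int64
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [int64][BitConverter]::ToUInt32($bytes, 0)
}

function Get-CidrBounds {
    # First and last address of a CIDR prefix, plus the prefix itself
    param([string]$Cidr)
    $ip, $len = $Cidr.Split('/')
    $mask  = ($ALL_ONES -shl (32 - [int]$len)) -band $ALL_ONES
    $first = (ConvertTo-AddressInt $ip) -band $mask
    $last  = $first -bor ((-bnot $mask) -band $ALL_ONES)
    return @{ Cidr = $Cidr; First = $first; Last = $last }
}

function Find-AddressOverlap {
    # $Spaces maps a name (VNet behind a gateway, or the client LAN) to its prefixes.
    # Returns one line per overlapping pair that belongs to different names.
    param([hashtable]$Spaces)
    $ranges = @(foreach ($name in $Spaces.Keys) {
        foreach ($cidr in $Spaces[$name]) {
            $r = Get-CidrBounds $cidr
            $r.Owner = $name
            $r
        }
    })
    $overlaps = @()
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            $a = $ranges[$i]; $b = $ranges[$j]
            # Two ranges overlap when each one starts before the other ends
            if ($a.Owner -ne $b.Owner -and $a.First -le $b.Last -and $b.First -le $a.Last) {
                $overlaps += ('{0} {1} overlaps {2} {3}' -f $a.Owner, $a.Cidr, $b.Owner, $b.Cidr)
            }
        }
    }
    return $overlaps
}

# Constructed sample: two VNets reached through two gateways and the client's
# local network; 172.20.5.0/24 sits inside 172.16.0.0/12, so one conflict is expected.
$sample = @{
    'vnet-behind-gateway-1' = @('10.1.0.0/16')
    'vnet-behind-gateway-2' = @('10.2.0.0/16', '172.16.0.0/12')
    'client-local-network'  = @('192.168.1.0/24', '172.20.5.0/24')
}
Find-AddressOverlap $sample
```

To run it against real VNets, replace the sample prefixes with `(Get-AzVirtualNetwork -Name <vnet> -ResourceGroupName <rg>).AddressSpace.AddressPrefixes` for each VNet.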

Can I configure a Point-to-Site client to connect to multiple virtual networks at the same time?

Yes, Point-to-Site connections to a virtual network gateway deployed in a VNet that is peered with other VNets may have access to the other peered VNets. Provided the peered VNets are using the UseRemoteGateway / AllowGatewayTransit features, the Point-to-Site client will be able to connect to those peered VNets. For more information, please reference this article.

How much throughput can I expect through Site-to-Site or Point-to-Site connections?

It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols. Throughput is also limited by the latency and bandwidth between your premises and the Internet. For a VPN gateway with only IKEv2 Point-to-Site VPN connections, the total throughput that you can expect depends on the gateway SKU. For more information on throughput, see Gateway SKUs.

Can I use any software VPN client for Point-to-Site that supports SSTP and/or IKEv2?

No. You can only use the native VPN client on Windows for SSTP, and the native VPN client on Mac for IKEv2. However, you can use the OpenVPN client on all platforms to connect over the OpenVPN protocol. Refer to the list of supported client operating systems.

Does Azure support IKEv2 VPN with Windows?

IKEv2 is supported on Windows 10 and Server 2016. However, in order to use IKEv2, you must install updates and set a registry key value locally. OS versions prior to Windows 10 are not supported and can only use SSTP or OpenVPN® Protocol.

To prepare Windows 10 or Server 2016 for IKEv2:

  1. Install the update.

    OS version                                      Date               Number/Link
    Windows Server 2016, Windows 10 Version 1607    January 17, 2018   KB4057142
    Windows 10 Version 1703                         January 17, 2018   KB4057144
    Windows 10 Version 1709                         March 22, 2018     KB4089848

  2. Set the registry key value. Create or set the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2\DisableCertReqPayload" REG_DWORD key in the registry to 1.
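The following PowerShell is an added example, not code from the Azure documentation. It applies the client-side registry settings from the two procedures on this page (TLS 1.2 for Windows 7/8.1 and the IKEv2 preparation for Windows 10/Server 2016), picks the right set by OS build, and reads each value back to confirm it was written. The mapping of Windows 10 versions to build numbers (1607 = 14393, 1703 = 15063, 1709 = 16299) is my assumption, not something the page states.

```powershell
# Added example, not from the Azure docs: apply and verify the registry settings
# that the TLS 1.2 (Windows 7/8.1) and IKEv2 (Windows 10/Server 2016) procedures
# require. Run from an elevated PowerShell session on the client being prepared.
function Set-DwordChecked {
    # Create the key if needed, write the DWORD, then read it back and fail loudly
    # if the stored value differs from what was requested.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    $actual = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ($actual -ne $Value) { throw "$Path\$Name is $actual, expected $Value" }
    '{0}\{1} = 0x{2:x}' -f $Path, $Name, $actual
}

$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber

if ($build -le 10240) {
    # Windows 7 / 8.1 (and Windows 10 build 10240, per the note above): enable TLS 1.2
    # for the EAP/SSTP stack and WinHTTP, using the values given in the procedure.
    Set-DwordChecked 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13' 'TlsVersion' 0xfc0
    $winhttp = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp')
    if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {
        $winhttp += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
    }
    foreach ($p in $winhttp) { Set-DwordChecked $p 'DefaultSecureProtocols' 0xaa0 }
} else {
    # Windows 10 / Server 2016: IKEv2 needs the update for this build and
    # DisableCertReqPayload = 1. KB numbers come from the table above; the
    # build-to-version mapping is an assumption (1607 = 14393, 1703 = 15063, 1709 = 16299).
    $requiredKb = @{ 14393 = 'KB4057142'; 15063 = 'KB4057144'; 16299 = 'KB4089848' }
    if ($requiredKb.ContainsKey($build)) {
        $kb = $requiredKb[$build]
        if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) {
            # A later cumulative update supersedes the KB and hides it from Get-HotFix,
            # so this is a warning to check, not a hard failure.
            Write-Warning "$kb not listed by Get-HotFix; confirm a newer cumulative update is installed"
        }
    }
    Set-DwordChecked 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2' 'DisableCertReqPayload' 1
}
```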

What happens when I configure both SSTP and IKEv2 for P2S VPN connections?

When you configure both SSTP and IKEv2 in a mixed environment (consisting of Windows and Mac devices), the Windows VPN client will always try the IKEv2 tunnel first, but will fall back to SSTP if the IKEv2 connection is not successful. MacOSX will only connect via IKEv2.

Other than Windows and Mac, which other platforms does Azure support for P2S VPN?

Azure supports Windows, Mac and Linux for P2S VPN.

I already have an Azure VPN Gateway deployed. Can I enable RADIUS and/or IKEv2 VPN on it?

Yes, you can enable these new features on already deployed gateways using PowerShell or the Azure portal, provided that the gateway SKU that you are using supports RADIUS and/or IKEv2. For example, the VPN gateway Basic SKU does not support RADIUS or IKEv2.

How do I remove the configuration of a P2S connection?

A P2S configuration can be removed using Azure CLI and PowerShell using the following commands:

Azure PowerShell

$gw=Get-AzVirtualNetworkGateway -name <gateway-name>
$gw.VPNClientConfiguration = $null
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw

Azure CLI

az network vnet-gateway update --name <gateway-name> --resource-group <resource-group name> --remove "vpnClientConfiguration"

Is RADIUS authentication supported on all Azure VPN Gateway SKUs?

RADIUS authentication is supported for VpnGw1, VpnGw2, and VpnGw3 SKUs. If you are using legacy SKUs, RADIUS authentication is supported on Standard and High Performance SKUs. It is not supported on the Basic Gateway SKU.

Is RADIUS authentication supported for the classic deployment model?

No. RADIUS authentication is not supported for the classic deployment model.

Are 3rd-party RADIUS servers supported?

Yes, 3rd-party RADIUS servers are supported.

What are the connectivity requirements to ensure that the Azure gateway is able to reach an on-premises RADIUS server?

A VPN Site-to-Site connection to the on-premises site, with the proper routes configured, is required.

Can traffic to an on-premises RADIUS server (from the Azure VPN gateway) be routed over an ExpressRoute connection?

No. It can only be routed over a Site-to-Site connection.

Is there a change in the number of SSTP connections supported with RADIUS authentication? What is the maximum number of SSTP and IKEv2 connections supported?

There is no change in the maximum number of SSTP connections supported on a gateway with RADIUS authentication. It remains 128 for SSTP, but depends on the gateway SKU for IKEv2. For more information on the number of connections supported, see Gateway SKUs.

What is the difference between doing certificate authentication using a RADIUS server and using Azure native certificate authentication (by uploading a trusted certificate to Azure)?

In RADIUS certificate authentication, the authentication request is forwarded to a RADIUS server that handles the actual certificate validation. This option is useful if you want to integrate with a certificate authentication infrastructure that you already have through RADIUS.

When using Azure for certificate authentication, the Azure VPN gateway performs the validation of the certificate. You need to upload your certificate public key to the gateway. You can also specify a list of revoked certificates that shouldn't be allowed to connect.
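As an added example (not from the Azure documentation), the following Az PowerShell registers a root CA's public certificate with the gateway for Azure-native certificate authentication and then revokes a single client certificate by thumbprint. The gateway, resource group and certificate file paths are placeholders; the check that the uploaded certificate is actually a CA certificate is my addition.

```powershell
# Added example, not from the Azure docs: upload a trusted root for Azure-native
# P2S certificate authentication and revoke one client certificate.
$gatewayName   = '<gateway-name>'          # placeholder
$resourceGroup = '<resource-group-name>'   # placeholder

function Get-PublicCertData {
    # PublicCertData expects the Base64 DER body of the certificate (a .cer export
    # without the BEGIN/END lines). Refuse non-CA certificates: only a CA should be
    # trusted as a P2S root, since every certificate it issues will be accepted.
    param([string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $basicConstraints = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if (-not $basicConstraints -or -not $basicConstraints.CertificateAuthority) {
        throw "$CerPath is not a CA certificate; do not register it as a P2S root"
    }
    return [Convert]::ToBase64String($cert.RawData)
}

# 1. Trust the root CA (placeholder path to its exported public certificate).
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName 'P2SRootCert' `
    -VirtualNetworkGatewayName $gatewayName -ResourceGroupName $resourceGroup `
    -PublicCertData (Get-PublicCertData 'C:\certs\P2SRootCert.cer')

# 2. Revoke one client certificate, e.g. for a lost laptop (placeholder path).
#    The gateway matches revoked entries on the SHA-1 thumbprint.
$clientCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\certs\lost-laptop.cer')
Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName 'lost-laptop' `
    -VirtualNetworkGatewayName $gatewayName -ResourceGroupName $resourceGroup `
    -Thumbprint $clientCert.Thumbprint

# 3. Read back what the gateway now trusts and rejects.
$gw = Get-AzVirtualNetworkGateway -Name $gatewayName -ResourceGroupName $resourceGroup
$gw.VpnClientConfiguration.VpnClientRootCertificates    | Select-Object Name
$gw.VpnClientConfiguration.VpnClientRevokedCertificates | Select-Object Name, Thumbprint
```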

Does RADIUS authentication work with both IKEv2 and SSTP VPN?

Yes, RADIUS authentication is supported for both IKEv2 and SSTP VPN.

Does RADIUS authentication work with the OpenVPN client?

RADIUS authentication is supported for the OpenVPN protocol only through PowerShell.

Next Steps

"OpenVPN" is a trademark of OpenVPN Inc.