Configure a Point-to-Site connection to a VNet using native Azure certificate authentication: Azure portal

This article helps you securely connect individual clients running Windows, Linux, or Mac OS X to an Azure VNet. Point-to-Site VPN connections are useful when you want to connect to your VNet from a remote location, such as when you are telecommuting from home or a conference. You can also use P2S instead of a Site-to-Site VPN when you have only a few clients that need to connect to a VNet. Point-to-Site connections do not require a VPN device or a public-facing IP address. P2S creates the VPN connection over either SSTP (Secure Socket Tunneling Protocol) or IKEv2. For more information about Point-to-Site VPN, see About Point-to-Site VPN.

Connect a computer to an Azure VNet - Point-to-Site connection diagram

Architecture

Point-to-Site native Azure certificate authentication connections use the following items, which you configure in this exercise:

  • A RouteBased VPN gateway.
  • The public key (.cer file) for a root certificate, which is uploaded to Azure. Once the certificate is uploaded, it is considered a trusted certificate and is used for authentication.
  • A client certificate that is generated from the root certificate. The client certificate is installed on each client computer that will connect to the VNet. This certificate is used for client authentication.
  • A VPN client configuration. The VPN client configuration files contain the necessary information for the client to connect to the VNet. The files configure the existing VPN client that is native to the operating system. Each client that connects must be configured using the settings in the configuration files.

Example values

You can use the following values to create a test environment, or refer to these values to better understand the examples in this article:

  • VNet Name: VNet1
  • Address space: 192.168.0.0/16
    For this example, we use only one address space. You can have more than one address space for your VNet.
  • Subnet name: FrontEnd
  • Subnet address range: 192.168.1.0/24
  • Subscription: If you have more than one subscription, verify that you are using the correct one.
  • Resource Group: TestRG
  • Location: East US
  • GatewaySubnet: 192.168.200.0/24
  • DNS Server: (optional) IP address of the DNS server that you want to use for name resolution.
  • Virtual network gateway name: VNet1GW
  • Gateway type: VPN
  • VPN type: Route-based
  • Public IP address name: VNet1GWpip
  • Connection type: Point-to-site
  • Client address pool: 172.16.201.0/24
    VPN clients that connect to the VNet using this Point-to-Site connection receive an IP address from the client address pool.

1. Create a virtual network

Before beginning, verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a free account.

To create a VNet in the Resource Manager deployment model by using the Azure portal, follow the steps below. The screenshots are provided as examples. Be sure to replace the values with your own. For more information about working with virtual networks, see the Virtual Network Overview.

Note

If you want this VNet to connect to an on-premises location (in addition to creating a P2S configuration), you need to coordinate with your on-premises network administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address range exists on both sides of the VPN connection, traffic does not route the way you may expect it to. Additionally, if you want to connect this VNet to another VNet, the address space cannot overlap with the other VNet. Take care to plan your network configuration accordingly.

  1. From a browser, navigate to the Azure portal and, if necessary, sign in with your Azure account.

  2. Click +. In the Search the marketplace field, type "Virtual Network". Locate Virtual Network in the returned list and click it to open the Virtual Network page.

    Locate Virtual Network resource page

  3. Near the bottom of the Virtual Network page, from the Select a deployment model list, select Resource Manager, and then click Create.

    Select Resource Manager

  4. On the Create virtual network page, configure the VNet settings. When you fill in the fields, the red exclamation mark becomes a green check mark when the characters entered in the field are valid. There may be values that are auto-filled. If so, replace the values with your own. The Create virtual network page looks similar to the following example:

    Field validation

  5. Name: Enter the name for your Virtual Network.

  6. Address space: Enter the address space. If you have multiple address spaces to add, add your first address space. You can add additional address spaces later, after creating the VNet.

  7. Subscription: Verify that the Subscription listed is the correct one. You can change subscriptions by using the drop-down.

  8. Resource group: Select an existing resource group, or create a new one by typing a name for your new resource group. If you are creating a new group, name the resource group according to your planned configuration values. For more information about resource groups, visit Azure Resource Manager Overview.

  9. Location: Select the location for your VNet. The location determines where the resources that you deploy to this VNet will reside.

  10. Subnet: Add the subnet name and subnet address range. You can add additional subnets later, after creating the VNet.

  11. Select Pin to dashboard if you want to be able to find your VNet easily on the dashboard, and then click Create.

    Pin to dashboard

  12. After clicking Create, you will see a tile on your dashboard that reflects the progress of your VNet. The tile changes as the VNet is being created.

    Creating virtual network tile

2. Add a gateway subnet

Before connecting your virtual network to a gateway, you first need to create the gateway subnet for the virtual network to which you want to connect. The gateway services use the IP addresses specified in the gateway subnet. If possible, create a gateway subnet using a CIDR block of /28 or /27 to provide enough IP addresses to accommodate additional future configuration requirements.

  1. In the portal, navigate to the Resource Manager virtual network for which you want to create a virtual network gateway.

  2. In the Settings section of your VNet page, click Subnets to expand the Subnets page.

  3. On the Subnets page, click +Gateway subnet to open the Add subnet page.

    Add the gateway subnet

  4. The Name for your subnet is automatically filled in with the value 'GatewaySubnet'. This value is required in order for Azure to recognize the subnet as the gateway subnet. Adjust the auto-filled Address range values to match your configuration requirements. Don't configure Route table or Service endpoints.

    Adding the subnet

  5. Click OK at the bottom of the page to create the subnet.

3. Specify a DNS server (optional)

After you create your virtual network, you can add the IP address of a DNS server to handle name resolution. The DNS server is optional for this configuration, but required if you want name resolution. Specifying a value does not create a new DNS server. The DNS server IP address that you specify should be a DNS server that can resolve the names for the resources you are connecting to. For this example, we used a private IP address, but it is likely that this is not the IP address of your DNS server. Be sure to use your own values. The value you specify is used by the resources that you deploy to the VNet, not by the P2S connection or the VPN client.

  1. On the Settings page for your virtual network, navigate to DNS servers and click to open the DNS servers page.

    Specify a DNS server

    • DNS Servers: Select Custom.
    • Add DNS server: Enter the IP address of the DNS server that you want to use for name resolution.
  2. When you are done adding DNS servers, click Save at the top of the page.

4. Create a virtual network gateway

  1. In the portal, on the left side, click + Create a resource and type 'Virtual Network Gateway' in search. Locate Virtual network gateway in the search results and click the entry. On the Virtual network gateway page, click Create. This opens the Create virtual network gateway page.

    Create virtual network gateway page fields

  2. On the Create virtual network gateway page, fill in the values for your virtual network gateway.

    Project details

    • Subscription: Select the subscription you want to use from the dropdown.
    • Resource Group: This setting is autofilled when you select your virtual network on this page.

    Instance details

    • Name: Name your gateway. Naming your gateway is not the same as naming a gateway subnet. It's the name of the gateway object you are creating.

    • Region: Select the region in which you want to create this resource. The region for the gateway must be the same as the virtual network.

    • Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.

    • VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.

    • SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN type you select. For more information about gateway SKUs, see Gateway SKUs.

    • Virtual network: Choose the virtual network to which you want to add this gateway.

    • Gateway subnet address range: This field only appears if the virtual network you selected does not have a gateway subnet. Fill in the range if you don't already have a gateway subnet. If possible, make the range /27 or larger (/26, /25, etc.).

    Public IP address: This setting specifies the public IP address object that gets associated with the VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created. VPN Gateway currently only supports Dynamic public IP address allocation. However, this does not mean that the IP address changes after it has been assigned to your VPN gateway. The only time the public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

    • Public IP address: Leave Create new selected.
    • Public IP address name: In the text box, type a name for your public IP address instance.
    • Assignment: VPN gateway supports only Dynamic.

    Active-Active mode: Only select Enable active-active mode if you are creating an active-active gateway configuration. Otherwise, leave this setting unselected.

    Leave Configure BGP ASN deselected, unless your configuration specifically requires this setting. If you do require this setting, the default ASN is 65515, although this can be changed.

  3. Click Review + Create to run validation. Once validation passes, click Create to deploy the VPN gateway. A gateway can take up to 45 minutes to fully create and deploy. You can see the deployment status on the Overview page for your gateway.

After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.

Note

The Basic gateway SKU does not support IKEv2 or RADIUS authentication. If you plan on having Mac clients connect to your virtual network, do not use the Basic SKU.

5. Generate certificates

Certificates are used by Azure to authenticate clients connecting to a VNet over a Point-to-Site VPN connection. Once you obtain a root certificate, you upload the public key information to Azure. The root certificate is then considered 'trusted' by Azure for connection over P2S to the virtual network. You also generate client certificates from the trusted root certificate, and then install them on each client computer. The client certificate is used to authenticate the client when it initiates a connection to the VNet.

1. Obtain the .cer file for the root certificate

Use either a root certificate that was generated with an enterprise solution (recommended), or generate a self-signed certificate. After you create the root certificate, export the public certificate data (not the private key) as a Base64 encoded X.509 .cer file. Then, upload the public certificate data to the Azure server.

  • Enterprise certificate: If you're using an enterprise solution, you can use your existing certificate chain. Acquire the .cer file for the root certificate that you want to use.

  • Self-signed root certificate: If you aren't using an enterprise certificate solution, create a self-signed root certificate by following one of the articles below. Otherwise, the certificates you create won't be compatible with your P2S connections and clients will receive a connection error when they try to connect. You can use Azure PowerShell, MakeCert, or OpenSSL. The steps in the following articles describe how to generate a compatible self-signed root certificate:

    • Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to generate certificates. Client certificates that are generated from the root certificate can be installed on any supported P2S client.
    • MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer to generate certificates. Although MakeCert is deprecated, you can still use it to generate certificates. Client certificates that you generate from the root certificate can be installed on any supported P2S client.
    • Linux instructions

2. Generate a client certificate

Each client computer that you connect to a VNet with a Point-to-Site connection must have a client certificate installed. You generate it from the root certificate and install it on each client computer. If you don't install a valid client certificate, authentication will fail when the client tries to connect to the VNet.

You can either generate a unique certificate for each client, or you can use the same certificate for multiple clients. The advantage of generating unique client certificates is the ability to revoke a single certificate. Otherwise, if multiple clients use the same client certificate to authenticate and you revoke it, you'll need to generate and install new certificates for every client that uses that certificate.

You can generate client certificates by using the following methods:

  • Enterprise certificate:

    • If you're using an enterprise certificate solution, generate a client certificate with the common name value in the format name@yourdomain.com. Use this format instead of the domain name\username format.
    • Make sure the client certificate is based on a user certificate template that has Client Authentication listed as the first item in the user list. Check the certificate by double-clicking it and viewing Enhanced Key Usage in the Details tab.
  • Self-signed root certificate: Follow the steps in one of the following P2S certificate articles so that the client certificates you create will be compatible with your P2S connections. The steps in these articles generate a compatible client certificate:

    • Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to generate certificates. The generated certificates can be installed on any supported P2S client.
    • MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer for generating certificates. Although MakeCert is deprecated, you can still use it to generate certificates. You can install the generated certificates on any supported P2S client.
    • Linux instructions

    When you generate a client certificate from a self-signed root certificate, it's automatically installed on the computer that you used to generate it. If you want to install a client certificate on another client computer, export it as a .pfx file, along with the entire certificate chain. Doing so will create a .pfx file that contains the root certificate information required for the client to authenticate.

To export the certificate

For steps to export a certificate, see Generate and export certificates for Point-to-Site using PowerShell.

6. Add the client address pool

The client address pool is a range of private IP addresses that you specify. The clients that connect over a Point-to-Site VPN dynamically receive an IP address from this range. Use a private IP address range that does not overlap with the on-premises location that you connect from, or with the VNet that you want to connect to.

  1. Once the virtual network gateway has been created, navigate to the Settings section of the virtual network gateway page. In the Settings section, click Point-to-site configuration.

    Point-to-site page

  2. Click Configure now to open the configuration page.

    Configure now

  3. On the Point-to-site configuration page, in the Address pool box, add the private IP address range that you want to use. VPN clients dynamically receive an IP address from the range that you specify. The minimum subnet mask is 29 bits for an active/passive configuration and 28 bits for an active/active configuration. Click Save to validate and save the setting.

    Client address pool

    Note

    If you don't see Tunnel type or Authentication type on this page in the portal, your gateway is using the Basic SKU. The Basic SKU does not support IKEv2 or RADIUS authentication.

7. Configure tunnel type

You can select the tunnel type. The tunnel options are OpenVPN, SSTP and IKEv2. The strongSwan client on Android and Linux and the native IKEv2 VPN client on iOS and OSX use only the IKEv2 tunnel to connect. Windows clients try IKEv2 first and, if that doesn't connect, they fall back to SSTP. You can use the OpenVPN client to connect to the OpenVPN tunnel type.

Tunnel type

8. Configure authentication type

Select Azure certificate.

Authentication type

9. Upload the root certificate public certificate data

You can upload additional trusted root certificates up to a total of 20. Once the public certificate data is uploaded, Azure can use it to authenticate clients that have installed a client certificate generated from the trusted root certificate. Upload the public key information for the root certificate to Azure.

  1. Certificates are added on the Point-to-site configuration page in the Root certificate section.

  2. Make sure that you exported the root certificate as a Base-64 encoded X.509 (.cer) file. You need to export the certificate in this format so you can open the certificate with a text editor.

  3. Open the certificate with a text editor, such as Notepad. When copying the certificate data, make sure that you copy the text as one continuous line without carriage returns or line feeds. You may need to modify your view in the text editor to 'Show Symbol/Show all characters' to see the carriage returns and line feeds. Copy only the following section as one continuous line:

    Certificate data

  4. Paste the certificate data into the Public Certificate Data field. Name the certificate, and then click Save. You can add up to 20 trusted root certificates.

    Certificate upload

  5. Click Save at the top of the page to save all of the configuration settings.

    Save
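The certificate work from section 5 (self-signed root, client certificate with Client Authentication as the first Enhanced Key Usage, .pfx export with the full chain) and the single-line public certificate data that step 3 above asks for, as one added PowerShell example. This is not code from the original article; it assumes a Windows 10 or later machine with the built-in PKI cmdlets, and the subject names and output folder are placeholders.

```powershell
# Added example (not from the original article). Assumes Windows 10+ PKI cmdlets.
# Subject names and the output folder are placeholders; replace them with your own.
$rootName   = 'P2SRootCert'
$clientName = 'P2SClientCert'
$outDir     = "$env:USERPROFILE\Desktop"

# Root: a signing-only certificate (CertSign key usage) kept in the current user's
# personal store. Its private key never leaves this machine.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$rootName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# Client: signed by the root. 2.5.29.37 is the Extended Key Usage extension and
# 1.3.6.1.5.5.7.3.2 is Client Authentication, which must be the first EKU entry.
$client = New-SelfSignedCertificate -Type Custom -DnsName $clientName -KeySpec Signature `
    -Subject "CN=$clientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# Public data only (RawData is the DER certificate, no private key) as ONE continuous
# Base64 line with no CR/LF: exactly what the Public Certificate Data field accepts.
$rootPublicData = [Convert]::ToBase64String($root.RawData)
Set-Content -Path "$outDir\$rootName.txt" -Value $rootPublicData -NoNewline

# The same data as a Base64 encoded X.509 .cer file (PEM layout, 64-char lines).
$lines = ($rootPublicData -split '(.{64})') | Where-Object { $_ }
$pem = "-----BEGIN CERTIFICATE-----`r`n" + ($lines -join "`r`n") + "`r`n-----END CERTIFICATE-----"
Set-Content -Path "$outDir\$rootName.cer" -Value $pem

# Client certificate with its private key AND the whole chain (BuildChain), so that
# a second client machine also receives the root when it imports the .pfx.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the .pfx export'
Export-PfxCertificate -Cert $client -FilePath "$outDir\$clientName.pfx" `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Sanity checks before uploading: single line, and it decodes back to the same root.
if ($rootPublicData -match '[\r\n]') { throw 'Public certificate data must be one line' }
$roundTrip = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($rootPublicData))
if ($roundTrip.Thumbprint -ne $root.Thumbprint) { throw 'Public data does not match the root' }
"Root thumbprint  : $($root.Thumbprint)"
"Client thumbprint: $($client.Thumbprint)"
```

The contents of the .txt file can be pasted directly into the Public Certificate Data field; the .cer file is the Base-64 encoded X.509 form that step 2 above describes.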

10. Install an exported client certificate

If you want to create a P2S connection from a client computer other than the one you used to generate the client certificates, you need to install a client certificate. When installing a client certificate, you need the password that was created when the client certificate was exported.

Make sure the client certificate was exported as a .pfx along with the entire certificate chain (which is the default). Otherwise, the root certificate information isn't present on the client computer and the client won't be able to authenticate properly.

For install steps, see Install a client certificate.

11. Generate and install the VPN client configuration package

The VPN client configuration files contain settings to configure devices to connect to a VNet over a P2S connection. For instructions to generate and install VPN client configuration files, see Create and install VPN client configuration files for native Azure certificate authentication P2S configurations.

12. Connect to Azure

To connect from a Windows VPN client

Note

You must have Administrator rights on the Windows client computer from which you are connecting.

  1. To connect to your VNet, on the client computer, navigate to VPN connections and locate the VPN connection that you created. It has the same name as your virtual network. Click Connect. A pop-up message may appear that refers to using the certificate. Click Continue to use elevated privileges.

  2. On the Connection status page, click Connect to start the connection. If you see a Select Certificate screen, verify that the client certificate shown is the one that you want to use to connect. If it is not, use the drop-down arrow to select the correct certificate, and then click OK.

    VPN client connects to Azure

  3. Your connection is established.

    Connection established

Troubleshoot Windows P2S connections

If you have trouble connecting, check the following items:

  • If you exported a client certificate with the Certificate Export Wizard, make sure that you exported it as a .pfx file and selected Include all certificates in the certification path if possible. When you export it with this value, the root certificate information is also exported. After you install the certificate on the client computer, the root certificate in the .pfx file is also installed. To verify that the root certificate is installed, open Manage user certificates and select Trusted Root Certification Authorities\Certificates. Verify that the root certificate is listed, which must be present for authentication to work.

  • If you used a certificate that was issued by an Enterprise CA solution and you can't authenticate, verify the authentication order on the client certificate. Check the authentication list order by double-clicking the client certificate, selecting the Details tab, and then selecting Enhanced Key Usage. Make sure Client Authentication is the first item in the list. If it isn't, issue a client certificate based on the user template that has Client Authentication as the first item in the list.

  • For additional P2S troubleshooting information, see Troubleshoot P2S connections.
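The two certificate checks above (root present under Trusted Root Certification Authorities, Client Authentication first in Enhanced Key Usage) scripted on the client machine, as an added example that is not part of the original article. It assumes the client certificate sits in the current user's personal store; $clientSubject is a placeholder for your certificate's subject.

```powershell
# Added example (not from the original article). $clientSubject is a placeholder.
$clientSubject = 'CN=P2SClientCert'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

# Pick the newest client certificate that still has its private key; a cert
# imported from a .pfx without the key cannot authenticate.
$client = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $clientSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $client) { throw "No client certificate with a private key for $clientSubject" }

# Check 1: Client Authentication must be the FIRST Enhanced Key Usage entry.
# 2.5.29.37 is the EKU extension OID; decode it to get the ordered OID list.
$ekuExt = $client.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = @()
if ($ekuExt) {
    $decoded = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ekuExt, $false)
    $ekuOids = @($decoded.EnhancedKeyUsages | ForEach-Object { $_.Value })
}
if ($ekuOids.Count -eq 0 -or $ekuOids[0] -ne $clientAuthOid) {
    Write-Warning "EKU order is [$($ekuOids -join ', ')]; Client Authentication must be first"
} else {
    'EKU order OK: Client Authentication is first'
}

# Check 2: the chain must build and end at a root that is installed as trusted.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-signed roots publish no CRL
$built = $chain.Build($client)
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$trusted = Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $top.Thumbprint }
if ($built -and $trusted) {
    "Chain OK: root '$($top.Subject)' is in Trusted Root Certification Authorities"
} else {
    Write-Warning "Root '$($top.Subject)' is not trusted on this machine; re-export the client certificate as a .pfx with the full chain and import it again"
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
}
```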

To connect from a Mac VPN client

From the Network dialog box, locate the client profile that you want to use, specify the settings from the VpnSettings.xml, and then click Connect.

Check Install - Mac (OS X) for detailed instructions. If you are having trouble connecting, verify that the virtual network gateway is not using a Basic SKU. The Basic SKU is not supported for Mac clients.

Mac connection

To verify your connection

These instructions apply to Windows clients.

  1. To verify that your VPN connection is active, open an elevated command prompt, and run ipconfig /all.

  2. View the results. Notice that the IP address you received is one of the addresses within the Point-to-Site VPN Client Address Pool that you specified in your configuration. The results are similar to this example:

    PPP adapter VNet1:
       Connection-specific DNS Suffix .:
       Description.....................: VNet1
       Physical Address................:
       DHCP Enabled....................: No
       Autoconfiguration Enabled.......: Yes
       IPv4 Address....................: 172.16.201.3(Preferred)
       Subnet Mask.....................: 255.255.255.255
       Default Gateway.................:
       NetBIOS over Tcpip..............: Enabled
    

To connect to a virtual machine

These instructions apply to Windows clients.

You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to your VM. The best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather than the computer name. That way, you are testing whether you can connect, not whether name resolution is configured properly.

  1. Locate the private IP address. You can find the private IP address of a VM by either looking at the properties for the VM in the Azure portal, or by using PowerShell.

    • Azure portal - Locate your virtual machine in the Azure portal. View the properties for the VM. The private IP address is listed.

    • PowerShell - Use the example to view a list of VMs and private IP addresses from your resource groups. You don't need to modify this example before using it.

      $VMs = Get-AzVM
      $Nics = Get-AzNetworkInterface | Where VirtualMachine -ne $null
      
      foreach($Nic in $Nics)
      {
      $VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
      $Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
      $Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
      Write-Output "$($VM.Name): $Prv,$Alloc"
      }
      
  2. 確認您已使用點對站 VPN 連線來連線至 VNet。Verify that you are connected to your VNet using the Point-to-Site VPN connection.

  3. 在工作列上的搜尋方塊中輸入「RDP」或「遠端桌面連線」以開啟遠端桌面連線,然後選取 [遠端桌面連線] 。Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on the taskbar, then select Remote Desktop Connection. 您也可以使用 PowerShell 中的 'mstsc' 命令開啟遠端桌面連線。You can also open Remote Desktop Connection using the 'mstsc' command in PowerShell.

  4. 在 [遠端桌面連線] 中,輸入 VM 的私人 IP 位址。In Remote Desktop Connection, enter the private IP address of the VM. 您可以按一下 [顯示選項] 來調整其他設定,然後進行連線。You can click "Show Options" to adjust additional settings, then connect.

To troubleshoot an RDP connection to a VM

If you are having trouble connecting to a virtual machine over your VPN connection, check the following:

  • Verify that your VPN connection is successful.
  • Verify that you are connecting to the private IP address of the VM.
  • Use 'ipconfig' to check the IPv4 address assigned to the Ethernet adapter on the computer from which you are connecting. If that address falls within the address range of the VNet you are connecting to, or within the range of your VPNClientAddressPool, this is referred to as an overlapping address space. When address spaces overlap this way, traffic destined for the VNet never reaches Azure; it stays on the local network.
  • If you can connect to the VM using its private IP address but not its computer name, verify that you have configured DNS properly. For more information about how name resolution works for VMs, see Name Resolution for VMs.
  • Verify that the VPN client configuration package was generated after the DNS server IP addresses were specified for the VNet. If you updated the DNS server IP addresses, generate and install a new VPN client configuration package.
  • For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.
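The checks described in the two sections above (the client address must come from the P2S pool, no local adapter address may overlap the VNet or the pool, and the VM should be reached by private IP rather than by name) can be run as one script. The following is an added example, not part of the original article: Get-VpnConnection, Get-NetIPAddress and Test-NetConnection are standard Windows cmdlets, while the pool, VNet range and VM address values are placeholders you replace with your own configuration.

```powershell
# Added example, not from the original article. The three values below are
# placeholders and must match your own P2S configuration.
$ClientPool  = '172.16.201.0/24'   # placeholder: VPN client address pool (consistent with the sample ipconfig output)
$VNetRanges  = @('10.1.0.0/16')    # placeholder: VNet address space(s)
$VmPrivateIp = '10.1.0.4'          # placeholder: private IP of the VM you want to reach over RDP

function ConvertTo-IPv4Int64 {
    # Dotted quad -> integer, so a prefix mask can be applied with -band.
    param([Parameter(Mandatory)][string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Test-IPv4InCidr {
    # True when $Address falls inside $Cidr (e.g. 172.16.201.3 in 172.16.201.0/24).
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)][string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))   # /24 -> 0xFFFFFF00
    return ((ConvertTo-IPv4Int64 $Address) -band $mask) -eq ((ConvertTo-IPv4Int64 $net) -band $mask)
}

function Get-P2SConnectionReport {
    $report = [ordered]@{}

    # 1. Tunnel state and the address the gateway handed out on the PPP interface.
    #    The interface alias equals the VPN connection name (e.g. "VNet1").
    $conn = Get-VpnConnection -ErrorAction SilentlyContinue |
        Where-Object ConnectionStatus -eq 'Connected' | Select-Object -First 1
    if (-not $conn) {
        $report.Tunnel = 'no VPN connection in Connected state'
        return [pscustomobject]$report
    }
    $pppIp = (Get-NetIPAddress -InterfaceAlias $conn.Name -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Select-Object -First 1).IPAddress
    $report.Tunnel         = "$($conn.Name) via $($conn.TunnelType), client address $pppIp"
    $report.ClientIpInPool = [bool]($pppIp -and (Test-IPv4InCidr $pppIp $ClientPool))

    # 2. Overlap check: an address on any other adapter that sits inside the VNet
    #    space or the client pool keeps that traffic on the local network.
    $others = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -ne $conn.Name -and $_.InterfaceAlias -notlike 'Loopback*' }
    $overlaps = foreach ($a in $others) {
        foreach ($range in @($VNetRanges) + @($ClientPool)) {
            if (Test-IPv4InCidr $a.IPAddress $range) { "$($a.InterfaceAlias) $($a.IPAddress) overlaps $range" }
        }
    }
    $report.Overlaps = if ($overlaps) { $overlaps -join '; ' } else { 'none' }

    # 3. RDP reachability by private IP, so name resolution cannot mask a routing problem.
    $rdp = Test-NetConnection -ComputerName $VmPrivateIp -Port 3389 -WarningAction SilentlyContinue
    $report.RdpPortOpen = $rdp.TcpTestSucceeded

    return [pscustomobject]$report
}

Get-P2SConnectionReport | Format-List
```

If ClientIpInPool is False the tunnel is up but the gateway's pool differs from what you expected; if Overlaps lists an adapter, fix the local subnet or the pool rather than the VM; if only RdpPortOpen is False, the problem is on the VM side (NSG, Windows Firewall, or the RDP service).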

To add or remove trusted root certificates

You can add and remove trusted root certificates from Azure. When you remove a root certificate, clients that hold a certificate generated from that root can no longer authenticate and therefore cannot connect. If you want such a client to authenticate and connect again, you need to install a new client certificate generated from a root certificate that is trusted by (uploaded to) Azure.

To add a trusted root certificate

You can add up to 20 trusted root certificate .cer files to Azure. For instructions, see the section Upload a trusted root certificate in this article.

To remove a trusted root certificate

  1. To remove a trusted root certificate, navigate to the Point-to-site configuration page for your virtual network gateway.
  2. In the Root certificate section of the page, locate the certificate that you want to remove.
  3. Click the ellipsis next to the certificate, and then click 'Remove'.

To revoke a client certificate

You can revoke client certificates. The certificate revocation list lets you selectively deny Point-to-Site connectivity based on individual client certificates. This is different from removing a trusted root certificate. If you remove a trusted root certificate .cer from Azure, access is revoked for every client certificate generated or signed by that root. Revoking a client certificate rather than the root allows the other certificates generated from the same root to continue to be used for authentication.

The common practice is to use the root certificate to manage access at team or organization level, and to revoke individual client certificates for fine-grained access control over individual users.

Revoke a client certificate

You can revoke a client certificate by adding its thumbprint to the revocation list.

  1. Retrieve the client certificate thumbprint. For more information, see How to retrieve the Thumbprint of a Certificate.
  2. Copy the information to a text editor and remove all spaces so that it is a continuous string.
  3. Navigate to the virtual network gateway Point-to-site configuration page. This is the same page that you used to upload a trusted root certificate.
  4. In the Revoked certificates section, input a friendly name for the certificate (it doesn't have to be the certificate CN).
  5. Copy and paste the thumbprint string into the Thumbprint field.
  6. The thumbprint is validated and automatically added to the revocation list. A message appears on the screen that the list is updating.
  7. After the update has completed, the certificate can no longer be used to connect. Clients that try to connect using this certificate receive a message saying that the certificate is no longer valid.
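The same root-certificate and revocation operations described in the sections above can be scripted with the Az.Network cmdlets instead of the portal, which is useful when offboarding users regularly. This is an added example and not code from the original article: it assumes Az.Network is installed and Connect-AzAccount has been run, and the resource group, gateway name, file path and thumbprint below are placeholders (the thumbprint is a constructed value, not a real certificate).

```powershell
# Added example, not from the original article. Placeholders: resource group,
# gateway name, .cer path and the constructed thumbprint near the end.
$ResourceGroup = 'TestRG1'     # placeholder
$GatewayName   = 'VNet1GW'     # placeholder

function ConvertTo-NormalizedThumbprint {
    # Thumbprints copied from the certificate dialog carry spaces and can carry an
    # invisible leading character; keep only hex digits so Azure receives the
    # continuous 40-character SHA-1 string the portal step asks for.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw "Expected 40 hex digits (SHA-1), got $($clean.Length)" }
    return $clean
}

function Add-P2SRootCertificate {
    # Upload the public key of a root certificate from a .cer file (DER or Base64).
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$CerPath)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)
    if ($cert.HasPrivateKey) { throw 'Refusing to upload a file that carries a private key' }
    if ($cert.Subject -ne $cert.Issuer) { Write-Warning "$CerPath is not self-issued; P2S roots are normally self-signed CA certificates" }
    # PublicCertData is the DER bytes as Base64 without BEGIN/END lines.
    $publicCertData = [Convert]::ToBase64String($cert.RawData)
    Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $Name `
        -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroup `
        -PublicCertData $publicCertData
}

function Remove-P2SRootCertificate {
    # Removal needs the same PublicCertData that was uploaded; read it back from the gateway.
    param([Parameter(Mandatory)][string]$Name)
    $existing = Get-AzVpnClientRootCertificate -VpnClientRootCertificateName $Name `
        -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroup
    Remove-AzVpnClientRootCertificate -VpnClientRootCertificateName $Name `
        -PublicCertData $existing.PublicCertData `
        -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroup
}

function Revoke-P2SClientCertificate {
    # Deny one client certificate without touching the root it chains to. Idempotent.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Thumbprint)
    $tp = ConvertTo-NormalizedThumbprint $Thumbprint
    $already = Get-AzVpnClientRevokedCertificate -VirtualNetworkGatewayName $GatewayName `
        -ResourceGroupName $ResourceGroup | Where-Object Thumbprint -eq $tp
    if ($already) { Write-Verbose "$tp is already revoked as '$($already.Name)'"; return $already }
    Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName $Name `
        -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroup -Thumbprint $tp
}

# Usage (placeholders): upload a root, then revoke one client issued from it.
Add-P2SRootCertificate -Name 'P2SRootCert' -CerPath "$env:USERPROFILE\P2S\P2SRootCert.cer"
# Constructed thumbprint, exactly as it would be pasted from the certificate dialog.
Revoke-P2SClientCertificate -Name 'jdoe-laptop-revoked' `
    -Thumbprint '3f 4c 1b 9e 0a 7d 22 5e 81 c6 d9 40 ab 17 6f 08 e3 55 b2 c1'

# Current state of both lists on the gateway.
Get-AzVpnClientRootCertificate    -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroup | Select-Object Name
Get-AzVpnClientRevokedCertificate -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroup | Select-Object Name, Thumbprint
```

Keep a record of every client thumbprint you issue: the revocation list is keyed on the thumbprint, so an administrator who only knows the user's name has nothing to revoke. Each Add/Remove call updates the gateway and takes a few minutes to become effective, as the portal message in step 6 indicates.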

Point-to-Site FAQ

How many VPN client endpoints can I have in my Point-to-Site configuration?

It depends on the gateway SKU. For more information on the number of connections supported, see Gateway SKUs.

What client operating systems can I use with Point-to-Site?

The following client operating systems are supported:

  • Windows 7 (32-bit and 64-bit)
  • Windows Server 2008 R2 (64-bit only)
  • Windows 8.1 (32-bit and 64-bit)
  • Windows Server 2012 (64-bit only)
  • Windows Server 2012 R2 (64-bit only)
  • Windows Server 2016 (64-bit only)
  • Windows 10
  • Mac OS X version 10.11 or above
  • Linux (strongSwan)
  • iOS

Note

Starting July 1, 2018, support for TLS 1.0 and 1.1 is being removed from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. To maintain support, see the updates to enable support for TLS 1.2.

Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:

  • RC4 (Rivest Cipher 4)
  • DES (Data Encryption Standard)
  • 3DES (Triple DES)
  • MD5 (Message Digest 5)
How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?

  1. Open a command prompt with elevated privileges by right-clicking Command Prompt and selecting Run as administrator.

  2. Run the following commands in the command prompt:

    rem EAP type 13 (EAP-TLS): allow TLS 1.0, 1.1 and 1.2 (0xfc0)
    reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v TlsVersion /t REG_DWORD /d 0xfc0
    rem WinHTTP default secure protocols: SSL 3.0, TLS 1.0, 1.1 and 1.2 (0xaa0)
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
    rem Same WinHTTP setting for 32-bit processes on 64-bit Windows
    if %PROCESSOR_ARCHITECTURE% EQU AMD64 reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0

  3. Install the following updates:

  4. Reboot the computer.

  5. Connect to the VPN.

Note

You will also have to set the registry keys above if you are running the original release of Windows 10 (build 10240).

Can I traverse proxies and firewalls using the Point-to-Site capability?

Azure supports three types of Point-to-Site VPN options:

  • Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-based solution that can penetrate firewalls, since most firewalls allow outbound TCP port 443, which SSL uses.

  • OpenVPN. OpenVPN is an SSL-based solution that can penetrate firewalls for the same reason: most firewalls allow outbound TCP port 443.

  • IKEv2 VPN. IKEv2 VPN is a standards-based IPsec VPN solution that uses outbound UDP ports 500 and 4500 and IP protocol 50 (ESP; when a NAT is in the path, ESP is carried inside UDP 4500 by NAT traversal). Firewalls do not always allow these ports and protocols, so IKEv2 VPN may not be able to traverse proxies and firewalls.

If I restart a client computer configured for Point-to-Site, will the VPN automatically reconnect?

By default, the client computer will not reestablish the VPN connection automatically.

Does Point-to-Site support auto-reconnect and DDNS on the VPN clients?

Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.

Can I have Site-to-Site and Point-to-Site configurations coexist for the same virtual network?

Yes. For the Resource Manager deployment model, your gateway must use the RouteBased VPN type. For the classic deployment model, you need a dynamic gateway. Point-to-Site is not supported for static routing VPN gateways or PolicyBased VPN gateways.

Can I configure a Point-to-Site client to connect to multiple virtual networks at the same time?

No. A Point-to-Site client can only connect to resources in the VNet in which the virtual network gateway resides.

How much throughput can I expect through Site-to-Site or Point-to-Site connections?

It's difficult to state the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols. Throughput is also limited by the latency and bandwidth between your premises and the Internet. For a VPN gateway with only IKEv2 Point-to-Site VPN connections, the total throughput that you can expect depends on the gateway SKU. For more information on throughput, see Gateway SKUs.

Can I use any software VPN client for Point-to-Site that supports SSTP and/or IKEv2?

No. You can only use the native VPN client on Windows for SSTP, and the native VPN client on Mac for IKEv2. However, you can use the OpenVPN client on all platforms to connect over the OpenVPN protocol. Refer to the list of supported client operating systems.

Does Azure support IKEv2 VPN with Windows?

IKEv2 is supported on Windows 10 and Server 2016. However, in order to use IKEv2, you must install updates and set a registry key value locally. OS versions prior to Windows 10 are not supported and can only use SSTP or the OpenVPN® protocol.

To prepare Windows 10 or Server 2016 for IKEv2:

  1. Install the update.

    OS version                                     Date                Number/Link
    Windows Server 2016, Windows 10 Version 1607   January 17, 2018    KB4057142
    Windows 10 Version 1703                        January 17, 2018    KB4057144
    Windows 10 Version 1709                        March 22, 2018      KB4089848

  2. Set the registry key value. Create or set the REG_DWORD value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2\DisableCertReqPayload to 1.
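The two preparation steps above, as an added PowerShell example that is not part of the original article: it maps the build number to the KB listed in the table, checks whether that update is installed, and sets DisableCertReqPayload idempotently. Builds not in the table (later than 1709) are reported as "not listed" rather than assumed to be fixed; the mapping of build numbers 14393, 15063 and 16299 to versions 1607, 1703 and 1709 is a standard Windows fact, not something the article states.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.
#Requires -RunAsAdministrator

# Build -> KB from the table in the article (1607/Server 2016, 1703, 1709).
$RequiredHotfix = @{
    '14393' = 'KB4057142'
    '15063' = 'KB4057144'
    '16299' = 'KB4089848'
}
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2'

function Test-IkeV2Prerequisites {
    # Report the OS build, the KB the table requires for it, and whether it is installed.
    $build = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $kb = $RequiredHotfix[$build]
    if (-not $kb) {
        return [pscustomobject]@{ Build = $build; Hotfix = 'not listed'; Installed = $null }
    }
    $installed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
    return [pscustomobject]@{ Build = $build; Hotfix = $kb; Installed = $installed }
}

function Enable-IkeV2CertReqPayloadWorkaround {
    # Create the IKEv2 key if missing and set the DWORD to 1 only when it is not already 1,
    # so the function can be re-run safely (e.g. from a login script).
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    $current = (Get-ItemProperty -Path $RegPath -Name DisableCertReqPayload -ErrorAction SilentlyContinue).DisableCertReqPayload
    if ($current -eq 1) { return 'already set' }
    New-ItemProperty -Path $RegPath -Name DisableCertReqPayload -PropertyType DWord -Value 1 -Force | Out-Null
    return 'set'
}

$status = Test-IkeV2Prerequisites
$status | Format-List
if ($status.Installed -eq $false) {
    Write-Warning "Install $($status.Hotfix) and reboot before connecting over IKEv2"
}
Enable-IkeV2CertReqPayloadWorkaround
```

A value of 'set' means a reboot of the RasMan service (or the machine) is still needed before the Windows IKEv2 client picks the setting up.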

What happens when I configure both SSTP and IKEv2 for P2S VPN connections?

When you configure both SSTP and IKEv2 in a mixed environment (consisting of Windows and Mac devices), the Windows VPN client always tries the IKEv2 tunnel first and falls back to SSTP if the IKEv2 connection does not succeed. macOS connects only via IKEv2.

Other than Windows and Mac, which other platforms does Azure support for P2S VPN?

Azure supports Windows, Mac and Linux for P2S VPN.

I already have an Azure VPN gateway deployed. Can I enable RADIUS and/or IKEv2 VPN on it?

Yes, you can enable these features on already deployed gateways using PowerShell or the Azure portal, provided that the gateway SKU you are using supports RADIUS and/or IKEv2. For example, the VPN gateway Basic SKU does not support RADIUS or IKEv2.

Can I use my own internal PKI root CA to generate certificates for Point-to-Site connectivity?

Yes. Previously, only self-signed root certificates could be used. You can still upload up to 20 root certificates.

Can I use certificates from Azure Key Vault?

No.

What tools can I use to create certificates?

You can use your Enterprise PKI solution (your internal PKI), Azure PowerShell, MakeCert, and OpenSSL. MakeCert is deprecated in current Windows SDKs; the New-SelfSignedCertificate cmdlet covers the same cases.

Are there instructions for certificate settings and parameters?

  • Internal PKI/Enterprise PKI solution: See the steps to Generate certificates.

  • Azure PowerShell: See the Azure PowerShell article for steps.

  • MakeCert: See the MakeCert article for steps.

  • OpenSSL:

    • When exporting certificates, be sure to convert the root certificate to Base64.

    • For the client certificate:

      • When creating the private key, specify the length as 4096.
      • When creating the certificate, for the -extensions parameter, specify usr_cert.
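The same two certificates produced with the Windows PKI cmdlets (the "Azure PowerShell" option above), as an added example that is not part of the original article: a signing-only root, a client certificate issued from it with the Client Authentication EKU (the purpose OpenSSL's usr_cert section gives a leaf certificate), the root's public key written as the Base64 .cer that is uploaded to Azure, and the client exported as a PFX for the user's device. Names and paths are placeholders; the 4096-bit key length mirrors the OpenSSL guidance above.

```powershell
# Added example, not from the original article. Placeholders: names and output folder.
$RootName   = 'P2SRootCert'
$ClientName = 'P2SChildCert'
$OutDir     = "$env:USERPROFILE\P2S"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Root: a signing-only CA certificate. Its private key stays in this user's store;
# only the public part (.cer) is uploaded to Azure.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$RootName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 4096 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# Client: issued by the root, with EKU 1.3.6.1.5.5.7.3.2 (Client Authentication).
$client = New-SelfSignedCertificate -Type Custom -DnsName $ClientName -KeySpec Signature `
    -Subject "CN=$ClientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 4096 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# Root public key as a Base64 .cer: the DER certificate, Base64-encoded, between
# BEGIN/END lines. No private key is in this file.
$der    = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64    = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$cerTxt = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
Set-Content -Path "$OutDir\$RootName.cer" -Value $cerTxt -Encoding ascii

# Client certificate with its private key, password protected, for installation on
# the user's device. Only the end-entity certificate is exported; the root key is
# never distributed.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $client -FilePath "$OutDir\$ClientName.pfx" `
    -Password $pfxPassword -ChainOption EndEntityCertOnly | Out-Null

# Sanity checks before uploading the root or handing out the PFX.
if ($client.Issuer -ne $root.Subject) { throw 'client certificate is not issued by the root' }
$eku = ($client.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages.Value
if ($eku -notcontains '1.3.6.1.5.5.7.3.2') { throw 'client certificate lacks the Client Authentication EKU' }
"Root .cer:          $OutDir\$RootName.cer  (upload this to the gateway)"
"Client thumbprint:  $($client.Thumbprint)  (record it; this is the value you revoke later)"
```

Issue one client certificate per user and device rather than sharing a PFX: revocation on the gateway is per thumbprint, so a shared certificate cannot be withdrawn from one person without cutting off everyone who holds it.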

Next steps

Once your connection is complete, you can add virtual machines to your virtual networks. For more information, see Virtual Machines. To understand more about networking and virtual machines, see Azure and Linux VM network overview.

For P2S troubleshooting information, see Troubleshooting Azure point-to-site connections.