IPsec IKE Policy-Based VPN with Azure VPN Gateway
Overview
Policy-based VPNs, also known as site-to-site VPNs, are a common method for establishing secure connections between on-premises networks and Azure. Azure VPN Gateway supports both policy-based and route-based VPNs. This article focuses on the configuration and considerations for policy-based VPNs using Internet Key Exchange (IKE).
What is a Policy-Based VPN?
A policy-based VPN creates tunnels based on predefined traffic selectors (policies). These policies define which IP address ranges are encrypted and sent through the VPN tunnel. Unlike route-based VPNs that use dynamic routing protocols, policy-based VPNs create multiple tunnels, one for each defined policy. This can lead to a more complex configuration but offers granular control over traffic flow.
Key Concepts
- IPsec (Internet Protocol Security): A suite of protocols used to secure IP communications by authenticating and encrypting each IP packet of a communication session.
- IKE (Internet Key Exchange): A protocol used to set up a Security Association (SA) for IPsec. IKE negotiates the cryptographic algorithms, keys, and other parameters for the IPsec tunnel.
- Security Association (SA): A unidirectional communication session between two endpoints that defines the security parameters for IPsec, such as encryption and authentication algorithms.
- Traffic Selectors: In policy-based VPNs, traffic selectors are defined on both the Azure VPN Gateway and the on-premises VPN device. They specify the source and destination IP address ranges that will be encrypted and routed through the tunnel.
IKE Version 1 (IKEv1) and IKE Version 2 (IKEv2)
Azure VPN Gateway supports both IKEv1 and IKEv2. While IKEv1 is widely compatible with older on-premises devices, IKEv2 offers improved reliability, performance, and security features.
IKEv1 Phases:
- Phase 1: Establishes a secure channel for negotiation (IKE SA).
- Phase 2: Establishes the IPsec SA for data encryption.
IKEv2 Benefits:
- Simplified negotiation process.
- Better handling of network changes (e.g., IP address changes).
- Enhanced security features.
- Faster rekeying of IPsec tunnels.
Configuring a Policy-Based VPN in Azure
When configuring a policy-based VPN, you define a "local network" and a "remote network" representing your on-premises IP address spaces. The VPN device on your premises must be configured with corresponding policies that match these definitions.
Azure VPN Gateway Settings:
- Gateway Type: VPN
- VPN Type: PolicyBased
- IPsec/IKE Policy: Choose either Default or Custom. Custom lets you specify the encryption and integrity algorithms, Diffie-Hellman groups, and lifetimes for Phase 1 and Phase 2.
Common IPsec/IKE Parameters
When using custom policies, you will need to define the following parameters:
- Encryption Algorithms: AES256, AES128, etc.
- Integrity Algorithms: SHA256, SHA1, MD5, etc.
- Diffie-Hellman (DH) Groups: Group14, Group2, Group24, ECP256, ECP384, etc.
- IKE SA Lifetime: Duration for the Phase 1 SA.
- IPsec SA Lifetime: Duration for the Phase 2 SA (data tunnel).
- PFS (Perfect Forward Secrecy): Enables PFS for enhanced security.
Refer to the Azure VPN Gateway IPsec/IKE policy documentation for the full list of supported algorithms and recommended settings.
Considerations for Policy-Based VPNs
- Complexity: As the number of required tunnels increases, the configuration can become complex due to multiple policies.
- IP Address Spaces: Ensure there are no overlapping IP address ranges between your on-premises network and Azure.
- Device Compatibility: Verify that your on-premises VPN device supports policy-based VPNs and the specified IPsec/IKE parameters.
- Troubleshooting: When a policy-based VPN fails to connect, carefully check the traffic selector definitions on both ends.
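As an added example (not Azure's code or the page's own; the function names, the policy dictionary layout and the sample prefixes are constructed for illustration), the following Python script performs the pre-flight checks that the custom-policy and troubleshooting sections call for: it flags weak custom IPsec/IKE parameter choices, verifies that the on-premises device's traffic selectors are the mirror image of the Azure local/remote network definitions, and detects overlapping address spaces.

```python
import ipaddress

# Constructed example: pre-flight checks for a policy-based IPsec/IKE connection.
WEAK_INTEGRITY = {"MD5", "SHA1"}   # listed as supported above, but not recommended
WEAK_DH = {"Group2"}               # 1024-bit MODP group


def check_policy(policy):
    """Flag weak custom IPsec/IKE parameters for Phase 1 ('ike') and Phase 2 ('ipsec')."""
    findings = []
    for phase in ("ike", "ipsec"):
        p = policy[phase]
        if not p["encryption"].startswith("AES"):
            findings.append(f"{phase}: non-AES encryption {p['encryption']}")
        if p["integrity"] in WEAK_INTEGRITY:
            findings.append(f"{phase}: weak integrity {p['integrity']}")
    if policy["ike"]["dh_group"] in WEAK_DH:
        findings.append(f"ike: weak DH group {policy['ike']['dh_group']}")
    if not policy["ipsec"].get("pfs"):
        findings.append("ipsec: PFS disabled, Phase 2 keys derive only from the Phase 1 secret")
    if policy["ipsec"]["lifetime_s"] > policy["ike"]["lifetime_s"]:
        findings.append("ipsec: Phase 2 SA lifetime exceeds Phase 1 SA lifetime")
    return findings


def _net(prefix):
    return str(ipaddress.ip_network(prefix))  # strict: rejects host bits such as 10.1.0.1/16


def check_selectors(azure_side, device_side):
    """Each side is {'local': [...], 'remote': [...]}. A policy-based tunnel exists per
    (local, remote) pair, so the device must hold exactly the mirrored pairs."""
    azure_pairs = {(_net(l), _net(r)) for l in azure_side["local"] for r in azure_side["remote"]}
    device_pairs = {(_net(r), _net(l)) for l in device_side["local"] for r in device_side["remote"]}
    return {"missing_on_device": sorted(azure_pairs - device_pairs),
            "unexpected_on_device": sorted(device_pairs - azure_pairs)}


def check_overlap(onprem_prefixes, azure_prefixes):
    """Return (on-prem, Azure) prefix pairs whose address ranges overlap."""
    onprem = [ipaddress.ip_network(p) for p in onprem_prefixes]
    azure = [ipaddress.ip_network(p) for p in azure_prefixes]
    return [(str(a), str(b)) for a in onprem for b in azure if a.overlaps(b)]


# Constructed sample: the device operator forgot the second on-premises subnet.
AZURE = {"local": ["10.1.0.0/16"], "remote": ["192.168.10.0/24", "192.168.20.0/24"]}
DEVICE = {"local": ["192.168.10.0/24"], "remote": ["10.1.0.0/16"]}
POLICY = {"ike": {"encryption": "AES256", "integrity": "SHA1", "dh_group": "Group2", "lifetime_s": 28800},
          "ipsec": {"encryption": "AES256", "integrity": "SHA256", "pfs": False, "lifetime_s": 27000}}

if __name__ == "__main__":
    for finding in check_policy(POLICY):
        print("policy:", finding)
    print("selectors:", check_selectors(AZURE, DEVICE))
    print("overlap:", check_overlap(AZURE["remote"], AZURE["local"]))
```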
Next Steps
To implement a policy-based VPN, you will need to create a VPN gateway in Azure and configure your on-premises VPN device. Consult the documentation for your specific VPN device vendor for instructions on configuring IPsec/IKE policies.