Configure VPN gateway settings for Azure Stack Hub

A VPN gateway is a type of virtual network gateway that sends encrypted traffic between your virtual network in Azure Stack Hub and a remote VPN gateway. The remote VPN gateway can be in Azure, a device in your datacenter, or a device on another site. If there is network connectivity between the two endpoints, you can establish a secure Site-to-Site (S2S) VPN connection between the two networks.

A VPN gateway connection relies on the configuration of multiple resources, each of which contains configurable settings. This article describes the resources and settings that relate to a VPN gateway for a virtual network that you create in the Resource Manager deployment model. You can find descriptions and topology diagrams for each connection solution in About VPN Gateway for Azure Stack Hub.

VPN gateway settings

Gateway types

Each Azure Stack Hub virtual network supports a single virtual network gateway, which must be of the type Vpn. This support is different from Azure, which supports additional types.

When you create a virtual network gateway, you must make sure that the gateway type is correct for your configuration. A VPN gateway requires the -GatewayType Vpn flag; for example:

New-AzureRmVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg `
-Location 'China East' -IpConfigurations $gwipconfig -GatewayType Vpn `
-VpnType RouteBased

Gateway SKUs

When you create a virtual network gateway, you must specify the gateway SKU that you want to use. Select the SKU that satisfies your requirements based on the types of workloads, throughputs, features, and SLAs.

Azure Stack Hub offers the VPN gateway SKUs shown in the following table:

| SKU | VPN gateway throughput | VPN gateway maximum IPsec tunnels |
|---|---|---|
| Basic SKU | 100 Mbps | 20 |
| Standard SKU | 100 Mbps | 20 |
| High Performance SKU | 200 Mbps | 10 |

Resizing gateway SKUs

Azure Stack Hub does not support a resize of SKUs between the supported legacy SKUs.

Similarly, Azure Stack Hub does not support a resize from a supported legacy SKU (Basic, Standard, and HighPerformance) to a newer SKU supported by Azure (VpnGw1, VpnGw2, and VpnGw3).

Configure the gateway SKU

Azure Stack Hub portal

If you use the Azure Stack Hub portal to create a Resource Manager virtual network gateway, you can select the gateway SKU by using the dropdown list. The options correspond to the gateway type and VPN type that you select.

PowerShell

The following PowerShell example specifies the -GatewaySku parameter as Standard:

New-AzureRmVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg `
-Location 'China East' -IpConfigurations $gwipconfig -GatewaySku Standard `
-GatewayType Vpn -VpnType RouteBased

Connection types

In the Resource Manager deployment model, each configuration requires a specific virtual network gateway connection type. The available Resource Manager PowerShell value for -ConnectionType is IPsec.

In the following PowerShell example, an S2S connection is created that requires the IPsec connection type:

New-AzureRmVirtualNetworkGatewayConnection -Name localtovon -ResourceGroupName testrg `
-Location 'China East' -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `
-ConnectionType IPsec -RoutingWeight 10 -SharedKey 'abc123'

VPN types

When you create the virtual network gateway for a VPN gateway configuration, you must specify a VPN type. The VPN type that you choose depends on the connection topology that you want to create. A VPN type can also depend on the hardware that you're using. S2S configurations require a VPN device. Some VPN devices only support a certain VPN type.

Important

Currently, Azure Stack Hub only supports the route-based VPN type. If your device only supports policy-based VPNs, then connections to those devices from Azure Stack Hub are not supported.

In addition, Azure Stack Hub does not support using policy-based traffic selectors for route-based gateways at this time, because custom IPsec/IKE policy configurations are not supported.

  • PolicyBased: Policy-based VPNs encrypt and direct packets through IPsec tunnels based on the IPsec policies that are configured with the combinations of address prefixes between your on-premises network and the Azure Stack Hub VNet. The policy, or traffic selector, is usually an access list in the VPN device configuration.

    Note

    PolicyBased is supported in Azure, but not in Azure Stack Hub.

  • RouteBased: Route-based VPNs use routes that are configured in the IP forwarding or routing table to direct packets to their corresponding tunnel interfaces. The tunnel interfaces then encrypt or decrypt the packets in and out of the tunnels. The policy, or traffic selector, for RouteBased VPNs is configured as any-to-any (or uses wildcards). By default, it cannot be changed. The value for a RouteBased VPN type is RouteBased.

The following PowerShell example specifies the -VpnType as RouteBased. When you create a gateway, you must make sure that the -VpnType is correct for your configuration.

New-AzureRmVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg `
-Location 'China East' -IpConfigurations $gwipconfig `
-GatewayType Vpn -VpnType RouteBased

Gateway requirements

The following table lists the requirements for VPN gateways.

| | Policy-based Basic VPN Gateway | Route-based Basic VPN Gateway | Route-based Standard VPN Gateway | Route-based High Performance VPN Gateway |
|---|---|---|---|---|
| Site-to-Site connectivity (S2S connectivity) | Not Supported | Route-based VPN configuration | Route-based VPN configuration | Route-based VPN configuration |
| Authentication method | Not Supported | Pre-shared key for S2S connectivity | Pre-shared key for S2S connectivity | Pre-shared key for S2S connectivity |
| Maximum number of S2S connections | Not Supported | 20 | 20 | 10 |
| Active routing support (BGP) | Not supported | Not supported | Supported | Supported |

Gateway subnet

Before you create a VPN gateway, you must create a gateway subnet. The gateway subnet has the IP addresses that the virtual network gateway VMs and services use. When you create your virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the required VPN gateway settings. Don't deploy anything else (for example, additional VMs) to the gateway subnet.

Important

The gateway subnet must be named GatewaySubnet to work properly. Azure Stack Hub uses this name to identify the subnet to which to deploy the virtual network gateway VMs and services.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The IP addresses in the gateway subnet are allocated to the gateway VMs and gateway services. Some configurations require more IP addresses than others. Look at the instructions for the configuration that you want to create and verify that the gateway subnet you want to create meets those requirements.

Additionally, you should make sure your gateway subnet has enough IP addresses to handle additional future configurations. Although you can create a gateway subnet as small as /29, we recommend you create a gateway subnet of /28 or larger (/28, /27, /26, and so on). That way, if you add functionality in the future, you do not have to tear down your gateway, then delete and recreate the gateway subnet to allow for more IP addresses.

The following Resource Manager PowerShell example shows a gateway subnet named GatewaySubnet. You can see the CIDR notation specifies a /27, which allows for enough IP addresses for most configurations that currently exist.

Add-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.0.3.0/27

Important

When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet can cause your VPN gateway to stop functioning as expected. For more information about network security groups, see What is a network security group?

Local network gateways

When creating a VPN gateway configuration in Azure, the local network gateway often represents your on-premises location. In Azure Stack Hub, it represents any remote VPN device that sits outside Azure Stack Hub. This device could be a VPN device in your datacenter (or a remote datacenter), or a VPN gateway in Azure.

You give the local network gateway a name and the public IP address of the VPN device, and you specify the address prefixes that are on the on-premises location. Azure looks at the destination address prefixes for network traffic, consults the configuration that you've specified for your local network gateway, and routes packets accordingly.

This PowerShell example creates a new local network gateway:

New-AzureRmLocalNetworkGateway -Name LocalSite -ResourceGroupName testrg `
-Location 'China East' -GatewayIpAddress '23.99.221.164' -AddressPrefix '10.5.51.0/24'

Sometimes you need to modify the local network gateway settings; for example, when you add or modify the address range, or if the IP address of the VPN device changes. For more information, see Modify local network gateway settings using PowerShell.
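The sections above (gateway type, SKU, connection type, VPN type, gateway subnet, and local network gateway) each show one cmdlet in isolation and refer to variables such as $gwipconfig, $gateway1, and $local without defining them. The following script is an added end-to-end example, not code from the original article or from Microsoft: it builds the resources in order with the same AzureRM cmdlets, defines those variables, checks the gateway subnet against the /29 minimum, /28-or-larger recommendation, and the GatewaySubnet naming rule, and generates a random pre-shared key rather than reusing a short literal. The resource group, region, resource names, address ranges, and the remote device address 203.0.113.10 (a documentation range) are assumed placeholders; replace them with your own values.

```powershell
# Added example (not from the original article). Assumed values: resource group, region,
# names, address ranges and the remote VPN device address are placeholders.
$rg       = 'testrg'
$location = 'China East'          # region value as used in the article's examples
$vnetName = 'vnet1'

# Checks a proposed gateway subnet against the article's guidance: the subnet must be
# named GatewaySubnet, /29 is the smallest size that works, /28 or larger is recommended.
function Test-GatewaySubnetConfig {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$AddressPrefix
    )
    $prefixLength = [int]($AddressPrefix.Split('/')[1])
    if ($Name -ne 'GatewaySubnet') {
        throw "Gateway subnet must be named 'GatewaySubnet', got '$Name'"
    }
    if ($prefixLength -gt 29) {
        throw "Prefix /$prefixLength is too small; /29 is the minimum and /28 or larger is recommended"
    }
    if ($prefixLength -eq 29) {
        Write-Warning '/29 works but leaves no room for future configurations; consider /28 or larger'
    }
    return $true
}

# Generates a random pre-shared key for the S2S connection instead of a weak literal.
# 32 random bytes, base64-encoded, gives a 44-character key both ends can accept.
function New-RandomSharedKey {
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return [Convert]::ToBase64String($bytes)
}

$gwSubnetName   = 'GatewaySubnet'
$gwSubnetPrefix = '10.0.3.0/27'
Test-GatewaySubnetConfig -Name $gwSubnetName -AddressPrefix $gwSubnetPrefix | Out-Null

# 1. Virtual network with a workload subnet and the dedicated gateway subnet.
#    Nothing else is placed in GatewaySubnet, and no NSG is associated with it.
$frontend = New-AzureRmVirtualNetworkSubnetConfig -Name 'FrontEnd' -AddressPrefix '10.0.1.0/24'
$gwSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name $gwSubnetName -AddressPrefix $gwSubnetPrefix
$vnet = New-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.0.0.0/16' -Subnet $frontend, $gwSubnet

# 2. Public IP and gateway IP configuration (the $gwipconfig used in the article's examples).
$gwpip = New-AzureRmPublicIpAddress -Name 'vnetgw1pip' -ResourceGroupName $rg `
    -Location $location -AllocationMethod Dynamic
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $gwSubnetName -VirtualNetwork $vnet
$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name 'gwipconfig1' `
    -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

# 3. VPN gateway: GatewayType Vpn and VpnType RouteBased are the values Azure Stack Hub
#    supports; the SKU is one of Basic, Standard or HighPerformance.
$gateway1 = New-AzureRmVirtualNetworkGateway -Name 'vnetgw1' -ResourceGroupName $rg `
    -Location $location -IpConfigurations $gwipconfig -GatewayType Vpn `
    -VpnType RouteBased -GatewaySku Standard

# 4. Local network gateway describing the remote VPN device and the prefixes behind it.
$local = New-AzureRmLocalNetworkGateway -Name 'LocalSite' -ResourceGroupName $rg `
    -Location $location -GatewayIpAddress '203.0.113.10' -AddressPrefix '10.5.51.0/24'

# 5. S2S connection (IPsec is the only -ConnectionType available). The shared key must be
#    entered identically on the remote device; keep it out of scripts, logs and tickets.
$psk = New-RandomSharedKey
$connection = New-AzureRmVirtualNetworkGatewayConnection -Name 'localtovnet' -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `
    -ConnectionType IPsec -RoutingWeight 10 -SharedKey $psk

# Re-read the connection state once the remote device has been configured with the same key.
(Get-AzureRmVirtualNetworkGatewayConnection -Name 'localtovnet' -ResourceGroupName $rg).ConnectionStatus
```

Gateway creation takes a long time to complete, so run the script from a session you can leave open. The connection status stays Not connected until the remote device is configured with matching IKE/IPsec settings (see the parameter tables that follow) and the same pre-shared key.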

IPsec/IKE parameters

When you set up a VPN connection in Azure Stack Hub, you must configure the connection at both ends. If you're configuring a VPN connection between Azure Stack Hub and a hardware device such as a switch or router that is acting as a VPN gateway, that device might ask you for additional settings.

Unlike Azure, which supports multiple offers as both an initiator and a responder, Azure Stack Hub supports only one offer by default. If you need to use different IPsec/IKE settings to work with your VPN device, there are more settings available to you to configure your connection manually. For more information, see Configure IPsec/IKE policy for site-to-site VPN connections.

Important

When using the S2S tunnel, packets are further encapsulated with additional headers, which increases the overall size of the packet. In these scenarios, you must clamp TCP MSS at 1350. Or, if your VPN devices do not support MSS clamping, you can alternatively set the MTU on the tunnel interface to 1400 bytes instead. For more information, see Virtual Network TCP/IP performance tuning.

IKE Phase 1 (Main Mode) parameters

| Property | Value |
|---|---|
| IKE Version | IKEv2 |
| Diffie-Hellman Group* | ECP384 |
| Authentication Method | Pre-Shared Key |
| Encryption & Hashing Algorithms* | AES256, SHA384 |
| SA Lifetime (Time) | 28,800 seconds |

IKE Phase 2 (Quick Mode) parameters

| Property | Value |
|---|---|
| IKE Version | IKEv2 |
| Encryption & Hashing Algorithms (Encryption) | GCMAES256 |
| Encryption & Hashing Algorithms (Authentication) | GCMAES256 |
| SA Lifetime (Time) | 27,000 seconds |
| SA Lifetime (Kilobytes) | 33,553,408 |
| Perfect Forward Secrecy (PFS)* | ECP384 |
| Dead Peer Detection | Supported |

Note

The default values for Diffie-Hellman Group, Hashing Algorithm and Perfect Forward Secrecy have been changed for builds 1910 and above. If your Azure Stack Hub is on a build version below 1910, use the following values for the above parameters:

| Property | Value |
|---|---|
| Diffie-Hellman Group | DHGroup2 |
| Hashing Algorithms | SHA256 |
| Perfect Forward Secrecy (PFS) | None |

* New or changed parameter.

Next steps