Configure IPsec/IKE policy for site-to-site VPN connections

This article walks through the steps to configure an IPsec/IKE policy for site-to-site (S2S) VPN connections in Azure Stack Hub.

Note

You must be running Azure Stack Hub build 1809 or later to use this feature. If you're currently running a build prior to 1809, update your Azure Stack Hub system to the latest build before proceeding with the steps in this article.

IPsec and IKE policy parameters for VPN gateways

The IPsec and IKE protocol standards support a wide range of cryptographic algorithms in various combinations. To see which parameters are supported in Azure Stack Hub so you can satisfy your compliance or security requirements, see IPsec/IKE parameters.

This article provides instructions on how to create and configure an IPsec/IKE policy and apply it to a new or existing connection.

Considerations

Note the following important considerations when using these policies:

  • The IPsec/IKE policy only works on the Standard and HighPerformance (route-based) gateway SKUs.

  • You can only specify one policy combination for a given connection.

  • You must specify all algorithms and parameters for both IKE (Main Mode) and IPsec (Quick Mode). Partial policy specification is not allowed.

  • Consult your VPN device vendor's specifications to ensure the policy is supported on your on-premises VPN devices. Site-to-site connections cannot be established if the policies are incompatible.

Prerequisites

Before you begin, make sure you have the following prerequisites:

Part 1 - Create and set IPsec/IKE policy

This section describes the steps required to create and update the IPsec/IKE policy on a site-to-site VPN connection:

  1. Create a virtual network and a VPN gateway.

  2. Create a local network gateway for the cross-premises connection.

  3. Create an IPsec/IKE policy with the selected algorithms and parameters.

  4. Create an IPsec connection with the IPsec/IKE policy.

  5. Add, update, or remove an IPsec/IKE policy for an existing connection.

The instructions in this article help you set up and configure IPsec/IKE policies, as shown in the following figure:

Set up and configure IPsec/IKE policies

Part 2 - Supported cryptographic algorithms and key strengths

The following table lists the supported cryptographic algorithms and key strengths configurable by Azure Stack Hub:

IPsec/IKEv2         Options
IKEv2 Encryption    AES256, AES192, AES128, DES3, DES
IKEv2 Integrity     SHA384, SHA256, SHA1, MD5
DH Group            ECP384, ECP256, DHGroup24, DHGroup14, DHGroup2, DHGroup1
IPsec Encryption    GCMAES256, GCMAES192, GCMAES128, AES256, AES192, AES128, DES3, DES, None
IPsec Integrity     GCMAES256, GCMAES192, GCMAES128
PFS Group           PFS24, ECP384, ECP256, PFS2048, PFS2, PFS1, PFSMM, None
QM SA Lifetime      (Optional: default values are used if not specified)
                    Seconds (integer; min. 300/default 27000 seconds)
                    KBytes (integer; min. 1024/default 102400000 KBytes)
Traffic Selector    Policy-based Traffic Selectors are not supported in Azure Stack Hub.

  • Your on-premises VPN device configuration must match or contain the following algorithms and parameters that you specify on the Azure IPsec/IKE policy:

    • IKE encryption algorithm (Main Mode/Phase 1).
    • IKE integrity algorithm (Main Mode/Phase 1).
    • DH Group (Main Mode/Phase 1).
    • IPsec encryption algorithm (Quick Mode/Phase 2).
    • IPsec integrity algorithm (Quick Mode/Phase 2).
    • PFS Group (Quick Mode/Phase 2).
    • The SA lifetimes are local specifications only and do not need to match.

  • If GCMAES is used as the IPsec encryption algorithm, you must select the same GCMAES algorithm and key length for IPsec integrity; for example, use GCMAES128 for both.

  • In the preceding table:

    • IKEv2 corresponds to Main Mode or Phase 1.
    • IPsec corresponds to Quick Mode or Phase 2.
    • DH Group specifies the Diffie-Hellman group used in Main Mode or Phase 1.
    • PFS Group specifies the Diffie-Hellman group used in Quick Mode or Phase 2.

  • The IKEv2 Main Mode SA lifetime is fixed at 28,800 seconds on the Azure Stack Hub VPN gateways.

The following table lists the corresponding Diffie-Hellman groups supported by the custom policy:

Diffie-Hellman Group   DHGroup                  PFSGroup   Key length
1                      DHGroup1                 PFS1       768-bit MODP
2                      DHGroup2                 PFS2       1024-bit MODP
14                     DHGroup14, DHGroup2048   PFS2048    2048-bit MODP
19                     ECP256                   ECP256     256-bit ECP
20                     ECP384                   ECP384     384-bit ECP
24                     DHGroup24                PFS24      2048-bit MODP

For more information, see RFC3526 and RFC5114.
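As an added example that is not part of the original article or the Azure Stack Hub tooling: a PowerShell function that checks a planned policy against the rules in this part (every Phase 1 and Phase 2 field present, only values from the tables, a matching GCMAES pair, the Quick Mode lifetime minimums) and, optionally, against the proposals an on-premises device is configured to offer, ignoring SA lifetimes as the text says. The function name, the hashtable layout and the device proposal list are assumptions for illustration.

```powershell
# Added example (not the docs' code); keys mirror New-AzureRmIpsecPolicy parameters, $DeviceProposals is an assumed hand-written list.
function Test-AzsIpsecPolicy {
    param(
        [Parameter(Mandatory)][hashtable]$Policy,
        [hashtable[]]$DeviceProposals = @()
    )
    $problems = @()
    # Partial policies are rejected: every Phase 1 and Phase 2 field must be present.
    $required = 'IkeEncryption','IkeIntegrity','DhGroup','IpsecEncryption','IpsecIntegrity','PfsGroup'
    foreach ($k in $required) {
        if (-not $Policy.ContainsKey($k)) { $problems += "Missing parameter: $k" }
    }
    # Allowed values from the tables above (DHGroup2048 is the alias listed for group 14).
    # Assumption: the cmdlet also accepts SHA256/SHA1/MD5 for IpsecIntegrity (Part 3 uses SHA256).
    $allowed = @{
        IkeEncryption   = 'AES256','AES192','AES128','DES3','DES'
        IkeIntegrity    = 'SHA384','SHA256','SHA1','MD5'
        DhGroup         = 'ECP384','ECP256','DHGroup24','DHGroup14','DHGroup2048','DHGroup2','DHGroup1'
        IpsecEncryption = 'GCMAES256','GCMAES192','GCMAES128','AES256','AES192','AES128','DES3','DES','None'
        IpsecIntegrity  = 'GCMAES256','GCMAES192','GCMAES128','SHA256','SHA1','MD5'
        PfsGroup        = 'PFS24','ECP384','ECP256','PFS2048','PFS2','PFS1','PFSMM','None'
    }
    foreach ($k in $allowed.Keys) {
        if ($Policy.ContainsKey($k) -and $allowed[$k] -notcontains $Policy[$k]) {
            $problems += "$k '$($Policy[$k])' is not a supported value"
        }
    }
    # GCMAES for IPsec encryption requires the same GCMAES algorithm and key length for integrity.
    if ($Policy.IpsecEncryption -like 'GCMAES*' -and $Policy.IpsecIntegrity -ne $Policy.IpsecEncryption) {
        $problems += "IpsecIntegrity must be $($Policy.IpsecEncryption) to match IpsecEncryption"
    }
    # Quick Mode SA lifetime minimums; the defaults apply when the values are omitted.
    if ($Policy.ContainsKey('SALifeTimeSeconds') -and $Policy.SALifeTimeSeconds -lt 300) { $problems += 'SALifeTimeSeconds must be at least 300' }
    if ($Policy.ContainsKey('SADataSizeKilobytes') -and $Policy.SADataSizeKilobytes -lt 1024) { $problems += 'SADataSizeKilobytes must be at least 1024' }
    # The device must offer the exact six-parameter combination; SA lifetimes are local and not compared.
    if ($DeviceProposals.Count -gt 0) {
        $match = $DeviceProposals | Where-Object {
            $p = $_
            @($required | Where-Object { $p[$_] -ne $Policy[$_] }).Count -eq 0
        }
        if (-not $match) { $problems += 'No on-premises proposal matches all six algorithm/group parameters' }
    }
    return $problems
}

# Constructed input: the policy from the Part 3 sample script and one proposal the device offers.
$planned = @{ IkeEncryption='AES128'; IkeIntegrity='SHA1'; DhGroup='DHGroup14'; IpsecEncryption='AES256'
              IpsecIntegrity='SHA256'; PfsGroup='None'; SALifeTimeSeconds=14400; SADataSizeKilobytes=102400000 }
$device = @(@{ IkeEncryption='AES128'; IkeIntegrity='SHA1'; DhGroup='DHGroup14'; IpsecEncryption='AES256'; IpsecIntegrity='SHA256'; PfsGroup='None' })
Test-AzsIpsecPolicy -Policy $planned -DeviceProposals $device
```

Each string the function returns is a reason the tunnel would not negotiate under the rules above; an empty result means the combination can be passed to New-AzureRmIpsecPolicy as written.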

Part 3 - Create a new site-to-site VPN connection with IPsec/IKE policy

This section walks through the steps to create a site-to-site VPN connection with an IPsec/IKE policy. The following steps create the connection, as shown in the following figure:

site-to-site-policy

For more detailed step-by-step instructions for creating a site-to-site VPN connection, see Create a site-to-site VPN connection.

Step 1 - Create the virtual network, VPN gateway, and local network gateway

1. Declare variables

For this exercise, start by declaring the following variables. Be sure to replace the placeholders with your own values when configuring for production:

$Sub1 = "<YourSubscriptionName>"
$RG1 = "TestPolicyRG1"
$Location1 = "China East"
$VNetName1 = "TestVNet1"
$FESubName1 = "FrontEnd"
$BESubName1 = "Backend"
$GWSubName1 = "GatewaySubnet"
$VNetPrefix11 = "10.11.0.0/16"
$VNetPrefix12 = "10.12.0.0/16"
$FESubPrefix1 = "10.11.0.0/24"
$BESubPrefix1 = "10.12.0.0/24"
$GWSubPrefix1 = "10.12.255.0/27"
$DNS1 = "8.8.8.8"
$GWName1 = "VNet1GW"
$GW1IPName1 = "VNet1GWIP1"
$GW1IPconf1 = "gw1ipconf1"
$Connection16 = "VNet1toSite6"
$LNGName6 = "Site6"
$LNGPrefix61 = "10.61.0.0/16"
$LNGPrefix62 = "10.62.0.0/16"
$LNGIP6 = "131.107.72.22"

2. Connect to your subscription and create a new resource group

Make sure you switch to PowerShell mode to use the Resource Manager cmdlets. For more information, see Connect to Azure Stack Hub with PowerShell as a user.

Open your PowerShell console and connect to your account; for example:

Connect-AzureRmAccount -EnvironmentName AzureChinaCloud
Select-AzureRmSubscription -SubscriptionName $Sub1
New-AzureRmResourceGroup -Name $RG1 -Location $Location1

3. Create the virtual network, VPN gateway, and local network gateway

The following example creates the virtual network, TestVNet1, along with three subnets and the VPN gateway. When substituting values, it's important that you specifically name your gateway subnet GatewaySubnet. If you name it something else, your gateway creation fails.

$fesub1 = New-AzureRmVirtualNetworkSubnetConfig -Name $FESubName1 -AddressPrefix $FESubPrefix1
$besub1 = New-AzureRmVirtualNetworkSubnetConfig -Name $BESubName1 -AddressPrefix $BESubPrefix1
$gwsub1 = New-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName1 -AddressPrefix $GWSubPrefix1

New-AzureRmVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1 -Location $Location1 -AddressPrefix $VNetPrefix11,$VNetPrefix12 -Subnet $fesub1,$besub1,$gwsub1

$gw1pip1 = New-AzureRmPublicIpAddress -Name $GW1IPName1 -ResourceGroupName $RG1 -Location $Location1 -AllocationMethod Dynamic

$vnet1 = Get-AzureRmVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1

$subnet1 = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" `
-VirtualNetwork $vnet1

$gw1ipconf1 = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GW1IPconf1 `
-Subnet $subnet1 -PublicIpAddress $gw1pip1

New-AzureRmVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1 `
-Location $Location1 -IpConfigurations $gw1ipconf1 -GatewayType Vpn `
-VpnType RouteBased -GatewaySku VpnGw1

New-AzureRmLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1 `
-Location $Location1 -GatewayIpAddress $LNGIP6 -AddressPrefix `
$LNGPrefix61,$LNGPrefix62

Step 2 - Create a site-to-site VPN connection with an IPsec/IKE policy

1. Create an IPsec/IKE policy

This sample script creates an IPsec/IKE policy with the following algorithms and parameters:

  • IKEv2: AES128, SHA1, DHGroup14
  • IPsec: AES256, SHA256, PFS None, SA lifetime 14400 seconds and 102400000 KB

$ipsecpolicy6 = New-AzureRmIpsecPolicy -IkeEncryption AES128 -IkeIntegrity SHA1 -DhGroup DHGroup14 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000

If you use GCMAES for IPsec, you must use the same GCMAES algorithm and key length for both IPsec encryption and integrity.

2. Create the site-to-site VPN connection with the IPsec/IKE policy

Create a site-to-site VPN connection and apply the IPsec/IKE policy you created previously:

$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
$lng6 = Get-AzureRmLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1

# The shared key must be the same value configured on the on-premises VPN device.
New-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location $Location1 -ConnectionType IPsec -IpsecPolicies $ipsecpolicy6 -SharedKey 'AzS123'

Important

Once an IPsec/IKE policy is specified on a connection, the Azure VPN gateway only sends or accepts the IPsec/IKE proposal with the specified cryptographic algorithms and key strengths on that particular connection. Make sure your on-premises VPN device for the connection uses or accepts the exact policy combination; otherwise the site-to-site VPN tunnel cannot be established.

Part 4 - Update IPsec/IKE policy for a connection

The previous section showed how to manage IPsec/IKE policy for an existing site-to-site connection. This section walks through the following operations on a connection:

  • Show the IPsec/IKE policy of a connection.
  • Add or update the IPsec/IKE policy on a connection.
  • Remove the IPsec/IKE policy from a connection.

Note

IPsec/IKE policy is supported on Standard and HighPerformance route-based VPN gateways only. It does not work on the Basic gateway SKU.

1. Show the IPsec/IKE policy of a connection

The following example shows how to get the IPsec/IKE policy configured on a connection. The scripts also continue from the previous exercises:

$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
$connection6.IpsecPolicies

The last command lists the current IPsec/IKE policy configured on the connection, if any. The following is sample output for the connection:

SALifeTimeSeconds : 14400
SADataSizeKilobytes : 102400000
IpsecEncryption : AES256
IpsecIntegrity : SHA256
IkeEncryption : AES128
IkeIntegrity : SHA1
DhGroup : DHGroup14
PfsGroup : None

If there's no IPsec/IKE policy configured, the command $connection6.IpsecPolicies returns nothing. This does not mean that IPsec/IKE isn't configured on the connection; it means there's no custom IPsec/IKE policy. The actual connection uses the default policy negotiated between your on-premises VPN device and the Azure VPN gateway.

2. Add or update an IPsec/IKE policy for a connection

The steps to add a new policy or update an existing policy on a connection are the same: create a new policy, then apply the new policy to the connection:

$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1

$newpolicy6 = New-AzureRmIpsecPolicy -IkeEncryption AES128 -IkeIntegrity SHA1 -DhGroup DHGroup14 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000

# Re-apply the shared key before the update; it must stay equal to the key configured on the on-premises device.
$connection6.SharedKey = "AzS123"

Set-AzureRmVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection6 -IpsecPolicies $newpolicy6

You can get the connection again to check whether the policy has been updated:

$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
$connection6.IpsecPolicies

You should see the output from the last line, as shown in the following example:

SALifeTimeSeconds : 14400
SADataSizeKilobytes : 102400000
IpsecEncryption : AES256
IpsecIntegrity : SHA256
IkeEncryption : AES128
IkeIntegrity : SHA1
DhGroup : DHGroup14
PfsGroup : None

3. Remove an IPsec/IKE policy from a connection

After you remove the custom policy from a connection, the Azure VPN gateway reverts to the default IPsec/IKE proposal and renegotiates with your on-premises VPN device.

$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
# Re-apply the shared key before the update; it must stay equal to the key configured on the on-premises device.
$connection6.SharedKey = "AzS123"
# Remove the single custom policy (only one policy combination can be set per connection).
$currentpolicy = $connection6.IpsecPolicies[0]
$connection6.IpsecPolicies.Remove($currentpolicy)

Set-AzureRmVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection6

You can use the script from step 1 to check that the policy has been removed from the connection.

Next steps