az network vnet-gateway ipsec-policy

Manage virtual network gateway IPSec policies.

Commands

az network vnet-gateway ipsec-policy add

Add a virtual network gateway IPSec policy.

az network vnet-gateway ipsec-policy clear

Delete all IPsec policies on a virtual network gateway.

az network vnet-gateway ipsec-policy list

List IPSec policies associated with a virtual network gateway.

az network vnet-gateway ipsec-policy add

Add a virtual network gateway IPSec policy.

Set all IPsec policies of a virtual network gateway. If you want to set any IPsec policy, you must set them all.

az network vnet-gateway ipsec-policy add --dh-group {DHGroup1, DHGroup14, DHGroup2, DHGroup2048, DHGroup24, ECP256, ECP384, None}
                                         --gateway-name
                                         --ike-encryption {AES128, AES192, AES256, DES, DES3, GCMAES128, GCMAES256}
                                         --ike-integrity {GCMAES128, GCMAES256, MD5, SHA1, SHA256, SHA384}
                                         --ipsec-encryption {AES128, AES192, AES256, DES, DES3, GCMAES128, GCMAES192, GCMAES256, None}
                                         --ipsec-integrity {GCMAES128, GCMAES192, GCMAES256, MD5, SHA1, SHA256}
                                         --pfs-group {ECP256, ECP384, None, PFS1, PFS14, PFS2, PFS2048, PFS24, PFSMM}
                                         --resource-group
                                         --sa-lifetime
                                         --sa-max-size
                                         [--no-wait]
                                         [--subscription]

Examples

Add specified IPsec policies to a gateway instead of relying on defaults.

az network vnet-gateway ipsec-policy add -g MyResourceGroup --gateway-name MyGateway \
    --dh-group DHGroup14 --ike-encryption AES256 --ike-integrity SHA384 --ipsec-encryption DES3 \
    --ipsec-integrity GCMAES256 --pfs-group PFS2048 --sa-lifetime 27000 --sa-max-size 102400000

Required Parameters

--dh-group

Required. The DH Group used in IKE Phase 1 for initial SA.

accepted values: DHGroup1, DHGroup14, DHGroup2, DHGroup2048, DHGroup24, ECP256, ECP384, None

--gateway-name

Virtual network gateway name.

--ike-encryption

Required. The IKE encryption algorithm (IKE phase 2).

accepted values: AES128, AES192, AES256, DES, DES3, GCMAES128, GCMAES256

--ike-integrity

Required. The IKE integrity algorithm (IKE phase 2).

accepted values: GCMAES128, GCMAES256, MD5, SHA1, SHA256, SHA384

--ipsec-encryption

Required. The IPSec encryption algorithm (IKE phase 1).

accepted values: AES128, AES192, AES256, DES, DES3, GCMAES128, GCMAES192, GCMAES256, None

--ipsec-integrity

Required. The IPSec integrity algorithm (IKE phase 1).

accepted values: GCMAES128, GCMAES192, GCMAES256, MD5, SHA1, SHA256

--pfs-group

Required. The PFS group used in IKE Phase 2 for new child SA.

accepted values: ECP256, ECP384, None, PFS1, PFS14, PFS2, PFS2048, PFS24, PFSMM

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--sa-lifetime

Required. The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel.

--sa-max-size

Required. The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
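
An added example, not part of the Azure CLI or its documentation: a pre-flight check that parses an ipsec-policy add command line and reports missing required flags, values this example treats as weak, and a GCMAES encryption/integrity mismatch. The weak-value baseline and the GCMAES pairing rule are assumptions of the example, and parse_flags, audit and HARDENED are hypothetical names.

```python
import shlex

# Assumed baseline for this example (not part of the CLI reference): values the
# CLI accepts but that this check treats as too weak for a new tunnel.
WEAK = {
    "--dh-group": {"DHGroup1", "DHGroup2", "None"},
    "--ike-encryption": {"DES", "DES3"},
    "--ike-integrity": {"MD5", "SHA1"},
    "--ipsec-encryption": {"DES", "DES3", "None"},
    "--ipsec-integrity": {"MD5", "SHA1"},
    "--pfs-group": {"PFS1", "PFS2", "None"},
}
REQUIRED = ["--gateway-name", "--resource-group", *WEAK, "--sa-lifetime", "--sa-max-size"]
ALIASES = {"-g": "--resource-group"}

def parse_flags(cmdline):
    """Map each flag of an `ipsec-policy add` command line to its value."""
    tokens = shlex.split(cmdline.replace("\\\n", " "))  # join continuation lines
    flags, i = {}, 0
    while i < len(tokens):
        name, sep, value = tokens[i].partition("=")
        if name.startswith("-"):
            if not sep and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                i, value = i + 1, tokens[i + 1]
            flags[ALIASES.get(name, name)] = value
        i += 1
    return flags

def audit(cmdline):
    """Return findings for the command; an empty list passes the baseline."""
    flags = parse_flags(cmdline)
    findings = [f"missing {f}" for f in REQUIRED if not flags.get(f)]
    findings += [f"weak {f} {flags[f]}" for f, bad in WEAK.items() if flags.get(f) in bad]
    enc = flags.get("--ipsec-encryption", "")
    # Assumption from Azure VPN gateway guidance, not stated on this page:
    # GCMAES IPsec encryption needs the identical GCMAES value for integrity.
    if enc.startswith("GCMAES") and flags.get("--ipsec-integrity") != enc:
        findings.append(f"--ipsec-integrity must be {enc}")
    return findings

# The page's own example, then a constructed variant that swaps the cipher.
PAGE_EXAMPLE = """az network vnet-gateway ipsec-policy add -g MyResourceGroup --gateway-name MyGateway \\
    --dh-group DHGroup14 --ike-encryption AES256 --ike-integrity SHA384 --ipsec-encryption DES3 \\
    --ipsec-integrity GCMAES256 --pfs-group PFS2048 --sa-lifetime 27000 --sa-max-size 102400000"""
HARDENED = PAGE_EXAMPLE.replace("DES3", "GCMAES256")

if __name__ == "__main__":
    for label, cmd in (("page example", PAGE_EXAMPLE), ("constructed", HARDENED)):
        print(label, audit(cmd) or "ok")
```

Run the check in a deployment pipeline before the az command itself, and adjust WEAK to match your organisation's cryptographic baseline.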

az network vnet-gateway ipsec-policy clear

Delete all IPsec policies on a virtual network gateway.

az network vnet-gateway ipsec-policy clear --gateway-name
                                           --resource-group
                                           [--no-wait]
                                           [--subscription]

Examples

Remove all previously specified IPsec policies from a gateway.

az network vnet-gateway ipsec-policy clear -g MyResourceGroup --gateway-name MyGateway

Required Parameters

--gateway-name

Virtual network gateway name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az network vnet-gateway ipsec-policy list

List IPSec policies associated with a virtual network gateway.

az network vnet-gateway ipsec-policy list --gateway-name
                                          --resource-group
                                          [--query-examples]
                                          [--subscription]

Examples

List the IPsec policies set on a gateway.

az network vnet-gateway ipsec-policy list -g MyResourceGroup --gateway-name MyGateway

Required Parameters

--gateway-name

Virtual network gateway name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--query-examples

Recommends JMESPath query strings for you. You can copy one of the queries and paste it after the --query parameter, within double quotation marks, to see the results. You can add one or more positional keywords so that the suggestions are based on those keywords.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.