Configure IPsec transport mode for ExpressRoute private peering

This article helps you create IPsec tunnels in transport mode over ExpressRoute private peering. ExpressRoute private peering is a private circuit, but it does not encrypt traffic by itself; the host-to-host IPsec policy described here adds that protection. The tunnel is created between Azure VMs running Windows and on-premises Windows hosts. The steps in this article use group policy objects. While it's possible to create this configuration without organizational units (OUs) and group policy objects (GPOs), the combination of OUs and GPOs simplifies the control of your security policies and lets you scale up quickly. The steps assume you already have an Active Directory configuration and that you're familiar with using OUs and GPOs.

About this configuration

The configuration in the following steps uses a single Azure virtual network (VNet) with ExpressRoute private peering. However, this configuration can span other Azure VNets and on-premises networks. This article helps you define an IPsec encryption policy that you can apply to a group of Azure VMs or on-premises hosts that are part of the same OU. You configure encryption between the Azure VMs (vm1 and vm2) and the on-premises host1 only for HTTP traffic with destination port 8080. Different types of IPsec policy can be created based on your requirements.

Working with OUs

The security policy associated with an OU is pushed to the computers via GPO. A few advantages of using OUs, rather than applying policies to a single host, are:

  • Associating a policy with an OU guarantees that computers that belong to the same OU get the same policies.
  • Changing the security policy associated with an OU applies the change to all hosts in the OU.


The following diagram shows the interconnection and the assigned IP address space. The Azure VMs and the on-premises host are running Windows Server 2016. The Azure VMs and the on-premises host1 are part of the same domain, and they can resolve each other's names properly using DNS.


This diagram shows the IPsec transport-mode tunnels carried over ExpressRoute private peering.


Working with IPsec policy

In Windows, encryption is associated with IPsec policy. IPsec policy determines which IP traffic is secured and the security mechanism applied to the IP packets. IPsec policies are composed of the following items: filter lists, filter actions, and security rules.

When configuring IPsec policy, it's important to understand the following terminology:

  • IPsec policy: A collection of rules. Only one policy can be active ("assigned") on a computer at any given time. Each policy can have one or more rules, all of which can be active simultaneously, so within a single policy you can define multiple actions that are taken in different situations. Each rule is associated with a filter list that determines the type of network traffic to which the rule applies.

  • Filter lists: A filter list is a bundle of one or more filters. A filter defines whether communication is blocked, allowed, or secured based on criteria such as IP address ranges, protocols, or specific ports. Each filter matches a particular set of conditions; for example, packets sent from a particular subnet to a particular computer on a specific destination port. When network traffic matches one or more of those filters, the filter list is activated. Each filter is defined inside a specific filter list; filters can't be shared between filter lists. However, a given filter list can be incorporated into several IPsec policies.

  • Filter actions: A security method defines the set of security algorithms, protocols, and keys that a computer offers during IKE negotiation. Filter actions are lists of security methods, ranked in order of preference. When a computer negotiates an IPsec session, it sends or accepts proposals based on the security methods stored in the filter action.

  • Security rules: Rules govern how and when an IPsec policy protects communication. A rule combines a filter list and a filter action to build the IPsec connection. Each policy can have one or more rules, all of which can be active simultaneously. Each rule contains an IP filter list and a collection of security settings that apply when traffic matches that filter list:

    • IP filter actions
    • Authentication methods
    • IP tunnel settings
    • Connection types


Before you begin

Ensure that you meet the following prerequisites:

  • You must have a functioning Active Directory configuration that you can use to implement Group Policy settings. For more information about GPOs, see Group Policy Objects.

  • You must have an active ExpressRoute circuit.

    • For information about creating an ExpressRoute circuit, see Create an ExpressRoute circuit.
    • Verify that the circuit is enabled by your connectivity provider.
    • Verify that you have Azure private peering configured for your circuit. See the configure routing article for routing instructions.
    • Verify that you have a VNet and a virtual network gateway created and fully provisioned. Follow the instructions to create a virtual network gateway for ExpressRoute. A virtual network gateway for ExpressRoute uses the GatewayType 'ExpressRoute', not VPN.
    • The ExpressRoute virtual network gateway must be connected to the ExpressRoute circuit. For more information, see Connect a VNet to an ExpressRoute circuit.

  • Verify that the Azure Windows VMs are deployed to the VNet.

  • Verify that there's connectivity between the on-premises hosts and the Azure VMs.

  • Verify that the Azure Windows VMs and the on-premises hosts can use DNS to properly resolve names.


Workflow

  1. Create a GPO and associate it to the OU.
  2. Define an IPsec filter action.
  3. Define an IPsec filter list.
  4. Create an IPsec policy with security rules.
  5. Assign the IPsec GPO to the OU.

Example values

  • Domain name: ipsectest.com

  • On-premises Windows computer: host1

  • Azure Windows VMs: vm1, vm2

1. Create a GPO

  1. Create a new GPO linked to an OU by opening the Group Policy Management snap-in and locating the OU to which the GPO will be linked. In the example, the OU is named IPSecOU.

  2. In the Group Policy Management snap-in, right-click the OU and select "Create a GPO in this domain, and Link it here…".

  3. Give the GPO an intuitive name so that you can easily locate it later. Select OK to create and link the GPO.


2. Enable the GPO link

To apply the GPO to the OU, the GPO must not only be linked to the OU; the link must also be enabled.

  1. Locate the GPO that you created, right-click, and select Edit from the dropdown.

  2. To apply the GPO to the OU, select Link Enabled.


3. Define the IP filter action

  1. In the Group Policy Management Editor, right-click IP Security Policies on Active Directory, and then select Manage IP filter lists and filter actions....

  2. On the Manage Filter Actions tab, select Add.

  3. On the IP Security Filter Action wizard, select Next.

  4. Give the filter action an intuitive name so that you can find it later. In this example, the filter action is named myEncryption. You can also add a description. Then, select Next.

  5. Negotiate security makes the filter action negotiate IPsec protection with the peer instead of simply permitting or blocking the traffic; the following page defines the behavior if IPsec can't be established with the other computer. Select Negotiate security, then select Next.

  6. On the Communicating with computers that do not support IPsec page, select Do not allow unsecured communication, then select Next. This choice fails closed: if IKE negotiation with the peer fails, matching traffic is dropped rather than sent in clear text, so make sure every host that must talk on port 8080 receives the policy before you assign it.

  7. On the IP Traffic and Security page, select Custom, then select Settings....

  8. On the Custom Security Method Settings page, select Data integrity and encryption (ESP): SHA1, 3DES. Then, select OK. This legacy snap-in offers only DES or 3DES for encryption and MD5 or SHA1 for integrity, so 3DES with SHA1 is the strongest combination available here; if you need AES or SHA-2, use connection security rules in Windows Firewall with Advanced Security instead.

  9. On the Manage Filter Actions page, you can see that the myEncryption filter action was successfully added. Select Close.


4. Define an IP filter list

Create a filter list that specifies the HTTP traffic with destination port 8080 that must be encrypted.

  1. To qualify which types of traffic must be encrypted, use an IP filter list. On the Manage IP Filter Lists tab, select Add to add a new IP filter list.

  2. In the Name: field, type a name for your IP filter list. For example, azure-onpremises-HTTP8080. Then, select Add.

  3. On the IP Filter Description and Mirrored property page, select Mirrored. The mirrored setting matches packets going in both directions, which allows for two-way communication. Then select Next.

  4. On the IP Traffic Source page, from the Source address: dropdown, choose A specific IP Address or Subnet.

  5. Specify the source IP Address or Subnet: of the IP traffic, then select Next.

  6. Specify the Destination address: IP Address or Subnet. Then, select Next.

  7. On the IP Protocol Type page, select TCP. Then, select Next.

  8. On the IP Protocol Port page, select From any port and To this port:. Type 8080 in the text box. These settings specify that only HTTP traffic on destination port 8080 will be encrypted. Then, select Next.

  9. View the IP filter list. The configuration of the IP filter list azure-onpremises-HTTP8080 triggers encryption for all traffic that matches the following criteria:

    • Any source address in (Azure Subnet2)
    • Any destination address in (on-premises subnet)
    • TCP protocol
    • Destination port 8080


5. Edit the IP filter list

To encrypt the same type of traffic from the on-premises host to the Azure VMs, you need a second IP filter. Follow the same steps you used for setting up the first IP filter and create a new IP filter. The only differences are the source subnet and the destination subnet.

  1. To add a new IP filter to the IP filter list, select Edit.

  2. On the IP Filter List page, select Add.

  3. Create a second IP filter using the settings in the following example:

  4. After you create the second IP filter, the IP filter list will look like this:

If encryption is required between an on-premises location and an Azure subnet to protect an application, you can add a new IP filter list instead of modifying the existing one. Associating two or more IP filter lists with the same IPsec policy gives you more flexibility: you can modify or remove an IP filter list without affecting the other IP filter lists.

6. Create an IPsec security policy

Create an IPsec policy with security rules.

  1. Select the IP Security Policies on Active Directory node that is associated with the OU. Right-click, and select Create IP Security Policy.

  2. Name the security policy. For example, policy-azure-onpremises. Then, select Next.

  3. On the Requests for Secure Communication page, leave the default response rule checkbox cleared and select Next.

  4. Verify that the Edit properties checkbox is selected, and then select Finish.


7. Edit the IPsec security policy

Add to the IPsec policy the IP filter list and the filter action that you previously configured.

  1. On the Rules tab of the policy's Properties dialog, select Add.

  2. On the Welcome page, select Next.

  3. A rule provides the option to define the IPsec mode: tunnel mode or transport mode.

    • In tunnel mode, the original packet is encapsulated by a new set of IP headers. Tunnel mode protects the internal routing information by encrypting the IP header of the original packet. Tunnel mode is widely implemented between gateways in site-to-site VPN scenarios.

    • Transport mode encrypts only the payload and the ESP trailer; the IP header of the original packet isn't encrypted. In transport mode, the IP source and IP destination of the packets are unchanged. Transport mode is in most cases used for end-to-end encryption between hosts, which is the scenario in this article.

    Select This rule does not specify a tunnel, and then select Next.

  4. Network Type defines which network connections the security policy applies to. Select All network connections, and then select Next.

  5. Select the IP filter list that you created previously, azure-onpremises-HTTP8080, and then select Next.

  6. Select the existing filter action myEncryption that you created previously.

  7. Windows supports four distinct types of IPsec authentication: Kerberos, certificates, NTLMv2, and pre-shared key. Since we're working with domain-joined hosts, select Active Directory default (Kerberos V5 protocol), and then select Next. A pre-shared key is stored in clear text in the policy and is intended only for testing, not for production use.

  8. The new policy creates the security rule azure-onpremises-HTTP8080. Select OK.

The IPsec policy requires all HTTP connections to destination port 8080 to use IPsec transport mode. Since HTTP is a clear-text protocol, enabling the security policy ensures that the data is encrypted while it is transferred over the ExpressRoute private peering. IPsec policy for Active Directory is more complex to configure than Windows Firewall with Advanced Security, but it allows for more customization of the IPsec connection.

8. Assign the IPsec GPO to the OU

  1. View the policy. The security policy is defined, but not yet assigned.

  2. To assign the security policy to the OU IPSecOU, right-click the security policy and choose Assign. Every computer that belongs to the OU will have the security policy assigned at its next Group Policy refresh.
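The objects that steps 3 to 8 create in the snap-in can also be created from the command line with netsh ipsec static against the Active Directory policy store. The following script is an added example, not code from the original article or from Microsoft; it assumes the two address ranges shown stand in for "Azure Subnet2" and the on-premises subnet, that the GPO name is the one you chose in step 1, and that it runs as a domain administrator on a domain-joined Windows Server 2016 host.

```powershell
# Added example (not part of the original article): the objects that steps 3 to 8 create in the
# GUI, built with netsh ipsec static in the Active Directory policy store. Assumptions: the two
# address ranges are stand-ins for "Azure Subnet2" and the on-premises subnet, the GPO name is
# the one chosen in step 1, and the script runs as a domain administrator on a domain-joined host.
$domain       = "ipsectest.com"
$gpoName      = "IPsec-HTTP8080"                              # assumed GPO name from step 1
$azureSubnet  = "10.0.2.0";    $azureMask  = "255.255.255.0"  # assumed Azure Subnet2
$onpremSubnet = "192.168.1.0"; $onpremMask = "255.255.255.0"  # assumed on-premises subnet
$filterList   = "azure-onpremises-HTTP8080"
$filterAction = "myEncryption"
$policy       = "policy-azure-onpremises"

# Work against the domain store so the policy is visible to Group Policy, not the local store.
netsh ipsec static set store location=domain "domain=$domain"

# Step 3: filter action. action=negotiate plus inpass=no and soft=no is the CLI equivalent of
# "Do not allow unsecured communication"; qmsecmethods is the ESP 3DES/SHA1 security method.
netsh ipsec static add filteraction "name=$filterAction" action=negotiate inpass=no soft=no "qmsecmethods=ESP[3DES,SHA1]"

# Steps 4 and 5: the filter list and its two mirrored filters (Azure -> on-premises and
# on-premises -> Azure). srcport=0 means "from any port"; mirrored=yes also matches the replies.
netsh ipsec static add filterlist "name=$filterList"
netsh ipsec static add filter "filterlist=$filterList" "srcaddr=$azureSubnet" "srcmask=$azureMask" "dstaddr=$onpremSubnet" "dstmask=$onpremMask" protocol=TCP srcport=0 dstport=8080 mirrored=yes
netsh ipsec static add filter "filterlist=$filterList" "srcaddr=$onpremSubnet" "srcmask=$onpremMask" "dstaddr=$azureSubnet" "dstmask=$azureMask" protocol=TCP srcport=0 dstport=8080 mirrored=yes

# Step 6: the policy, with the default response rule left off (the cleared checkbox in the wizard).
netsh ipsec static add policy "name=$policy" assign=no activatedefaultrule=no

# Step 7: the security rule. No tunnel endpoint = transport mode; conntype=all = all network
# connections; kerberos=yes = Active Directory default authentication for domain-joined hosts.
netsh ipsec static add rule "name=$filterList" "policy=$policy" "filterlist=$filterList" "filteraction=$filterAction" conntype=all kerberos=yes

# Step 8: assign the policy inside the GPO that is linked to the OU.
netsh ipsec static set policy "name=$policy" assign=yes "gponame=$gpoName"

# Show what was written; compare it with the rule and filter list shown in the snap-in.
netsh ipsec static show policy "name=$policy" level=verbose
```

Because inpass=no and soft=no make the filter action fail closed, run the show command and check both filters before assigning the policy; a typo in a subnet mask silently turns "encrypt port 8080" into "drop port 8080" for the hosts that do not match.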


Check traffic encryption

To check the encryption GPO applied to the OU, install IIS on all the Azure VMs and on host1, with each IIS instance configured to answer HTTP requests on port 8080. To verify encryption, you can install a network sniffer (like Wireshark) on all computers in the OU. The following PowerShell script works as an HTTP client that generates HTTP requests on port 8080 in a loop:

# Target URL served by IIS on port 8080, for example http://vm1:8080/ (set before running)
$url = ""
while ($true) {
    try {
        $req = [net.WebRequest]::Create($url)
        $req.Method = "GET"
        $req.ContentType = "application/x-www-form-urlencoded"
        $req.Timeout = 60000

        $start = Get-Date
        [net.HttpWebResponse] $res = $req.GetResponse()
        $timetaken = ((Get-Date) - $start).TotalMilliseconds

        # HttpWebResponse has no Content property; read the body from the response stream
        $reader = New-Object IO.StreamReader($res.GetResponseStream())
        Write-Output $reader.ReadToEnd()
        $reader.Close()
        Write-Output ("{0} {1} {2}" -f (Get-Date), $res.StatusCode.value__, $timetaken)
        $res.Close()
        $req = $null
        $res = $null
    } catch [Exception] {
        Write-Output ("{0} {1}" -f (Get-Date), $_.ToString())
        $req = $null
    }

    # uncomment the line below and change the wait time to add a pause between requests
    #Start-Sleep -Seconds 1
}

The following network capture shows the results for on-premises host1 with the display filter ESP, which matches only the encrypted traffic. If the capture still shows HTTP on port 8080 instead of ESP, the policy has not been applied on one of the hosts:


If you run the PowerShell script on-premises (as the HTTP client), the network capture on the Azure VM shows a similar trace.
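Besides a packet capture, the host itself can tell you whether the policy arrived and whether an IPsec security association (SA) was actually negotiated for the port 8080 traffic. The following script is an added example, not code from the original article or from Microsoft; it assumes a domain-joined Windows Server 2016 host in the OU, an elevated PowerShell session, and vm1 (from the example values) as the peer that serves HTTP on port 8080.

```powershell
# Added example (not part of the original article): a verification pass for one host in the OU.
# Assumptions: the host is domain-joined Windows Server 2016, the script runs in an elevated
# PowerShell session, and the peer that serves HTTP on port 8080 is vm1 (from the example values).
$peer = "vm1"

# --- Server side (run on the hosts that must answer on 8080): install IIS and add the binding.
function Enable-Iis8080 {
    Install-WindowsFeature Web-Server -IncludeManagementTools | Out-Null
    Import-Module WebAdministration
    if (-not (Get-WebBinding -Name "Default Web Site" -Port 8080)) {
        New-WebBinding -Name "Default Web Site" -Protocol http -Port 8080
    }
}

# --- Client side: confirm the GPO arrived, trigger IKE, then look for a transport-mode SA.
function Test-IpsecPort8080 {
    param([string]$Server)

    # 1. Refresh Group Policy and list the applied computer GPOs; the IPsec GPO from step 1
    #    must appear, otherwise the OU link is missing or disabled (step 2).
    gpupdate /target:computer /force | Out-Null
    gpresult /r /scope:computer

    # 2. Send one request so that the IPsec policy agent negotiates a security association.
    #    With "Do not allow unsecured communication" selected in step 3, a failed negotiation
    #    surfaces here as a timeout rather than as clear-text HTTP on the wire.
    try {
        $res = Invoke-WebRequest -Uri "http://${Server}:8080/" -UseBasicParsing -TimeoutSec 30
        "HTTP {0} from {1}:8080" -f $res.StatusCode, $Server | Out-Host
    } catch {
        Write-Warning "Request to ${Server}:8080 failed: $($_.Exception.Message)"
    }

    # 3. List the quick-mode SAs. For this policy an SA should show EncapsulationMode = Transport
    #    and ESP with 3DES encryption and SHA1 integrity (property names as displayed by
    #    Get-NetIPsecQuickModeSA on Windows Server 2016). No SA means the traffic is either not
    #    matching the filter list or not being protected at all.
    $sas = Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue
    if (-not $sas) {
        Write-Warning "No IPsec quick-mode SA found: port 8080 traffic is NOT being encrypted."
        return $false
    }
    $sas | Select-Object LocalEndpoint, RemoteEndpoint, EncapsulationMode,
                         EspEncryption, EspAuthentication | Format-Table -AutoSize | Out-Host
    return $true
}

# Usage on a client host: Test-IpsecPort8080 -Server $peer
```

Run Enable-Iis8080 on vm1, vm2 and host1, then Test-IpsecPort8080 from each side. The same SA list is available from netsh advfirewall monitor show qmsa if you prefer the text output; either way, an empty list combined with a successful HTTP response is the case to worry about, because it means the request went out unprotected.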

Next steps

For more information about ExpressRoute, see the ExpressRoute FAQ.