Virtual WAN default policies for IPsec connectivity

This article lists the IPsec policy combinations that Azure Virtual WAN supports: the default policies Azure negotiates when no custom policy is configured, and the parameters available for custom policies.

Default IPsec policies

Note

When working with default policies, Azure can act as either the initiator or the responder during IPsec tunnel setup. There is no support for Azure as a responder only.

Initiator

The following sections list the supported policy combinations when Azure is the initiator for the tunnel.

Phase-1

  • AES_256, SHA1, DH_GROUP_2
  • AES_256, SHA_256, DH_GROUP_2
  • AES_128, SHA1, DH_GROUP_2
  • AES_128, SHA_256, DH_GROUP_2

Phase-2

  • GCM_AES_256, GCM_AES_256, PFS_NONE
  • AES_256, SHA_1, PFS_NONE
  • AES_256, SHA_256, PFS_NONE
  • AES_128, SHA_1, PFS_NONE

Responder

The following sections list the supported policy combinations when Azure is the responder for the tunnel.

Phase-1

  • AES_256, SHA1, DH_GROUP_2
  • AES_256, SHA_256, DH_GROUP_2
  • AES_128, SHA1, DH_GROUP_2
  • AES_128, SHA_256, DH_GROUP_2

Phase-2

  • GCM_AES_256, GCM_AES_256, PFS_NONE
  • AES_256, SHA_1, PFS_NONE
  • AES_256, SHA_256, PFS_NONE
  • AES_128, SHA_1, PFS_NONE
  • AES_256, SHA_1, PFS_1
  • AES_256, SHA_1, PFS_2
  • AES_256, SHA_1, PFS_14
  • AES_128, SHA_1, PFS_1
  • AES_128, SHA_1, PFS_2
  • AES_128, SHA_1, PFS_14
  • AES_256, SHA_256, PFS_1
  • AES_256, SHA_256, PFS_2
  • AES_256, SHA_256, PFS_14
  • AES_256, SHA_1, PFS_24
  • AES_256, SHA_256, PFS_24
  • AES_128, SHA_256, PFS_NONE
  • AES_128, SHA_256, PFS_1
  • AES_128, SHA_256, PFS_2
  • AES_128, SHA_256, PFS_14
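Two things in the lists above decide whether an on-premises device will negotiate with the default policy: every default Phase-1 combination uses DH_GROUP_2, and every Phase-2 combination Azure proposes as initiator uses PFS_NONE (PFS groups appear only in the responder list). Since the note above says Azure may initiate, a peer that accepts only PFS proposals can come up only when it is the side that initiates. The following script is an added example, not code from the Azure documentation: it transcribes the three lists into sets and checks constructed sample proposals against them. It ignores everything else a real IKE negotiation compares (IKE version, SA lifetimes, authentication).

```python
"""Which of an on-premises device's proposals would Azure Virtual WAN agree
on under the default IPsec policy?

Added example, not code from the Azure documentation. The three sets below are
transcribed from the default-policy lists in this article; the on-premises
proposal lists at the bottom are constructed sample input.
"""
from itertools import product

# Phase-1 (IKE SA): (encryption, integrity, DH group). The article lists the
# same four combinations whether Azure initiates or responds; every one of
# them uses DH_GROUP_2.
PHASE1_DEFAULT = {
    ("AES_256", "SHA1", "DH_GROUP_2"),
    ("AES_256", "SHA_256", "DH_GROUP_2"),
    ("AES_128", "SHA1", "DH_GROUP_2"),
    ("AES_128", "SHA_256", "DH_GROUP_2"),
}

# Phase-2 (IPsec SA): (encryption, integrity, PFS group) Azure proposes when
# it is the initiator. None of these uses PFS.
PHASE2_INITIATOR = {
    ("GCM_AES_256", "GCM_AES_256", "PFS_NONE"),
    ("AES_256", "SHA_1", "PFS_NONE"),
    ("AES_256", "SHA_256", "PFS_NONE"),
    ("AES_128", "SHA_1", "PFS_NONE"),
}

# Phase-2 combinations Azure accepts as responder: the initiator set plus the
# PFS variants from the article's responder list (19 entries in total).
PHASE2_RESPONDER = (
    PHASE2_INITIATOR
    | set(product(("AES_256", "AES_128"), ("SHA_1", "SHA_256"), ("PFS_1", "PFS_2", "PFS_14")))
    | {
        ("AES_256", "SHA_1", "PFS_24"),
        ("AES_256", "SHA_256", "PFS_24"),
        ("AES_128", "SHA_256", "PFS_NONE"),
    }
)


def matching_proposals(peer_phase1, peer_phase2, azure_role):
    """Return (phase1_matches, phase2_matches): the peer's proposals, in the
    peer's preference order, that Azure would accept in the given role."""
    if azure_role not in ("initiator", "responder"):
        raise ValueError("azure_role must be 'initiator' or 'responder'")
    azure_phase2 = PHASE2_INITIATOR if azure_role == "initiator" else PHASE2_RESPONDER
    phase1 = [p for p in peer_phase1 if tuple(p) in PHASE1_DEFAULT]
    phase2 = [p for p in peer_phase2 if tuple(p) in azure_phase2]
    return phase1, phase2


def tunnel_negotiates(peer_phase1, peer_phase2, azure_role):
    """True when at least one Phase-1 and one Phase-2 proposal match."""
    phase1, phase2 = matching_proposals(peer_phase1, peer_phase2, azure_role)
    return bool(phase1) and bool(phase2)


def roles_that_work(peer_phase1, peer_phase2):
    """Roles (from Azure's point of view) in which the tunnel would come up."""
    return [r for r in ("initiator", "responder") if tunnel_negotiates(peer_phase1, peer_phase2, r)]


# Constructed sample input: a device insisting on DH group 14 and PFS group 14.
STRICT_DEVICE_P1 = [("AES_256", "SHA_256", "DH_GROUP_14")]
STRICT_DEVICE_P2 = [("AES_256", "SHA_256", "PFS_14")]

# Same device after relaxing Phase-1 to DH group 2, still requiring PFS 14.
PFS_ONLY_DEVICE_P1 = [("AES_256", "SHA_256", "DH_GROUP_2")]
PFS_ONLY_DEVICE_P2 = [("AES_256", "SHA_256", "PFS_14")]

# Device that also offers a no-PFS proposal as a fallback.
FLEXIBLE_DEVICE_P2 = [("AES_256", "SHA_256", "PFS_14"), ("AES_256", "SHA_256", "PFS_NONE")]

if __name__ == "__main__":
    for name, p1, p2 in (
        ("strict (DH14 + PFS14)", STRICT_DEVICE_P1, STRICT_DEVICE_P2),
        ("DH2 + PFS14 only", PFS_ONLY_DEVICE_P1, PFS_ONLY_DEVICE_P2),
        ("DH2 + PFS14 or no PFS", PFS_ONLY_DEVICE_P1, FLEXIBLE_DEVICE_P2),
    ):
        roles = roles_that_work(p1, p2)
        print(f"{name:24} works when Azure is: {roles or 'neither -> needs a custom policy'}")
```

The first sample never negotiates in either role, because DH group 14 is absent from the default Phase-1 list; that is the case for a custom IPsec policy (next section). The second works only with Azure as responder, and the third in both roles because the PFS_NONE fallback matches what Azure proposes as initiator.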

Custom IPsec policies

When working with custom IPsec policies, keep in mind the following requirements:

  • IKE - For IKE, you can select any parameter from IKE Encryption, plus any parameter from IKE Integrity, plus any parameter from DH Group.
  • IPsec - For IPsec, you can select any parameter from IPsec Encryption, plus any parameter from IPsec Integrity, plus a PFS group. If either the IPsec Encryption or the IPsec Integrity parameter is a GCM algorithm, then both parameters must be GCM.

Note

With custom IPsec policies, there is no concept of responder and initiator (unlike default IPsec policies). Both sides (on-premises and the Azure VPN gateway) use the same settings for IKE Phase 1 and IKE Phase 2. Both IKEv1 and IKEv2 are supported. There is no support for Azure as a responder only.

Available settings and parameters

Setting            Parameters
IKE Encryption     AES256, AES192, AES128
IKE Integrity      SHA384, SHA256, SHA1
DH Group           DHGroup24, ECP384, ECP256, DHGroup14, DHGroup2048, DHGroup2
IPsec Encryption   GCMAES256, GCMAES192, GCMAES128, AES256, AES192, AES128
IPsec Integrity    GCMAES256, GCMAES192, GCMAES128, SHA256, SHA1
PFS Group          PFS24, ECP384, ECP256, PFS2048, PFS2
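A custom policy is typically written once in a template or script and then pushed to both the Azure gateway and the on-premises device with identical settings (see the note above), so it is worth checking it before deployment. The following validator is an added example, not code from the Azure documentation or the Az tooling: it transcribes the table above into allowed-value sets and applies the GCM rule from the requirements list. The key names (IkeEncryption, IpsecIntegrity, and so on) are this example's own, chosen to mirror the table's setting names; the sample policies are constructed; and the "legacy" warnings for SHA1 and the 1024-bit DH groups are this example's judgement, not a rule the article states.

```python
"""Lint a custom IPsec policy for Azure Virtual WAN against the rules above.

Added example, not code from the Azure documentation. ALLOWED is transcribed
from the "Available settings and parameters" table; the key names are this
example's own and the sample policies at the bottom are constructed input.
"""

ALLOWED = {
    "IkeEncryption": {"AES256", "AES192", "AES128"},
    "IkeIntegrity": {"SHA384", "SHA256", "SHA1"},
    "DhGroup": {"DHGroup24", "ECP384", "ECP256", "DHGroup14", "DHGroup2048", "DHGroup2"},
    "IpsecEncryption": {"GCMAES256", "GCMAES192", "GCMAES128", "AES256", "AES192", "AES128"},
    "IpsecIntegrity": {"GCMAES256", "GCMAES192", "GCMAES128", "SHA256", "SHA1"},
    "PfsGroup": {"PFS24", "ECP384", "ECP256", "PFS2048", "PFS2"},
}

# Choices worth a warning in a new deployment (this example's judgement, not a
# rule from the article): SHA1, and the 1024-bit MODP groups DHGroup2 / PFS2.
WEAK = {
    ("IkeIntegrity", "SHA1"),
    ("IpsecIntegrity", "SHA1"),
    ("DhGroup", "DHGroup2"),
    ("PfsGroup", "PFS2"),
}


def is_gcm(value):
    """True for the GCMAES* values in the table."""
    return str(value).startswith("GCMAES")


def validate_policy(policy):
    """Return (errors, warnings). An empty errors list means every setting is
    one of the table's values and the GCM rule is satisfied."""
    errors, warnings = [], []
    for field, allowed in ALLOWED.items():
        value = policy.get(field)
        if value is None:
            errors.append(f"{field}: missing")
        elif value not in allowed:
            errors.append(f"{field}: {value!r} is not one of {sorted(allowed)}")
        elif (field, value) in WEAK:
            warnings.append(f"{field}: {value} is a legacy choice")
    # Article rule: if either IPsec parameter is GCM, both must be GCM.
    enc, integ = policy.get("IpsecEncryption"), policy.get("IpsecIntegrity")
    if enc is not None and integ is not None and is_gcm(enc) != is_gcm(integ):
        errors.append(
            f"IpsecEncryption={enc} and IpsecIntegrity={integ}: when either is GCM, both must be GCM"
        )
    return errors, warnings


# Constructed sample policies.
GOOD_POLICY = {
    "IkeEncryption": "AES256", "IkeIntegrity": "SHA256", "DhGroup": "ECP384",
    "IpsecEncryption": "GCMAES256", "IpsecIntegrity": "GCMAES256", "PfsGroup": "ECP384",
}
MIXED_GCM_POLICY = dict(GOOD_POLICY, IpsecIntegrity="SHA256")   # violates the GCM rule
TYPO_POLICY = dict(GOOD_POLICY, IpsecIntegrity="GCMASE256")     # misspelled, not in the table
LEGACY_POLICY = dict(GOOD_POLICY, IkeIntegrity="SHA1", DhGroup="DHGroup2")

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("mixed-gcm", MIXED_GCM_POLICY),
                      ("typo", TYPO_POLICY), ("legacy", LEGACY_POLICY)):
        errors, warnings = validate_policy(pol)
        print(f"{name}: {'OK' if not errors else 'INVALID'}")
        for e in errors:
            print("  error:", e)
        for w in warnings:
            print("  warning:", w)
```

A misspelled value such as GCMASE256 fails twice: it is not in the table, and because it does not parse as GCM it also trips the GCM-pairing rule against GCMAES256 encryption. Gateways reject such a policy at deployment time; catching it in a pre-commit check is cheaper.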

Next steps

For more information about Virtual WAN, see About Azure Virtual WAN and the Azure Virtual WAN FAQ.