Create and set custom IPsec policies for Point-to-Site (preview)

If your environment requires a custom IPsec policy for encryption, you can configure a policy object with the required settings. This article helps you create a custom policy object and then apply it to an existing Point-to-Site (P2S) VPN gateway using PowerShell.

Before you begin

Prerequisites

Verify that your environment meets the following prerequisites:

  • You have a functioning point-to-site VPN already configured. If you don't, configure one using the steps in the Create a point-to-site VPN article, using either PowerShell or the Azure portal.

Working with Azure PowerShell

You can install and run the Azure PowerShell cmdlets locally on your computer. The PowerShell cmdlets are updated frequently; if you have not installed the latest version, the parameter values used in these instructions may be rejected. To find the versions of Azure PowerShell installed on your computer, run Get-Module -ListAvailable Az. To install or update, see Install the Azure PowerShell module.

1. Set variables

Declare the variables that you want to use. Use the following sample, replacing the values with your own where necessary. If you close your PowerShell session at any point during the exercise, just copy and paste the values again to redeclare the variables.

$RG = "TestRG"
$GWName = "VNet1GW"

2. Create policy object

Create a custom IPsec policy object. You can adjust the values to meet the criteria you require. Note that the sample below uses DHGroup2 and PFS2, which are 1024-bit MODP groups and are widely considered weak; if your VPN clients support them, prefer a 2048-bit group (DHGroup14, PFS14) or an elliptic-curve group (ECP256, ECP384) for the IKE key exchange and for perfect forward secrecy. The SA lifetime is in seconds and the SA data size is in kilobytes.

$vpnclientipsecpolicy = New-AzVpnClientIpsecPolicy -IpsecEncryption AES256 -IpsecIntegrity SHA256 -SALifeTime 86471 -SADataSize 429496 -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup2 -PfsGroup PFS2

3. Update gateway and set policy

In this step, retrieve your existing P2S VPN gateway and apply the IPsec policy to it. Connected P2S clients do not pick up the new parameters until they reconnect.

$gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -name $GWName
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway -VpnClientIpsecPolicy $vpnclientipsecpolicy
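The three steps above combined into one script, as an added example that is not part of the original article. It builds both the article's policy and a hardened variant that swaps the 1024-bit MODP groups for 2048-bit ones, applies the hardened policy, and then reads the gateway back to confirm that the stored policy matches what was requested. It assumes the Az.Network module is installed and you have already signed in with Connect-AzAccount; the resource group and gateway names are placeholders, and the VpnClientConfiguration.VpnClientIpsecPolicies property path used for the read-back check is taken from the gateway object model and is an assumption of this example, not something the article states.

```powershell
# Added example (not from the original article). Assumes Az.Network is installed
# and Connect-AzAccount has already been run. $RG and $GWName are placeholders.

$RG     = "TestRG"    # resource group that contains the gateway (placeholder)
$GWName = "VNet1GW"   # existing VPN gateway with a working P2S configuration (placeholder)

# The article's sample policy, kept here for comparison only. DHGroup2 and PFS2
# are 1024-bit MODP groups and are considered weak today.
$weakPolicy = New-AzVpnClientIpsecPolicy `
    -IpsecEncryption AES256 -IpsecIntegrity SHA256 `
    -SALifeTime 86471 -SADataSize 429496 `
    -IkeEncryption AES256 -IkeIntegrity SHA384 `
    -DhGroup DHGroup2 -PfsGroup PFS2

# Hardened variant: same AES-256 / SHA-2 suite, but 2048-bit MODP (DHGroup14) for
# the IKE exchange and PFS14 for IPsec rekeys. Confirm that every client platform
# you support can negotiate these groups before rolling the change out.
$policy = New-AzVpnClientIpsecPolicy `
    -IpsecEncryption AES256 -IpsecIntegrity SHA256 `
    -SALifeTime 86471 -SADataSize 429496 `
    -IkeEncryption AES256 -IkeIntegrity SHA384 `
    -DhGroup DHGroup14 -PfsGroup PFS14

# Apply the hardened policy to the existing gateway. The gateway is updated in
# place; connected P2S clients must reconnect to pick up the new parameters.
$gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
$null = Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway -VpnClientIpsecPolicy $policy

# Verification: read the gateway back and compare the stored policy with the one
# we requested. The property path below is assumed from the PSVirtualNetworkGateway
# object model; adjust it if your Az.Network version exposes the policy differently.
$refreshed = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
$applied   = @($refreshed.VpnClientConfiguration.VpnClientIpsecPolicies)

if ($applied.Count -eq 0) {
    throw "No custom IPsec policy is set on gateway '$GWName'"
}

# Compare field by field using the property names of the policy object itself,
# so the check does not depend on hard-coded field names.
$stored = $applied[0]
$diff = foreach ($prop in $policy.PSObject.Properties) {
    $requested = "$($prop.Value)"
    $actual    = "$($stored.$($prop.Name))"
    if ($requested -ne $actual) {
        "$($prop.Name): requested '$requested', gateway has '$actual'"
    }
}

if ($diff) {
    throw ("Custom IPsec policy on '$GWName' does not match the request:`n" + ($diff -join "`n"))
}

Write-Output "Custom IPsec policy applied to '$GWName':"
$stored | Format-List
```

If the comparison throws, do not assume the client-side behaviour has changed: the gateway still advertises whatever policy was stored, so reconnect a test client and inspect its negotiated proposal before troubleshooting further. To revert to the gateway defaults, the same Set-AzVirtualNetworkGateway call can be repeated with a freshly created policy object carrying the values you want to restore.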

Next steps

For more information about P2S configurations, see About Point-to-Site VPN.