合作伙伴 VPN 设备配置概述Overview of partner VPN device configurations

本文提供有关配置用于连接到 Azure VPN 网关的本地 VPN 设备的概述。This article provides an overview of configuring on-premises VPN devices for connecting to Azure VPN gateways. 示例 Azure 虚拟网络和 VPN 网关设置用于演示如何使用相同参数连接到不同的本地 VPN 设备配置。A sample Azure virtual network and VPN gateway setup is used to show you how to connect to different on-premises VPN device configurations by using the same parameters.

设备要求Device requirements

Azure VPN 网关使用标准 IPsec/IKE 协议套件建立站点到站点 (S2S) VPN 隧道。Azure VPN gateways use standard IPsec/IKE protocol suites for site-to-site (S2S) VPN tunnels. 若要获取 Azure VPN 网关的 IPsec/IKE 参数和加密算法列表,请参阅关于 VPN 设备For a list of IPsec/IKE parameters and cryptographic algorithms for Azure VPN gateways, see About VPN devices. 还可以根据关于加密要求中所述,为特定的连接指定确切的算法与密钥长度。You can also specify the exact algorithms and key strengths for a specific connection as described in About cryptographic requirements.

单一 VPN 隧道Single VPN tunnel

示例中的首个配置由 Azure VPN 网关与本地 VPN 设备之间的单个 S2S VPN 隧道构成。The first configuration in the sample consists of a single S2S VPN tunnel between an Azure VPN gateway and an on-premises VPN device. 可选择性配置跨 VPN 隧道的边界网关协议(BGP)You can optionally configure the Border Gateway Protocol (BGP) across the VPN tunnel.

单一 S2S VPN 隧道图示

有关设置单一 VPN 隧道的分布说明,请参阅配置站点到站点连接For step-by-step instructions to set up a single VPN tunnel, see Configure a site-to-site connection. 以下部分指定示例配置的连接参数,并提供 PowerShell 脚本来帮助读者入门。The following sections specify the connection parameters for the sample configuration and provide a PowerShell script to help you get started.

连接参数Connection parameters

本部分列出了前几部分中示例中所用的参数。This section lists the parameters for the examples that are described in the previous sections.

ParameterParameter Value
虚拟网络地址前缀Virtual network address prefixes 10.11.0.0/1610.11.0.0/16
10.12.0.0/1610.12.0.0/16
Azure VPN 网关 IPAzure VPN gateway IP Azure VPN 网关 IPAzure VPN Gateway IP
本地地址前缀On-premises address prefixes 10.51.0.0/1610.51.0.0/16
10.52.0.0/1610.52.0.0/16
本地 VPN 设备 IPOn-premises VPN device IP 本地 VPN 设备 IPOn-premises VPN device IP
* 虚拟网络 BGP ASN* Virtual network BGP ASN 6501065010
* Azure BGP 对等 IP* Azure BGP peer IP 10.12.255.3010.12.255.30
* 本地 BGP ASN* On-premises BGP ASN 6505065050
* 本地 BGP 对等 IP* On-premises BGP peer IP 10.52.255.25410.52.255.254

* 仅适用于 BGP 的可选参数。* Optional parameter for BGP only.

示例 PowerShell 脚本Sample PowerShell script

本部分提供入门示例脚本。This section provides a sample script to get you started. 有关详细说明,请参阅使用 PowerShell 创建 S2S VPN 连接For detailed instructions, see Create an S2S VPN connection by using PowerShell.

# Declare your variables

$Sub1          = "Replace_With_Your_Subscription_Name"
$RG1           = "TestRG1"
$Location1     = "China East 2"
$VNetName1     = "TestVNet1"
$FESubName1    = "FrontEnd"
$BESubName1    = "Backend"
$GWSubName1    = "GatewaySubnet"
$VNetPrefix11  = "10.11.0.0/16"
$VNetPrefix12  = "10.12.0.0/16"
$FESubPrefix1  = "10.11.0.0/24"
$BESubPrefix1  = "10.12.0.0/24"
$GWSubPrefix1  = "10.12.255.0/27"
$VNet1ASN      = 65010
$DNS1          = "8.8.8.8"
$GWName1       = "VNet1GW"
$GWIPName1     = "VNet1GWIP"
$GWIPconfName1 = "gwipconf1"
$Connection15  = "VNet1toSite5"
$LNGName5      = "Site5"
$LNGPrefix50   = "10.52.255.254/32"
$LNGPrefix51   = "10.51.0.0/16"
$LNGPrefix52   = "10.52.0.0/16"
$LNGIP5        = "Your_VPN_Device_IP"
$LNGASN5       = 65050
$BGPPeerIP5    = "10.52.255.254"

# Connect to your subscription and create a new resource group

Connect-AzAccount -Environment AzureChinaCloud
Select-AzSubscription -SubscriptionName $Sub1
New-AzResourceGroup -Name $RG1 -Location $Location1

# Create virtual network

$fesub1 = New-AzVirtualNetworkSubnetConfig -Name $FESubName1 -AddressPrefix $FESubPrefix1 $besub1 = New-AzVirtualNetworkSubnetConfig -Name $BESubName1 -AddressPrefix $BESubPrefix1
$gwsub1 = New-AzVirtualNetworkSubnetConfig -Name $GWSubName1 -AddressPrefix $GWSubPrefix1

New-AzVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1 -Location $Location1 -AddressPrefix $VNetPrefix11,$VNetPrefix12 -Subnet $fesub1,$besub1,$gwsub1

# Create VPN gateway

$gwpip1    = New-AzPublicIpAddress -Name $GWIPName1 -ResourceGroupName $RG1 -Location $Location1 -AllocationMethod Dynamic
$vnet1     = Get-AzVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1
$subnet1   = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet1
$gwipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name $GWIPconfName1 -Subnet $subnet1 -PublicIpAddress $gwpip1

New-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1 -Location $Location1 -IpConfigurations $gwipconf1 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 -Asn $VNet1ASN

# Create local network gateway

New-AzLocalNetworkGateway -Name $LNGName5 -ResourceGroupName $RG1 -Location $Location1 -GatewayIpAddress $LNGIP5 -AddressPrefix $LNGPrefix51,$LNGPrefix52 -Asn $LNGASN5 -BgpPeeringAddress $BGPPeerIP5

# Create the S2S VPN connection

$vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1  -ResourceGroupName $RG1
$lng5gw  = Get-AzLocalNetworkGateway -Name $LNGName5 -ResourceGroupName $RG1

New-AzVirtualNetworkGatewayConnection -Name $Connection15 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng5gw -Location $Location1 -ConnectionType IPsec -SharedKey 'AzureA1b2C3' -EnableBGP $False

(可选)结合“UsePolicyBasedTrafficSelectors”使用自定义 IPsec/IKE 策略(Optional) Use custom IPsec/IKE policy with UsePolicyBasedTrafficSelectors

如果 VPN 设备不支持“任意到任意”流量选择器(例如基于路由或基于 VTI 的配置),请创建自定义 IPsec/IKE 策略并配置“UsePolicyBasedTrafficSelectors”选项。If your VPN devices don't support any-to-any traffic selectors, such as route-based or VTI-based configurations, create a custom IPsec/IKE policy with the UsePolicyBasedTrafficSelectors option.

Important

需创建 IPsec/IKE 策略,才能对连接启用“UsePolicyBasedTrafficSelectors”选项 。You must create an IPsec/IKE policy to enable the UsePolicyBasedTrafficSelectors option on the connection.

示例脚本使用以下算法和参数创建 IPsec/IKE 策略:The sample script creates an IPsec/IKE policy with the following algorithms and parameters:

  • IKEv2:AES256、SHA384、DHGroup24IKEv2: AES256, SHA384, DHGroup24
  • IPsec:AES256、SHA1、PFS24、SA 生存期 7200 秒和 20480000KB (20GB)IPsec: AES256, SHA1, PFS24, SA Lifetime 7,200 seconds, and 20,480,000 KB (20 GB)

该脚本应用 IPsec/IKE 策略,并对连接启用“UsePolicyBasedTrafficSelectors”选项 。The script applies the IPsec/IKE policy and enables the UsePolicyBasedTrafficSelectors option on the connection.

$ipsecpolicy5 = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup PFS24 -SALifeTimeSeconds 7200 -SADataSizeKilobytes 20480000

$vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1  -ResourceGroupName $RG1
$lng5gw  = Get-AzLocalNetworkGateway -Name $LNGName5 -ResourceGroupName $RG1

New-AzVirtualNetworkGatewayConnection -Name $Connection15 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng5gw -Location $Location1 -ConnectionType IPsec -SharedKey 'AzureA1b2C3' -EnableBGP $False -IpsecPolicies $ipsecpolicy5 -UsePolicyBasedTrafficSelectors $True

(可选)在 S2S VPN 连接中使用 BGP(Optional) Use BGP on S2S VPN connection

创建 S2S VPN 连接时,可选择性地使用用于 VPN 网关的 BGPWhen you create the S2S VPN connection, you can optionally use BGP for the VPN gateway. 这种方法有两点不同:This approach has two differences:

  • 本地地址前缀可以是单个主机地址。The on-premises address prefixes can be a single host address. 本地 BGP 对等 IP 地址指定如下:The on-premises BGP peer IP address is specified as follows:

    New-AzLocalNetworkGateway -Name $LNGName5 -ResourceGroupName $RG1 -Location $Location1 -GatewayIpAddress $LNGIP5 -AddressPrefix $LNGPrefix50 -Asn $LNGASN5 -BgpPeeringAddress $BGPPeerIP5
    
  • 在创建连接时,必须将“-EnableBGP”选项设置为 $True :When you create the connection, you must set the -EnableBGP option to $True:

    New-AzVirtualNetworkGatewayConnection -Name $Connection15 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng5gw -Location $Location1 -ConnectionType IPsec -SharedKey 'AzureA1b2C3' -EnableBGP $True
    

后续步骤Next steps

有关设置主动 - 主动 VPN 网关的分布说明,请参阅为跨界连接和 VNet 到 VNet 连接配置主动 - 主动 VPN 网关For step-by-step instructions to set up active-active VPN gateways, see Configuring active-active VPN gateways for cross-premises and VNet-to-VNet connections.