About cryptographic requirements and Azure VPN gateways

This article discusses how you can configure Azure VPN gateways to satisfy your cryptographic requirements for both cross-premises S2S VPN tunnels and VNet-to-VNet connections within Azure.

About IKEv1 and IKEv2 for Azure VPN connections

Traditionally we allowed IKEv1 connections for Basic SKUs only and allowed IKEv2 connections for all VPN gateway SKUs other than Basic SKUs. The Basic SKUs allow only one connection and have other limitations, such as performance, so customers using legacy devices that support only IKEv1 had a limited experience. To improve the experience of customers using IKEv1, we now allow IKEv1 connections for all VPN gateway SKUs except the Basic SKU. For more information, see VPN Gateway SKUs.

Azure VPN gateway IKEv1 and IKEv2 connections

When IKEv1 and IKEv2 connections are applied to the same VPN gateway, transit between these two connections is enabled automatically.

About IPsec and IKE policy parameters for Azure VPN gateways

The IPsec and IKE protocol standards support a wide range of cryptographic algorithms in various combinations. If you do not request a specific combination of cryptographic algorithms and parameters, Azure VPN gateways use a set of default proposals. The default policy sets were chosen to maximize interoperability with a wide range of third-party VPN devices in their default configurations. As a result, the policies and the number of proposals cannot cover all possible combinations of available cryptographic algorithms and key strengths.

Default policy

The default policy set for Azure VPN gateways is listed in the article About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections.

Cryptographic requirements

For communications that require specific cryptographic algorithms or parameters, typically due to compliance or security requirements, you can now configure your Azure VPN gateways to use a custom IPsec/IKE policy with specific cryptographic algorithms and key strengths, rather than the Azure default policy sets.

For example, the IKEv2 main mode policies for Azure VPN gateways use only Diffie-Hellman Group 2 (1024 bits), whereas you may need to specify stronger groups for IKE, such as Group 14 (2048-bit), Group 24 (2048-bit MODP Group), or ECP (elliptic curve groups) 256 or 384 bit (Group 19 and Group 20, respectively). Similar requirements apply to IPsec quick mode policies as well.

Custom IPsec/IKE policy with Azure VPN gateways

Azure VPN gateways now support a per-connection custom IPsec/IKE policy. For a Site-to-Site or VNet-to-VNet connection, you can choose a specific combination of cryptographic algorithms for IPsec and IKE with the desired key strength, as shown in the following example:

(Figure: ipsec-ike-policy)

You can create an IPsec/IKE policy and apply it to a new or existing connection.

Workflow

  1. Create the virtual networks, VPN gateways, or local network gateways for your connectivity topology as described in other how-to documents
  2. Create an IPsec/IKE policy
  3. Apply the policy when you create an S2S or VNet-to-VNet connection
  4. If the connection is already created, apply or update the policy on the existing connection

IPsec/IKE policy FAQ

Is custom IPsec/IKE policy supported on all Azure VPN Gateway SKUs?

Custom IPsec/IKE policy is supported on all Azure SKUs except the Basic SKU.

How many policies can I specify on a connection?

You can only specify one policy combination for a given connection.

Can I specify a partial policy on a connection? (for example, only IKE algorithms, but not IPsec)

No, you must specify all algorithms and parameters for both IKE (Main Mode) and IPsec (Quick Mode). Partial policy specification is not allowed.

What are the algorithms and key strengths supported in the custom policy?

The following table lists the supported cryptographic algorithms and key strengths configurable by customers. You must select one option for every field.

IPsec/IKEv2          Options
IKEv2 Encryption     AES256, AES192, AES128, DES3, DES
IKEv2 Integrity      SHA384, SHA256, SHA1, MD5
DH Group             DHGroup24, ECP384, ECP256, DHGroup14 (DHGroup2048), DHGroup2, DHGroup1, None
IPsec Encryption     GCMAES256, GCMAES192, GCMAES128, AES256, AES192, AES128, DES3, DES, None
IPsec Integrity      GCMAES256, GCMAES192, GCMAES128, SHA256, SHA1, MD5
PFS Group            PFS24, ECP384, ECP256, PFS2048, PFS2, PFS1, None
QM SA Lifetime       Seconds (integer; min. 300/default 27000 seconds)
                     KBytes (integer; min. 1024/default 102400000 KBytes)
Traffic Selector     UsePolicyBasedTrafficSelectors ($True/$False; default $False)

Important

  1. DHGroup2048 and PFS2048 are the same as Diffie-Hellman Group 14 in IKE and IPsec PFS. See Diffie-Hellman Groups for the complete mappings.
  2. For GCMAES algorithms, you must specify the same GCMAES algorithm and key length for both IPsec Encryption and Integrity.
  3. The IKEv2 Main Mode SA lifetime is fixed at 28,800 seconds on Azure VPN gateways.
  4. QM SA lifetimes are optional parameters. If none is specified, the default values of 27,000 seconds (7.5 hrs) and 102400000 KBytes (102 GB) are used.
  5. UsePolicyBasedTrafficSelectors is an optional parameter on the connection. See the next FAQ item for "UsePolicyBasedTrafficSelectors".
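The following Az PowerShell script is an added example, not code from the original article, that walks through workflow steps 2 to 4 above with values taken from the options table: it builds a complete policy (every field set, GCMAES matched on Encryption and Integrity), applies it to a new S2S connection, updates an existing connection, removes it again to fall back to the default proposals, and reads the policy back from Azure as a check. The resource group, gateway and connection names and the shared key are placeholders; the IKEv1/IKEv2 protocol type and the DPD timeout are set with the `-ConnectionProtocol` and `-DpdTimeoutInSeconds` parameters of `New-AzVirtualNetworkGatewayConnection`.

```powershell
# Added example (not from the original article). Names below are placeholders.
$rg       = "TestRG1"
$location = "eastus"

# Step 2: create the policy. Every field is mandatory (no partial policies);
# GCMAES256 must be used for both IPsec Encryption and Integrity.
# SALifeTimeSeconds is the Quick Mode SA lifetime (min. 300 s); the IKEv2
# Main Mode lifetime is fixed at 28,800 s and cannot be set here.
$policy = New-AzIpsecPolicy `
    -IkeEncryption       AES256 `
    -IkeIntegrity        SHA384 `
    -DhGroup             DHGroup24 `
    -IpsecEncryption     GCMAES256 `
    -IpsecIntegrity      GCMAES256 `
    -PfsGroup            PFS24 `
    -SALifeTimeSeconds   14400 `
    -SADataSizeKilobytes 102400000

# Step 3: apply the policy while creating the connection.
# ConnectionProtocol selects IKEv1 or IKEv2 (IKEv2 is the default and cannot be
# changed after creation); DpdTimeoutInSeconds must be within 9..3600 (default 45).
$vng = Get-AzVirtualNetworkGateway -Name "VNet1GW" -ResourceGroupName $rg
$lng = Get-AzLocalNetworkGateway   -Name "Site1"   -ResourceGroupName $rg

$conn = New-AzVirtualNetworkGatewayConnection `
    -Name "VNet1toSite1" -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -ConnectionProtocol IKEv2 `
    -SharedKey "<placeholder-pre-shared-key>" `
    -IpsecPolicies $policy `
    -DpdTimeoutInSeconds 30

# Step 4: apply or update the policy on an existing connection.
# Expect a few seconds of disruption while the gateway restarts the IKE handshake.
$conn = Get-AzVirtualNetworkGatewayConnection -Name "VNet1toSite1" -ResourceGroupName $rg
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn -IpsecPolicies $policy

# Check: read the policy back from Azure rather than trusting the local variable.
(Get-AzVirtualNetworkGatewayConnection -Name "VNet1toSite1" -ResourceGroupName $rg).IpsecPolicies |
    Format-List IkeEncryption, IkeIntegrity, DhGroup, IpsecEncryption, IpsecIntegrity, PfsGroup, SALifeTimeSeconds, SADataSizeKilobytes

# Removing the custom policy (empty list) does not leave the tunnel unprotected:
# the gateway reverts to the default IPsec/IKE proposals and renegotiates.
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn -IpsecPolicies @()
```

The same `$policy` object can be passed to each connection resource of a VNet-to-VNet pair; both resources must carry an identical policy or the tunnel will not establish.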

Does everything need to match between the Azure VPN gateway policy and my on-premises VPN device configuration?

Your on-premises VPN device configuration must match or contain the following algorithms and parameters that you specify in the Azure IPsec/IKE policy:

  • IKE encryption algorithm
  • IKE integrity algorithm
  • DH Group
  • IPsec encryption algorithm
  • IPsec integrity algorithm
  • PFS Group
  • Traffic Selector (*)

The SA lifetimes are local specifications only and do not need to match.

If you enable UsePolicyBasedTrafficSelectors, you need to ensure your VPN device has matching traffic selectors defined for all combinations of your on-premises network (local network gateway) prefixes to/from the Azure virtual network prefixes, instead of any-to-any. For example, if your on-premises network prefixes are 10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to specify the following traffic selectors:

  • 10.1.0.0/16 <====> 192.168.0.0/16
  • 10.1.0.0/16 <====> 172.16.0.0/16
  • 10.2.0.0/16 <====> 192.168.0.0/16
  • 10.2.0.0/16 <====> 172.16.0.0/16

For more information, see Connect multiple on-premises policy-based VPN devices.
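As an added example (not code from the original article), the script below generates the full list of prefix pairs an on-premises policy-based device must define when UsePolicyBasedTrafficSelectors is enabled, first from the FAQ's sample prefixes and then from the address spaces actually configured on the local network gateway and virtual network in Azure, so the device configuration is derived from the same data the gateway uses. It then enables the option on an existing connection. Resource names are placeholders.

```powershell
# Added example (not from the original article). Names below are placeholders.

function Get-ExpectedTrafficSelectors {
    param(
        [Parameter(Mandatory)] [string[]] $OnPremPrefixes,
        [Parameter(Mandatory)] [string[]] $VNetPrefixes
    )
    # With UsePolicyBasedTrafficSelectors the gateway proposes one selector per
    # (on-prem prefix, VNet prefix) pair, so the device needs the full cross product,
    # not a single any-to-any selector.
    foreach ($local in $OnPremPrefixes) {
        foreach ($remote in $VNetPrefixes) {
            [pscustomobject]@{ Local = $local; Remote = $remote }
        }
    }
}

# Sample values from the FAQ: yields the four pairs listed above.
$onPrem = @("10.1.0.0/16", "10.2.0.0/16")
$vnet   = @("192.168.0.0/16", "172.16.0.0/16")
Get-ExpectedTrafficSelectors -OnPremPrefixes $onPrem -VNetPrefixes $vnet |
    ForEach-Object { "{0} <====> {1}" -f $_.Local, $_.Remote }

# Check against what is really configured in Azure: the gateway uses the local
# network gateway address space and the VNet address space, so read both from
# the resources instead of from a hand-typed list.
$rg  = "TestRG1"
$lng = Get-AzLocalNetworkGateway -Name "Site1" -ResourceGroupName $rg
$vn  = Get-AzVirtualNetwork      -Name "VNet1" -ResourceGroupName $rg

$expected = Get-ExpectedTrafficSelectors `
    -OnPremPrefixes $lng.LocalNetworkAddressSpace.AddressPrefixes `
    -VNetPrefixes   $vn.AddressSpace.AddressPrefixes
"{0} selector(s) must be configured on the on-premises device:" -f @($expected).Count
$expected | Format-Table Local, Remote

# Enable policy-based traffic selectors on an existing connection that already
# carries a custom IPsec/IKE policy (a brief IKE renegotiation follows).
$conn = Get-AzVirtualNetworkGatewayConnection -Name "VNet1toSite1" -ResourceGroupName $rg
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn `
    -UsePolicyBasedTrafficSelectors $True
```

Adding a prefix to the local network gateway or the VNet later changes the expected pair list, so rerun the check after any address-space change; a missing pair on the device shows up as a quick mode negotiation failure for that prefix combination.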

Which Diffie-Hellman Groups are supported?

The table below lists the supported Diffie-Hellman Groups for IKE (DHGroup) and IPsec (PFSGroup):

Diffie-Hellman Group   DHGroup                   PFSGroup   Key length
1                      DHGroup1                  PFS1       768-bit MODP
2                      DHGroup2                  PFS2       1024-bit MODP
14                     DHGroup14, DHGroup2048    PFS2048    2048-bit MODP
19                     ECP256                    ECP256     256-bit ECP
20                     ECP384                    ECP384     384-bit ECP
24                     DHGroup24                 PFS24      2048-bit MODP

For more information, see RFC3526 and RFC5114.

Does the custom policy replace the default IPsec/IKE policy sets for Azure VPN gateways?

Yes. Once a custom policy is specified on a connection, the Azure VPN gateway uses only that policy on the connection, both as IKE initiator and IKE responder.

If I remove a custom IPsec/IKE policy, does the connection become unprotected?

No, the connection is still protected by IPsec/IKE. Once you remove the custom policy from a connection, the Azure VPN gateway reverts to the default list of IPsec/IKE proposals and restarts the IKE handshake with your on-premises VPN device.

Would adding or updating an IPsec/IKE policy disrupt my VPN connection?

Yes, it can cause a small disruption (a few seconds) as the Azure VPN gateway tears down the existing connection and restarts the IKE handshake to re-establish the IPsec tunnel with the new cryptographic algorithms and parameters. Ensure your on-premises VPN device is also configured with the matching algorithms and key strengths to minimize the disruption.

Can I use different policies on different connections?

Yes. Custom policy is applied on a per-connection basis. You can create and apply different IPsec/IKE policies on different connections. You can also choose to apply custom policies on a subset of connections; the remaining ones use the Azure default IPsec/IKE policy sets.

Can I use the custom policy on VNet-to-VNet connections as well?

Yes, you can apply a custom policy on both IPsec cross-premises connections and VNet-to-VNet connections.

Do I need to specify the same policy on both VNet-to-VNet connection resources?

Yes. A VNet-to-VNet tunnel consists of two connection resources in Azure, one for each direction. Make sure both connection resources have the same policy, otherwise the VNet-to-VNet connection won't establish.

What is the default DPD timeout value? Can I specify a different DPD timeout?

The default DPD timeout is 45 seconds. You can specify a different DPD timeout value, between 9 and 3600 seconds, on each IPsec or VNet-to-VNet connection.

Does custom IPsec/IKE policy work on ExpressRoute connections?

No. IPsec/IKE policy only works on S2S VPN and VNet-to-VNet connections via Azure VPN gateways.

How do I create connections with IKEv1 or IKEv2 protocol type?

IKEv1 connections can be created on all RouteBased VPN type SKUs, except the Basic SKU, Standard SKU, and other legacy SKUs. You can specify a connection protocol type of IKEv1 or IKEv2 while creating connections. If you do not specify a connection protocol type, IKEv2 is used as the default where applicable. For more information, see the PowerShell cmdlet documentation. For SKU types and IKEv1/IKEv2 support, see Connect gateways to policy-based VPN devices.

Is transit between IKEv1 and IKEv2 connections allowed?

Yes. Transit between IKEv1 and IKEv2 connections is supported.

Can I have IKEv1 site-to-site connections on Basic SKUs of RouteBased VPN type?

No. The Basic SKU does not support this.

Can I change the connection protocol type after the connection is created (IKEv1 to IKEv2 and vice versa)?

No. Once the connection is created, the IKEv1/IKEv2 protocol cannot be changed. You must delete the connection and recreate it with the desired protocol type.

Where can I find more configuration information for IPsec?

See Configure IPsec/IKE policy for S2S or VNet-to-VNet connections.

Next steps

See Configure IPsec/IKE policy for step-by-step instructions on configuring a custom IPsec/IKE policy on a connection.

See also Connect multiple policy-based VPN devices to learn more about the UsePolicyBasedTrafficSelectors option.