Connect Azure VPN gateways to multiple on-premises policy-based VPN devices using PowerShell

This article helps you configure an Azure route-based VPN gateway to connect to multiple on-premises policy-based VPN devices, using custom IPsec/IKE policies on S2S VPN connections.

About policy-based and route-based VPN gateways

Policy-based and route-based VPN devices differ in how the IPsec traffic selectors are set on a connection:

  • Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels. They are typically built on firewall devices that perform packet filtering; IPsec tunnel encryption and decryption are added to the packet filtering and processing engine.
  • Route-based VPN devices use any-to-any (wildcard) traffic selectors and let routing/forwarding tables direct traffic to different IPsec tunnels. They are typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface).

The following diagrams highlight the two models:

Policy-based VPN example

(figure: policy-based VPN)

Route-based VPN example

(figure: route-based VPN)

Azure support for policy-based VPN

Currently, Azure supports both modes of VPN gateway: route-based and policy-based. They are built on different internal platforms, which results in different specifications:

    Category               PolicyBased VPN Gateway   RouteBased VPN Gateway   RouteBased VPN Gateway
    Azure Gateway SKU      Basic                     Basic                    VpnGw1, VpnGw2, VpnGw3
    IKE version            IKEv1                     IKEv2                    IKEv1 and IKEv2
    Max. S2S connections   1                         10                       30

With a custom IPsec/IKE policy, you can configure an Azure route-based VPN gateway to use prefix-based traffic selectors, via the "PolicyBasedTrafficSelectors" option, to connect to on-premises policy-based VPN devices. This capability lets you connect from one Azure virtual network and VPN gateway to multiple on-premises policy-based VPN/firewall devices, removing the single-connection limit of the Azure policy-based VPN gateway.

Important

  1. To enable this connectivity, your on-premises policy-based VPN devices must support IKEv2 in order to connect to the Azure route-based VPN gateway. Check your VPN device specifications.
  2. On-premises networks connecting through policy-based VPN devices with this mechanism can only reach the Azure virtual network; they cannot transit to other on-premises networks or virtual networks via the same Azure VPN gateway.
  3. The configuration option is part of the custom IPsec/IKE connection policy. If you enable the policy-based traffic selector option, you must specify the complete policy (IPsec/IKE encryption and integrity algorithms, key strengths, and SA lifetimes).

The following diagram shows why transit routing via the Azure VPN gateway doesn't work with the policy-based option:

(figure: policy-based transit)

As shown in the diagram, the Azure VPN gateway has traffic selectors from the virtual network to each of the on-premises network prefixes, but none for the cross-connection prefixes. For example, on-premises site 2, site 3, and site 4 can each communicate with VNet1, but cannot reach each other via the Azure VPN gateway. The diagram shows the cross-connect traffic selectors that are not available in the Azure VPN gateway under this configuration.
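To make the selector model concrete, the following added illustration (not the gateway's implementation, and not code from the original article) enumerates the prefix-pair selectors a gateway with policy-based traffic selectors proposes on each connection, then looks up which connection, if any, covers a given flow. The VNet prefixes are the article's (10.11.0.0/16 and 10.12.0.0/16); the prefixes for sites 2, 3 and 4 are assumed, since the page gives none.

```powershell
# Added illustration of the traffic-selector model; site prefixes are assumptions.
function ConvertTo-IPv4Long {
    param([string]$Ip)
    $value = [long]0
    foreach ($octet in ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()) {
        $value = $value * 256 + $octet
    }
    return $value
}

function Test-IPv4InPrefix {
    param([string]$Ip, [string]$Prefix)
    $network, $length = $Prefix.Split('/')
    $hostBits = [long][Math]::Pow(2, 32 - [int]$length)
    $mask = [long]4294967295 - ($hostBits - 1)
    return ((ConvertTo-IPv4Long $Ip) -band $mask) -eq ((ConvertTo-IPv4Long $network) -band $mask)
}

# One selector per (VNet prefix, site prefix) pair on each connection: this is what
# -UsePolicyBasedTrafficSelectors $True asks the gateway to propose instead of any-to-any.
function Get-PolicyBasedTrafficSelectors {
    param([string[]]$VNetPrefixes, [hashtable]$SitePrefixes)
    $selectors = @()
    foreach ($site in $SitePrefixes.Keys) {
        foreach ($local in $VNetPrefixes) {
            foreach ($remote in $SitePrefixes[$site]) {
                $selectors += [pscustomobject]@{ Connection = $site; Local = $local; Remote = $remote }
            }
        }
    }
    return $selectors
}

# Return the connection whose selector covers a flow, or $null if none does.
# A selector covers both directions of its local/remote pair.
function Find-CoveringConnection {
    param([object[]]$Selectors, [string]$SourceIp, [string]$DestinationIp)
    foreach ($s in $Selectors) {
        if ((Test-IPv4InPrefix $SourceIp $s.Local) -and (Test-IPv4InPrefix $DestinationIp $s.Remote)) { return $s.Connection }
        if ((Test-IPv4InPrefix $SourceIp $s.Remote) -and (Test-IPv4InPrefix $DestinationIp $s.Local)) { return $s.Connection }
    }
    return $null
}

$vnetPrefixes = @("10.11.0.0/16", "10.12.0.0/16")   # from the article
$sitePrefixes = @{                                  # assumed, for illustration only
    Site2 = @("10.21.0.0/16")
    Site3 = @("10.31.0.0/16")
    Site4 = @("10.41.0.0/16", "10.42.0.0/16")
}

$selectors = Get-PolicyBasedTrafficSelectors -VNetPrefixes $vnetPrefixes -SitePrefixes $sitePrefixes
$selectors | Format-Table -AutoSize

# A VNet1 host talking to a Site3 host: a flow some selector pairs.
Find-CoveringConnection -Selectors $selectors -SourceIp "10.11.0.4" -DestinationIp "10.31.0.7"
# A Site2 host talking to a Site3 host: no selector pairs two on-premises prefixes.
Find-CoveringConnection -Selectors $selectors -SourceIp "10.21.0.4" -DestinationIp "10.31.0.7"
```

The first lookup yields the Site3 connection; the second yields nothing, which is the transit limitation from the diagram: every selector has the VNet on one side, so a site-to-site flow matches no IPsec SA and the gateway has nowhere to forward it.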

Workflow

The instructions in this article follow the same example as described in Configure IPsec/IKE policy for S2S or VNet-to-VNet connections to establish an S2S VPN connection. This is shown in the following diagram:

(figure: s2s-policy)

The workflow to enable this connectivity:

  1. Create the virtual network, VPN gateway, and local network gateway for your cross-premises connection.
  2. Create an IPsec/IKE policy.
  3. Apply the policy when you create an S2S or VNet-to-VNet connection, and enable policy-based traffic selectors on the connection.
  4. If the connection already exists, you can apply or update the policy on the existing connection.

Before you begin

  • Verify that you have an Azure subscription. If you don't already have one, you can sign up for a trial account.

  • You can install and run the Azure PowerShell cmdlets locally on your computer. The cmdlets are updated frequently; if you have not installed the latest version, the values specified in these instructions may fail. To find the versions of Azure PowerShell installed on your computer, use the Get-Module -ListAvailable Az cmdlet. To install or update, see Install the Azure PowerShell module.

Enable policy-based traffic selectors

This section shows you how to enable policy-based traffic selectors on a connection. Make sure you have completed Part 3 of the Configure IPsec/IKE policy article; the steps in this article use the same parameters.

Step 1 - Create the virtual network, VPN gateway, and local network gateway

Connect to your subscription and declare your variables

  1. Sign in using the Connect-AzAccount -Environment AzureChinaCloud cmdlet.

  2. Declare your variables. For this exercise, we use the following variables:

    $Sub1          = "<YourSubscriptionName>"
    $RG1           = "TestPolicyRG1"
    $Location1     = "China North"
    $VNetName1     = "TestVNet1"
    $FESubName1    = "FrontEnd"
    $BESubName1    = "Backend"
    $GWSubName1    = "GatewaySubnet"
    $VNetPrefix11  = "10.11.0.0/16"
    $VNetPrefix12  = "10.12.0.0/16"
    $FESubPrefix1  = "10.11.0.0/24"
    $BESubPrefix1  = "10.12.0.0/24"
    $GWSubPrefix1  = "10.12.255.0/27"
    $DNS1          = "8.8.8.8"
    $GWName1       = "VNet1GW"
    $GW1IPName1    = "VNet1GWIP1"
    $GW1IPconf1    = "gw1ipconf1"
    $Connection16  = "VNet1toSite6"
    $LNGName6      = "Site6"
    $LNGPrefix61   = "10.61.0.0/16"
    $LNGPrefix62   = "10.62.0.0/16"
    $LNGIP6        = "131.107.72.22"
    

Create the virtual network, VPN gateway, and local network gateway

  1. Create a resource group.

    New-AzResourceGroup -Name $RG1 -Location $Location1
    
  2. Use the following example to create the virtual network TestVNet1 with three subnets, and the VPN gateway. If you substitute values, always name the gateway subnet exactly 'GatewaySubnet'; if you name it anything else, gateway creation fails. The gateway must be route-based (-VpnType RouteBased) and on a SKU that supports custom IPsec/IKE policies; the Basic SKU does not.

    $fesub1 = New-AzVirtualNetworkSubnetConfig -Name $FESubName1 -AddressPrefix $FESubPrefix1
    $besub1 = New-AzVirtualNetworkSubnetConfig -Name $BESubName1 -AddressPrefix $BESubPrefix1
    $gwsub1 = New-AzVirtualNetworkSubnetConfig -Name $GWSubName1 -AddressPrefix $GWSubPrefix1
    
    New-AzVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1 -Location $Location1 -AddressPrefix $VNetPrefix11,$VNetPrefix12 -Subnet $fesub1,$besub1,$gwsub1
    
    $gw1pip1    = New-AzPublicIpAddress -Name $GW1IPName1 -ResourceGroupName $RG1 -Location $Location1 -AllocationMethod Dynamic
    $vnet1      = Get-AzVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1
    $subnet1    = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet1
    $gw1ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name $GW1IPconf1 -Subnet $subnet1 -PublicIpAddress $gw1pip1
    
    New-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1 -Location $Location1 -IpConfigurations $gw1ipconf1 -GatewayType Vpn -VpnType RouteBased -GatewaySku HighPerformance
    
    New-AzLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1 -Location $Location1 -GatewayIpAddress $LNGIP6 -AddressPrefix $LNGPrefix61,$LNGPrefix62
    

Step 2 - Create an S2S VPN connection with an IPsec/IKE policy

  1. Create an IPsec/IKE policy.

    Important

    You must create an IPsec/IKE policy in order to enable the "UsePolicyBasedTrafficSelectors" option on the connection.

    The following example creates an IPsec/IKE policy with these algorithms and parameters:

    • IKEv2: AES256, SHA384, DHGroup24
    • IPsec: AES256, SHA256, PFS None, SA lifetime 14400 seconds and 102400000 KB

    PFS None means no fresh Diffie-Hellman exchange on IPsec SA rekeys, so the IPsec keys derive from the IKE SA key material alone. It is kept here to match the referenced example; enable a PFS group if your on-premises device supports one.

    $ipsecpolicy6 = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000
    
  2. Create the S2S VPN connection with policy-based traffic selectors, applying the IPsec/IKE policy created in the previous step. Note the additional parameter "-UsePolicyBasedTrafficSelectors $True", which enables policy-based traffic selectors on the connection. The shared key shown is a placeholder; use a long, randomly generated value that is unique to this connection and matches what is configured on the on-premises device.

    $vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1  -ResourceGroupName $RG1
    $lng6 = Get-AzLocalNetworkGateway  -Name $LNGName6 -ResourceGroupName $RG1
    
    New-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location $Location1 -ConnectionType IPsec -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy6 -SharedKey 'AzureA1b2C3'
    
  3. After completing these steps, the S2S VPN connection uses the defined IPsec/IKE policy with policy-based traffic selectors enabled. You can repeat the same steps to add more connections to additional on-premises policy-based VPN devices from the same Azure VPN gateway.
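The steps above create one connection. The following added example, not code from the original article, applies them to several on-premises policy-based devices from the same gateway, which is the scenario this article exists for. It assumes the resource group and gateway from Step 1 ($RG1, $Location1, $GWName1) already exist; the site names, public IPs and prefixes in $sites are placeholders, and PFS24 is a hardening choice over the article's "PFS None" that each device must also support.

```powershell
# Added example: connect one route-based Azure VPN gateway to several on-premises
# policy-based devices. Values in $sites are assumptions for illustration.
$RG1       = "TestPolicyRG1"
$Location1 = "China North"
$GWName1   = "VNet1GW"

# Assumed inventory: one policy-based device per site, each becoming a local network gateway.
$sites = @(
    @{ Name = "Site6"; Ip = "131.107.72.22"; Prefixes = @("10.61.0.0/16", "10.62.0.0/16") },
    @{ Name = "Site7"; Ip = "131.107.72.23"; Prefixes = @("10.71.0.0/16") },
    @{ Name = "Site8"; Ip = "131.107.72.24"; Prefixes = @("10.81.0.0/16", "10.82.0.0/16") }
)

# Pre-shared key from the platform CSPRNG, one per connection, so a key leaked at one
# site is useless against the others. Hex output avoids device-side character limits.
function New-RandomSharedKey {
    param([int]$ByteLength = 32)
    $bytes = New-Object byte[] $ByteLength
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return -join ($bytes | ForEach-Object { $_.ToString("x2") })
}

# Same suite as the article, except PFS24 replaces "None" so every IPsec SA rekey runs a
# fresh Diffie-Hellman exchange. Every peer must support the chosen groups.
$ipsecPolicy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS24 `
    -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000

$vnet1gw    = Get-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
$sharedKeys = @{}   # hand these to the device owners out of band, then discard

foreach ($site in $sites) {
    $lng = New-AzLocalNetworkGateway -Name $site.Name -ResourceGroupName $RG1 -Location $Location1 `
        -GatewayIpAddress $site.Ip -AddressPrefix $site.Prefixes

    $psk = New-RandomSharedKey
    $sharedKeys[$site.Name] = $psk

    # -UsePolicyBasedTrafficSelectors $True makes the gateway propose one selector per
    # (VNet prefix, site prefix) pair instead of any-to-any, which is what a policy-based
    # device expects. A custom -IpsecPolicies value is mandatory alongside it.
    New-AzVirtualNetworkGatewayConnection -Name "VNet1to$($site.Name)" -ResourceGroupName $RG1 `
        -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng -Location $Location1 `
        -ConnectionType IPsec -UsePolicyBasedTrafficSelectors $True `
        -IpsecPolicies $ipsecPolicy -SharedKey $psk | Out-Null
}

# Keys are only needed until each device is configured; print once, then clear them.
$sharedKeys.GetEnumerator() | ForEach-Object { "{0}: {1}" -f $_.Key, $_.Value }
$sharedKeys.Clear()
```

Each site gets its own local network gateway and connection, all sharing the one gateway and policy object; because every connection's selectors pair VNet prefixes with that site's prefixes only, adding sites never creates a path between them.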

Update policy-based traffic selectors

This section shows you how to update the policy-based traffic selectors option on an existing S2S VPN connection.

  1. Get the connection resource.

    $RG1          = "TestPolicyRG1"
    $Connection16 = "VNet1toSite6"
    $connection6  = Get-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
    
  2. View the policy-based traffic selectors option. The following line shows whether policy-based traffic selectors are used for the connection:

    $connection6.UsePolicyBasedTrafficSelectors
    

    If the line returns "True", policy-based traffic selectors are configured on the connection; otherwise it returns "False".

  3. Once you have the connection resource, you can enable or disable policy-based traffic selectors on the connection.

    • To enable

      The following example enables the policy-based traffic selectors option but leaves the IPsec/IKE policy unchanged:

      $RG1          = "TestPolicyRG1"
      $Connection16 = "VNet1toSite6"
      $connection6  = Get-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
      
      Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection6 -UsePolicyBasedTrafficSelectors $True
      
    • To disable

      The following example disables the policy-based traffic selectors option but leaves the IPsec/IKE policy unchanged:

      $RG1          = "TestPolicyRG1"
      $Connection16 = "VNet1toSite6"
      $connection6  = Get-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
      
      Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection6 -UsePolicyBasedTrafficSelectors $False
      
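Beyond toggling the option on one connection, you usually want to know which connections on a gateway already use policy-based traffic selectors and whether the policies behind them are sound. The following added example, not code from the original article, reports that for every connection in a resource group. $RG1 is the article's resource group; the list of algorithms to flag and the PFS check are this editor's review criteria, not an Azure rule.

```powershell
# Added example: report the traffic-selector option and IPsec/IKE policy of every
# connection in a resource group, flagging settings a reviewer would question.
$RG1 = "TestPolicyRG1"

# Assumed review criteria: legacy ciphers, hashes and 768/1024-bit MODP groups.
$weakAlgorithms = @("DES", "DES3", "MD5", "SHA1", "DHGroup1", "DHGroup2", "PFS1", "PFS2")

function Get-ConnectionPolicyReport {
    param([string]$ResourceGroupName)
    # Without -Name the cmdlet lists every connection in the resource group.
    $connections = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $ResourceGroupName
    foreach ($c in $connections) {
        # IpsecPolicies is empty when the connection relies on Azure's default proposals.
        $policy = $null
        if ($c.IpsecPolicies -and $c.IpsecPolicies.Count -gt 0) { $policy = $c.IpsecPolicies[0] }

        $findings = @()
        if ($policy) {
            foreach ($alg in @($policy.IkeEncryption, $policy.IkeIntegrity, $policy.DhGroup,
                               $policy.IpsecEncryption, $policy.IpsecIntegrity, $policy.PfsGroup)) {
                if ($weakAlgorithms -contains "$alg") { $findings += "weak algorithm $alg" }
            }
            if ("$($policy.PfsGroup)" -eq "None") {
                $findings += "PFS disabled: IPsec keys derive from the IKE SA only"
            }
        }

        [pscustomobject]@{
            Connection    = $c.Name
            Status        = $c.ConnectionStatus
            PolicyBasedTS = $c.UsePolicyBasedTrafficSelectors
            IkeSuite      = $(if ($policy) { "$($policy.IkeEncryption)/$($policy.IkeIntegrity)/$($policy.DhGroup)" } else { "default" })
            IpsecSuite    = $(if ($policy) { "$($policy.IpsecEncryption)/$($policy.IpsecIntegrity)/PFS=$($policy.PfsGroup)" } else { "default" })
            Findings      = ($findings -join "; ")
        }
    }
}

Get-ConnectionPolicyReport -ResourceGroupName $RG1 | Format-Table -AutoSize
```

A connection with PolicyBasedTS set to True always has a custom policy, because the gateway refuses the option without one, so the report's value is in the Findings column: run it after each Set-AzVirtualNetworkGatewayConnection change and after onboarding a new device, and treat any non-empty finding on a policy-based connection as something to renegotiate with the device owner.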

Next steps

Once your connection is complete, you can add virtual machines to your virtual networks. See Create a Virtual Machine for steps.

Also review Configure IPsec/IKE policy for S2S VPN or VNet-to-VNet connections for more details on custom IPsec/IKE policies.