使用本机 Azure 证书身份验证配置与 VNet 的点到站点 VPN 连接:Azure 门户Configure a Point-to-Site VPN connection to a VNet using native Azure certificate authentication: Azure portal

本文介绍如何将运行 Windows、Linux 或 macOS 的单个客户端安全地连接到 Azure VNet。This article helps you securely connect individual clients running Windows, Linux, or macOS to an Azure VNet. 若要从远程位置连接到 VNet,例如从家里或会议室进行远程通信,则可使用点到站点 VPN。Point-to-Site VPN connections are useful when you want to connect to your VNet from a remote location, such when you are telecommuting from home or a conference. 如果只有一些客户端需要连接到 VNet,也可使用 P2S VPN 来代替站点到站点 VPN。You can also use P2S instead of a Site-to-Site VPN when you have only a few clients that need to connect to a VNet. 点到站点连接不需要 VPN 设备或面向公众的 IP 地址。Point-to-Site connections do not require a VPN device or a public-facing IP address. P2S 基于 SSTP(安全套接字隧道协议)或 IKEv2 创建 VPN 连接。P2S creates the VPN connection over either SSTP (Secure Socket Tunneling Protocol), or IKEv2. 有关点到站点 VPN 的详细信息,请参阅关于点到站点 VPNFor more information about Point-to-Site VPN, see About Point-to-Site VPN.

从计算机连接到 Azure VNet - 点到站点连接示意图

有关点到站点 VPN 的详细信息,请参阅关于点到站点 VPNFor more information about point-to-site VPN, see About point-to-site VPN. 若要使用 Azure PowerShell 创建此配置,请参阅使用 Azure PowerShell 配置点到站点 VPNTo create this configuration using the Azure PowerShell, see Configure a point-to-site VPN using Azure PowerShell.

点到站点本机 Azure 证书身份验证连接使用在此练习中配置的以下项目:Point-to-site native Azure certificate authentication connections use the following items, which you configure in this exercise:

  • RouteBased VPN 网关。A RouteBased VPN gateway.
  • 适用于根证书的公钥(.cer 文件),已上传到 Azure。The public key (.cer file) for a root certificate, which is uploaded to Azure. 上传证书以后,该证书将被视为受信任的证书,用于身份验证。Once the certificate is uploaded, it is considered a trusted certificate and is used for authentication.
  • 从根证书生成的客户端证书。A client certificate that is generated from the root certificate. 安装在要连接到 VNet 的每个客户端计算机上的客户端证书。The client certificate installed on each client computer that will connect to the VNet. 此证书用于客户端身份验证。This certificate is used for client authentication.
  • VPN 客户端配置。VPN client configuration. 使用 VPN 客户端配置文件配置 VPN 客户端。The VPN client is configured using VPN client configuration files. 这些文件包含客户端连接到 VNet 时所需的信息。These files contain the necessary information for the client to connect to the VNet. 这些文件对操作系统自带的现有 VPN 客户端进行配置。The files configure the existing VPN client that is native to the operating system. 必须使用配置文件中的设置对进行连接的每个客户端进行配置。Each client that connects must be configured using the settings in the configuration files.


确保拥有 Azure 订阅。Verify that you have an Azure subscription. 如果还没有 Azure 订阅,可以注册一个试用帐户If you don't already have an Azure subscription, you can sign up for a trial account.

示例值Example values

可使用以下值创建测试环境,或参考这些值以更好地理解本文中的示例:You can use the following values to create a test environment, or refer to these values to better understand the examples in this article:

  • VNet 名称: VNet1VNet Name: VNet1
  • 地址空间: space:
    对于此示例,我们只使用一个地址空间。For this example, we use only one address space. VNet 可以有多个地址空间。You can have more than one address space for your VNet.
  • 子网名称: FrontEndSubnet name: FrontEnd
  • 子网地址范围: address range:
  • 订阅: 如果有多个订阅,请确保使用正确的订阅。Subscription: If you have more than one subscription, verify that you are using the correct one.
  • 资源组: TestRG1Resource Group: TestRG1
  • 位置: 中国北部Location: China North
  • 网关子网:
  • 虚拟网关名称:VNet1GWVirtual network gateway name: VNet1GW
  • 网关类型: VPNGateway type: VPN
  • VPN 类型: 基于路由VPN type: Route-based
  • 公共 IP 地址名称:VNet1GWpipPublic IP address name: VNet1GWpip
  • 连接类型:点到站点Connection type: Point-to-site
  • 客户端地址池: address pool:
    使用此点到站点连接连接到 VNet 的 VPN 客户端接收来自客户端地址池的 IP 地址。VPN clients that connect to the VNet using this Point-to-Site connection receive an IP address from the client address pool.

1.创建虚拟网络1. Create a virtual network

开始之前,请确保拥有 Azure 订阅。Before beginning, verify that you have an Azure subscription. 如果还没有 Azure 订阅,可以注册一个试用帐户If you don't already have an Azure subscription, you can sign up for a trial account.


使用虚拟网络作为跨界体系结构的一部分时,请务必与本地网络管理员进行协调,以划分一个 IP 地址范围专供此虚拟网络使用。When using a virtual network as part of a cross-premises architecture, be sure to coordinate with your on-premises network administrator to carve out an IP address range that you can use specifically for this virtual network. 如果 VPN 连接的两端存在重复的地址范围,则会以意外方式路由流量。If a duplicate address range exists on both sides of the VPN connection, traffic will route in an unexpected way. 此外,若要将此虚拟网络连接到另一个虚拟网络,地址空间不能与另一虚拟网络重叠。Additionally, if you want to connect this virtual network to another virtual network, the address space cannot overlap with the other virtual network. 相应地规划网络配置。Plan your network configuration accordingly.

  1. 登录到 Azure 门户Sign in to the Azure portal.

  2. 在“搜索资源、服务和文档(G+/)”中,键入“虚拟网络”。 In Search resources, service, and docs (G+/), type virtual network.

    查找“虚拟网络”资源页Locate Virtual Network resource page

  3. 从“市场”结果中选择“虚拟网络”。 Select Virtual Network from the Marketplace results.

    选择虚拟网络Select virtual network

  4. 在“虚拟网络”页上选择“创建”。 On the Virtual Network page, select Create.

    虚拟网络页virtual network page

  5. 选择“创建”后,会打开“创建虚拟网络”页。 Once you select Create, the Create virtual network page opens.

  6. 在“基本信息”选项卡上,配置“项目详细信息”和“实例详细信息”VNet 设置。 On the Basics tab, configure Project details and Instance details VNet settings.

    “基本信息”选项卡在填写字段时,如果在字段中输入的字符通过了验证,则会出现绿色的对钩标记。Basics tab When you fill in the fields, you see a green check mark when the characters you enter in the field are validated. 某些值是自动填写的,你可以将其替换为自己的值:Some values are autofilled, which you can replace with your own values:

    • 订阅:确认列出的订阅是正确的。Subscription: Verify that the subscription listed is the correct one. 可以使用下拉列表更改订阅。You can change subscriptions by using the drop-down.
    • 资源组:选择现有资源组,或单击“新建”以创建新资源组 。Resource group: Select an existing resource group, or click Create new to create a new one. 有关资源组的详细信息,请参阅 Azure 资源管理器概述For more information about resource groups, see Azure Resource Manager overview.
    • 名称:输入虚拟网络的名称。Name: Enter the name for your virtual network.
    • 区域:选择 VNet 的位置。Region: Select the location for your VNet. 该位置确定要部署到此 VNet 的资源将位于哪里。The location determines where the resources that you deploy to this VNet will live.
  7. 在“IP 地址”选项卡上配置值。 On the IP Addresses tab, configure the values. 以下示例中显示的值用于演示目的。The values shown in the examples below are for demonstration purposes. 根据所需的设置调整这些值。Adjust these values according to the settings that you require.

    “IP 地址”选项卡IP addresses tab

    • IPv4 地址空间:默认情况下,系统会自动创建一个地址空间。IPv4 address space: By default, an address space is automatically created. 可以单击该地址空间,将其调整为反映你自己的值。You can click the address space to adjust it to reflect your own values. 还可以添加更多的地址空间。You can also add additional address spaces.
    • 子网:如果你使用默认地址空间,则会自动创建一个默认子网。Subnet: If you use the default address space, a default subnet is created automatically. 如果你更改地址空间,则需要添加一个子网。If you change the address space, you need to add a subnet. 选择“+添加子网”,打开“添加子网”窗口 。Select + Add subnet to open the Add subnet window. 配置以下设置,然后选择“添加”来添加值:Configure the following settings and then select Add to add the values:
      • 子网名称:在本例中,我们已将子网命名为“FrontEnd”。Subnet name: In this example, we named the subnet "FrontEnd".
      • 子网地址范围:此子网的地址范围。Subnet address range: The address range for this subnet.
  8. 暂时在“安全”选项卡上保留默认值:On the Security tab, at this time, leave the default values:

    • 防火墙:已禁用Firewall: Disabled
  9. 选择“审阅 + 创建”,验证虚拟网络设置。Select Review + create to validate the virtual network settings.

  10. 验证设置后,选择“创建”。After the settings have been validated, select Create.

2.创建虚拟网关2. Create a virtual network gateway

在此步骤中,为 VNet 创建虚拟网络网关。In this step, you create the virtual network gateway for your VNet. 创建网关通常需要 45 分钟或更长的时间,具体取决于所选的网关 SKU。Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.


基本网关 SKU 不支持 IKEv2 或 RADIUS 身份验证。The Basic gateway SKU does not support IKEv2 or RADIUS authentication. 如果计划将 Mac 客户端连接到虚拟网络,请不要使用基本 SKU。If you plan on having Mac clients connect to your virtual network, do not use the Basic SKU.

虚拟网络网关使用称作“网关子网”的特定子网。The virtual network gateway uses specific subnet called the gateway subnet. 网关子网是虚拟网络 IP 地址范围的一部分,该范围是在配置虚拟网络时指定的。The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. 网关子网包含虚拟网络网关资源和服务使用的 IP 地址。It contains the IP addresses that the virtual network gateway resources and services use.

创建网关子网时,请指定子网包含的 IP 地址数。When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. 所需的 IP 地址数目取决于要创建的 VPN 网关配置。The number of IP addresses needed depends on the VPN gateway configuration that you want to create. 有些配置需要具有比其他配置更多的 IP 地址。Some configurations require more IP addresses than others. 我们建议创建使用 /27 或 /28 的网关子网。We recommend that you create a gateway subnet that uses a /27 or /28.

如果出现错误,指出地址空间与子网重叠,或者子网不包含在虚拟网络的地址空间中,请检查 VNet 地址范围。If you see an error that specifies that the address space overlaps with a subnet, or that the subnet is not contained within the address space for your virtual network, check your VNet address range. 出错的原因可能是为虚拟网络创建的地址范围中没有足够的可用 IP 地址。You may not have enough IP addresses available in the address range you created for your virtual network. 例如,如果默认子网包含整个地址范围,则不会有剩余的 IP 地址用于创建更多子网。For example, if your default subnet encompasses the entire address range, there are no IP addresses left to create additional subnets. 可以调整现有地址空间中的子网以释放 IP 地址,或指定额外的地址范围并在其中创建网关子网。You can either adjust your subnets within the existing address space to free up IP addresses, or specify an additional address range and create the gateway subnet there.

  1. Azure 门户的“搜索资源、服务和文档(G+/)”中,键入“虚拟网络网关” 。From the Azure portal, in Search resources, services, and docs (G+/) type virtual network gateway. 在搜索结果中找到“虚拟网络网关”,并选中它。Locate Virtual network gateway in the search results and select it.


  2. 在“虚拟网络网关”页上选择“+ 添加” 。On the Virtual network gateway page, select + Add. 这会打开“创建虚拟网关”页 。This opens the Create virtual network gateway page.


  3. 在“基本信息”选项卡上,填写虚拟网关的值。 On the Basics tab, fill in the values for your virtual network gateway.



    • 订阅:从下拉列表中选择要使用的订阅。Subscription: Select the subscription you want to use from the dropdown.
    • 资源组:在此页上选择虚拟网络后,此设置将自动进行填充。Resource Group: This setting is autofilled when you select your virtual network on this page.

    实例详细信息Instance details

    • 名称:为网关命名。Name: Name your gateway. 为网关命名与为网关子网命名不同。Naming your gateway not the same as naming a gateway subnet. 它是要创建的网关对象的名称。It's the name of the gateway object you are creating.
    • 区域:选择要在其中创建此资源的区域。Region: Select the region in which you want to create this resource. 网关的区域必须与虚拟网络相同。The region for the gateway must be the same as the virtual network.
    • 网关类型:选择“VPN”。 Gateway type: Select VPN. VPN 网关使用虚拟网络网关类型“VPN” 。VPN gateways use the virtual network gateway type VPN.
    • VPN 类型:选择为你的配置指定的 VPN 类型。VPN type: Select the VPN type that is specified for your configuration. 大多数配置需要''基于路由'' VPN 类型。Most configurations require a Route-based VPN type.
    • SKU:从下拉列表中选择网关 SKU。SKU: Select the gateway SKU from the dropdown. 下拉列表中列出的 SKU 取决于选择的 VPN 类型。The SKUs listed in the dropdown depend on the VPN type you select. 有关网关 SKU 的详细信息,请参阅网关 SKUFor more information about gateway SKUs, see Gateway SKUs.
    • 虚拟网络:从下拉列表中,选择要将此网关添加到其中的虚拟网络。Virtual network: From the dropdown, select the virtual network to which you want to add this gateway.
    • 网关子网地址范围:仅当 VNet 没有网关子网时,此字段才会显示。Gateway subnet address range: This field only appears if your VNet doesn't have a gateway subnet. 如果可能,请将范围设置为 /27 或更大(/26、/25 等)。If possible, make the range /27 or larger (/26,/25 etc.). 建议不要创建任何小于 /28 的范围。We don't recommend creating a range any smaller than /28. 如果你已有网关子网,可通过导航到虚拟网络来查看 GatewaySubnet 详细信息。If you already have a gateway subnet, you can view GatewaySubnet details by navigating to your virtual network. 单击“子网”,以查看范围。Click Subnets to view the range. 如果要更改范围,可以删除并重新创建 GatewaySubnet。If you want to change the range, you can delete and recreate the GatewaySubnet.

    公共 IP 地址Public IP address

    此设置指定与 VPN 网关关联的公共 IP 地址对象。This setting specifies the public IP address object that gets associated to the VPN gateway. 创建 VPN 网关后,会将公共 IP 地址动态分配给此对象。The public IP address is dynamically assigned to this object when the VPN gateway is created. 公共 IP 地址只在删除或重新创建网关时更改。The only time the Public IP address changes is when the gateway is deleted and re-created. 该地址不会因为 VPN 网关大小调整、重置或其他内部维护/升级而更改。It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

    • 公共 IP 地址:让“新建” 保持选中状态。Public IP address: Leave Create new selected.
    • 公共 IP 地址名称:在文本框中,键入公共 IP 地址实例的名称。Public IP address name: In the text box, type a name for your public IP address instance.
    • 分配:VPN 网关仅支持“动态”。Assignment: VPN gateway supports only Dynamic.
    • 启用主动-主动模式:仅当要创建主动-主动网关配置时,才选择“启用主动-主动模式”。Enable active-active mode: Only select Enable active-active mode if you are creating an active-active gateway configuration. 否则,请让此设置保留“禁用”状态。Otherwise, leave this setting Disabled.
    • 让“配置 BGP”保留“禁用”状态,除非你的配置特别需要此设置 。Leave Configure BGP as Disabled, unless your configuration specifically requires this setting. 如果确实需要此设置,则默认 ASN 为 65515,但可以更改此值。If you do require this setting, the default ASN is 65515, although this can be changed.
  4. 选择“查看 + 创建” ,运行验证。Select Review + create to run validation.

  5. 验证通过后,选择“创建” 以部署 VPN 网关。Once validation passes, select Create to deploy the VPN gateway.

网关可能需要长达 45 分钟才能完全创建和部署。A gateway can take up to 45 minutes to fully create and deploy. 可以在网关的“概述”页上查看部署状态。You can see the deployment status on the Overview page for your gateway. 创建网关后,可以通过在门户中查看虚拟网络,来查看已分配给网关的 IP 地址。After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. 网关显示为连接的设备。The gateway appears as a connected device.

3.生成证书3. Generate certificates

Azure 使用证书对通过点到站点 VPN 连接连接到 VNet 的客户端进行身份验证。Certificates are used by Azure to authenticate clients connecting to a VNet over a Point-to-Site VPN connection. 获得根证书后,即可将公钥信息上传到 Azure。Once you obtain a root certificate, you upload the public key information to Azure. 然后,Azure 就会将该根证书视为通过 P2S 连接到虚拟网络时需要使用的“受信任的”证书。The root certificate is then considered 'trusted' by Azure for connection over P2S to the virtual network. 也可从受信任的根证书生成客户端证书,然后将其安装在每个客户端计算机上。You also generate client certificates from the trusted root certificate, and then install them on each client computer. 当客户端发起与 VNet 的连接时,需使用客户端证书对客户端进行身份验证。The client certificate is used to authenticate the client when it initiates a connection to the VNet.

生成根证书Generate a root certificate

获取根证书的 .cer 文件。Obtain the .cer file for the root certificate. 你可以使用通过企业解决方案生成的根证书(推荐),或者生成自签名证书。You can use either a root certificate that was generated with an enterprise solution (recommended), or generate a self-signed certificate. 创建根证书后,将公共证书数据(不是私钥)作为 Base64 编码的 X.509 .cer 文件导出。After you create the root certificate, export the public certificate data (not the private key) as a Base64 encoded X.509 .cer file. 稍后,请将此文件上传到 Azure。You upload this file later to Azure.

  • 企业证书: 如果使用的是企业级解决方案,可以使用现有的证书链。Enterprise certificate: If you're using an enterprise solution, you can use your existing certificate chain. 获取要使用的根证书的 .cer 文件。Acquire the .cer file for the root certificate that you want to use.

  • 自签名根证书: 如果使用的不是企业证书解决方案,请创建自签名根证书。Self-signed root certificate: If you aren't using an enterprise certificate solution, create a self-signed root certificate. 否则,创建的证书将不兼容 P2S 连接,客户端在尝试连接时会收到连接错误。Otherwise, the certificates you create won't be compatible with your P2S connections and clients will receive a connection error when they try to connect. 可以使用 Azure PowerShell、MakeCert 或 OpenSSL。You can use Azure PowerShell, MakeCert, or OpenSSL. 以下文章中的步骤介绍了如何生成兼容的自签名根证书:The steps in the following articles describe how to generate a compatible self-signed root certificate:

    • Windows 10 PowerShell 指令:这些指令需要 Windows 10 和 PowerShell 才能生成证书。Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to generate certificates. 从根证书生成的客户端证书可以安装在任何受支持的 P2S 客户端上。Client certificates that are generated from the root certificate can be installed on any supported P2S client.
    • MakeCert 指令:使用 MakeCert 的前提是,无法接触用于生成证书的 Windows 10 计算机。MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer to use to generate certificates. 虽然 MakeCert 已弃用,但仍可使用它来生成证书。Although MakeCert is deprecated, you can still use it to generate certificates. 从根证书生成的客户端证书可以安装在任何受支持的 P2S 客户端上。Client certificates that you generate from the root certificate can be installed on any supported P2S client.
    • Linux 说明Linux instructions.

生成客户端证书Generate client certificates

在使用点到站点连接连接到 VNet 的每台客户端计算机上,必须安装客户端证书。Each client computer that you connect to a VNet with a Point-to-Site connection must have a client certificate installed. 请从根证书生成它,然后将它安装在每个客户端计算机上。You generate it from the root certificate and install it on each client computer. 如果未安装有效的客户端证书,则当客户端尝试连接到 VNet 时,身份验证会失败。If you don't install a valid client certificate, authentication will fail when the client tries to connect to the VNet.

可以为每个客户端生成唯一证书,也可以对多个客户端使用同一证书。You can either generate a unique certificate for each client, or you can use the same certificate for multiple clients. 生成唯一客户端证书的优势是能够吊销单个证书。The advantage to generating unique client certificates is the ability to revoke a single certificate. 否则,如果多个客户端使用相同的客户端证书进行身份验证而你将其撤销,则需为所有使用该证书的客户端生成并安装新证书。Otherwise, if multiple clients use the same client certificate to authenticate and you revoke it, you'll need to generate and install new certificates for every client that uses that certificate.

可以通过以下方法生成客户端证书:You can generate client certificates by using the following methods:

  • 企业证书:Enterprise certificate:

    • 如果使用的是企业证书解决方案,请使用通用名称值格式“name@yourdomain.com” 生成客户端证书,If you're using an enterprise certificate solution, generate a client certificate with the common name value format name@yourdomain.com. 而不要使用“域名\用户名”格式。 Use this format instead of the domain name\username format.

    • 请确保客户端证书基于“用户”证书模板,该模板将“客户端身份验证”列为用户列表中的第一项。 Make sure the client certificate is based on a user certificate template that has Client Authentication listed as the first item in the user list. 检查证书的方式是:双击证书,然后在“详细信息”选项卡中查看“增强型密钥用法” 。Check the certificate by double-clicking it and viewing Enhanced Key Usage in the Details tab.

  • 自签名根证书: 按照下述某篇 P2S 证书文章中的步骤操作,使创建的客户端证书兼容 P2S 连接。Self-signed root certificate: Follow the steps in one of the following P2S certificate articles so that the client certificates you create will be compatible with your P2S connections.

    从自签名根证书生成客户端证书时,该证书会自动安装在用于生成该证书的计算机上。When you generate a client certificate from a self-signed root certificate, it's automatically installed on the computer that you used to generate it. 如果想要在另一台客户端计算机上安装客户端证书,请以 .pfx 文件格式导出该证书以及整个证书链。If you want to install a client certificate on another client computer, export it as a .pfx file, along with the entire certificate chain. 这样做会创建一个 .pfx 文件,其中包含的根证书信息是客户端进行身份验证所必需的。Doing so will create a .pfx file that contains the root certificate information required for the client to authenticate.

    这些文章中的步骤可生成兼容的客户端证书,然后你可以导出和分发该证书。The steps in these articles generate a compatible client certificate, which you can then export and distribute.

    • Windows 10 PowerShell 指令:这些指令需要 Windows 10 和 PowerShell 才能生成证书。Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to generate certificates. 生成的证书可以安装在任何受支持的 P2S 客户端上。The generated certificates can be installed on any supported P2S client.

    • MakeCert 说明:如果无权访问 Windows 10 计算机来生成证书,请使用 MakeCert。MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer for generating certificates. 虽然 MakeCert 已弃用,但仍可使用它来生成证书。Although MakeCert is deprecated, you can still use it to generate certificates. 可以将生成的证书安装在任何受支持的 P2S 客户端上。You can install the generated certificates on any supported P2S client.

    • Linux 说明Linux instructions.

4.添加客户端地址池4. Add the client address pool

客户端地址池是指定的专用 IP 地址的范围。The client address pool is a range of private IP addresses that you specify. 通过点到站点 VPN 进行连接的客户端动态接收此范围内的 IP 地址。The clients that connect over a Point-to-Site VPN dynamically receive an IP address from this range. 使用专用 IP 地址范围时,该范围不得与要通过其进行连接的本地位置重叠,也不得与要连接到其中的 VNet 重叠。Use a private IP address range that does not overlap with the on-premises location that you connect from, or the VNet that you want to connect to. 如果配置了多个协议,并且 SSTP 是其中一个协议,则配置的地址池将在配置的协议之间平均分配。If you configure multiple protocols and SSTP is one of the protocols, then the configured address pool is split between the configured protocols equally.

  1. 创建虚拟网关后,请导航到虚拟网关页的“设置”部分。Once the virtual network gateway has been created, navigate to the Settings section of the virtual network gateway page. 在“设置”中,选择“点到站点配置” 。In Settings, select Point-to-site configuration. 选择“立即配置”,打开配置页。Select Configure now to open the configuration page.


  2. 在“点到站点配置”页上,可以配置各种设置。On the Point-to-site configuration page, you can configure a variety of settings. 如果此页上未显示“隧道类型”或“身份验证类型”,则表示网关使用的是基本 SKU。If you don't see Tunnel type or Authentication type on this page, your gateway is using the Basic SKU. 基本 SKU 不支持 IKEv2 或 RADIUS 身份验证。The Basic SKU does not support IKEv2 or RADIUS authentication. 若要使用这些设置,需要使用另一网关 SKU 删除并重新创建网关。If you want to use these settings, you need to delete and recreate the gateway using a different gateway SKU.


  3. 在“地址池”框中,添加要使用的专用 IP 地址范围。In the Address pool box, add the private IP address range that you want to use. VPN 客户端动态接收指定范围内的 IP 地址。VPN clients dynamically receive an IP address from the range that you specify. 主动/被动配置的最小子网掩码为 29 位,主动/主动配置的最小子网掩码为 28 位。The minimum subnet mask is 29 bit for active/passive and 28 bit for active/active configuration.

  4. 转到下一部分,配置隧道类型。Go to the next section to configure tunnel type.

5.配置隧道类型5. Configure tunnel type

选择隧道类型。Select the tunnel type. 隧道选项为 OpenVPN、SSTP 和 IKEv2。The tunnel options are OpenVPN, SSTP and IKEv2.

  • Android 和 Linux 上的 strongSwan 客户端以及 iOS 和 OSX 上的本机 IKEv2 VPN 客户端仅会使用 IKEv2 隧道进行连接。The strongSwan client on Android and Linux and the native IKEv2 VPN client on iOS and OSX will use only IKEv2 tunnel to connect.
  • Windows 客户端会首先尝试 IKEv2,如果不能连接,则会回退到 SSTP。Windows clients try IKEv2 first and if that doesn't connect, they fall back to SSTP.
  • 可以使用 OpenVPN 客户端连接到 OpenVPN 隧道类型。You can use the OpenVPN client to connect to the OpenVPN tunnel type.


6.配置身份验证类型6. Configure authentication type

对于“身份验证类型”,请选择“Azure 证书”。For Authentication type, select Azure certificate.


7.上传根证书的公共证书数据7. Upload the root certificate public certificate data

可以上传更多受信任的根证书(最多 20 个)。You can upload additional trusted root certificates up to a total of 20. 上传公共证书数据后,Azure 即可使用该数据对已安装客户端证书(根据受信任的根证书生成)的客户端进行身份验证。Once the public certificate data is uploaded, Azure can use it to authenticate clients that have installed a client certificate generated from the trusted root certificate. 将根证书的公钥信息上传到 Azure。Upload the public key information for the root certificate to Azure.

  1. 证书在“点到站点配置”页的“根证书”部分添加。Certificates are added on the Point-to-site configuration page in the Root certificate section.

  2. 请确保已导出了格式为 Base-64 编码的 X.509 (.cer) 文件的根证书。Make sure that you exported the root certificate as a Base-64 encoded X.509 (.cer) file. 需要以这种格式导出证书,以便使用文本编辑器打开该证书。You need to export the certificate in this format so you can open the certificate with text editor.

  3. 使用记事本之类的文本编辑器打开该证书。Open the certificate with a text editor, such as Notepad. 复制证书数据时,请确保将文本复制为一个无回车符或换行符的连续行。When copying the certificate data, make sure that you copy the text as one continuous line without carriage returns or line feeds. 可能需要在文本编辑器中将视图修改为“显示符号/显示所有字符”以查看回车符和换行符。You may need to modify your view in the text editor to 'Show Symbol/Show all characters' to see the carriage returns and line feeds. 仅将以下部分复制为一个连续行:Copy only the following section as one continuous line:


  4. 将证书数据粘贴到“公共证书数据”字段中。Paste the certificate data into the Public Certificate Data field. 命名 该证书,然后选择“保存”。Name the certificate, and then select Save. 最多可以添加 20 个受信任的根证书。You can add up to 20 trusted root certificates.


  5. 选择页面顶部的“保存”,保存所有配置设置。Select Save at the top of the page to save all of the configuration settings.


8.安装已导出的客户端证书8. Install an exported client certificate

如果想要从另一台客户端计算机(而不是用于生成客户端证书的计算机)创建 P2S 连接,需要安装客户端证书。If you want to create a P2S connection from a client computer other than the one you used to generate the client certificates, you need to install a client certificate. 安装客户端证书时,需要使用导出客户端证书时创建的密码。When installing a client certificate, you need the password that was created when the client certificate was exported.

确保已将客户端证书与整个证书链(默认)一起作为 .pfx 导出。Make sure the client certificate was exported as a .pfx along with the entire certificate chain (which is the default). 否则,根证书信息就不会出现在客户端计算机上,客户端将无法进行正常的身份验证。Otherwise, the root certificate information isn't present on the client computer and the client won't be able to authenticate properly.

有关安装步骤,请参阅安装客户端证书For install steps, see Install a client certificate.

9.生成和安装 VPN 客户端配置包9. Generate and install the VPN client configuration package

VPN 客户端配置文件包含的设置用来对设备进行配置以通过 P2S 连接来连接到 VNet。The VPN client configuration files contain settings to configure devices to connect to a VNet over a P2S connection. 有关生成和安装 VPN 客户端配置文件的说明,请参阅为本机 Azure 证书身份验证 P2S 配置创建和安装 VPN 客户端配置文件For instructions to generate and install VPN client configuration files, see Create and install VPN client configuration files for native Azure certificate authentication P2S configurations.

10.连接到 Azure10. Connect to Azure

从 Windows VPN 客户端进行连接To connect from a Windows VPN client


在要从其进行连接的 Windows 客户端计算机上,你必须拥有管理员权限。You must have Administrator rights on the Windows client computer from which you are connecting.

  1. 若要连接到 VNet,请在客户端计算机上导航到 VPN 设置,找到创建的 VPN 连接。To connect to your VNet, on the client computer, navigate to VPN settings and locate the VPN connection that you created. 其名称与虚拟网络的名称相同。It's named the same name as your virtual network. 选择“连接” 。Select Connect. 可能会出现与使用证书相关的弹出消息。A pop-up message may appear that refers to using the certificate. 选择“继续”,以便使用提升的权限。Select Continue to use elevated privileges.

  2. 在“连接”状态页上,选择“连接”以启动连接。On the Connection status page, select Connect to start the connection. 如果看到 “选择证书” 屏幕,请确保所显示的客户端证书是要用于连接的证书。If you see a Select Certificate screen, verify that the client certificate showing is the one that you want to use to connect. 如果不是,请使用下拉箭头选择正确的证书,并选择“确定”。If it is not, use the drop-down arrow to select the correct certificate, and then select OK.

    从 Windows 计算机连接

  3. 连接已建立。Your connection is established.

    从计算机连接到 Azure VNet - 点到站点连接示意图

如果在连接时遇到问题,请检查以下项:If you have trouble connecting, check the following items:

  • 如果你已通过证书导出向导导出客户端证书,请确保已将其导出为 .pfx 文件并选中了“包括证书路径中的所有证书(如果可能)”。 If you exported a client certificate with Certificate Export Wizard, make sure that you exported it as a .pfx file and selected Include all certificates in the certification path if possible. 使用此值将其导出时,也会导出根证书信息。When you export it with this value, the root certificate information is also exported. 在客户端计算机上安装证书后,还会安装 .pfx 文件中的根证书。After you install the certificate on the client computer, the root certificate in the .pfx file is also installed. 若要验证是否安装了根证书,请打开“管理用户证书” ,然后选择“受信任的根证书颁发机构\证书” 。To verify that the root certificate is installed, open Manage user certificates and select Trusted Root Certification Authorities\Certificates. 验证是否列出了根证书,必须存在根证书才能进行身份验证。Verify that the root certificate is listed, which must be present for authentication to work.

  • 如果使用的是由企业 CA 解决方案颁发的证书,并且无法进行身份验证,请在客户端证书上验证身份验证顺序。If you used a certificate that was issued by an Enterprise CA solution and you can't authenticate, verify the authentication order on the client certificate. 通过双击客户端证书,选择“详细信息”选项卡并选择“增强型密钥用法”来检查身份验证列表顺序。 Check the authentication list order by double-clicking the client certificate, selecting the Details tab, and then selecting Enhanced Key Usage. 确保此列表中的第一项是“客户端身份验证”。 Make sure Client Authentication is the first item in the list. 如果不是,请基于将“客户端身份验证”作为列表中第一项的用户模板颁发客户端证书。 If it isn't, issue a client certificate based on the user template that has Client Authentication as the first item in the list.

  • 如需更多的 P2S 故障排除信息,请参阅排查 P2S 连接问题For additional P2S troubleshooting information, see Troubleshoot P2S connections.

从 Mac VPN 客户端进行连接To connect from a Mac VPN client

在“网络”对话框中,找到要使用的客户端配置文件,在 VpnSettings.xml 中指定设置,然后选择“连接”。From the Network dialog box, locate the client profile that you want to use, specify the settings from the VpnSettings.xml, and then select Connect.

请查看安装 - Mac (OS X) 获取详细说明。Check Install - Mac (OS X) for detailed instructions. 如果连接有问题,请验证虚拟网络网关是否未使用基本 SKU。If you are having trouble connecting, verify that the virtual network gateway is not using a Basic SKU. Mac 客户端不支持基本 SKU。Basic SKU is not supported for Mac clients.

Mac VPN 客户端连接

验证连接To verify your connection

这些说明适用于 Windows 客户端。These instructions apply to Windows clients.

  1. 如果要验证用户的 VPN 连接是否处于活动状态,请打开提升的命令提示符,并运行 ipconfig/allTo verify that your VPN connection is active, open an elevated command prompt, and run ipconfig/all.

  2. 查看结果。View the results. 请注意,收到的 IP 地址是在配置中指定的点到站点 VPN 客户端地址池中的地址之一。Notice that the IP address you received is one of the addresses within the Point-to-Site VPN Client Address Pool that you specified in your configuration. 结果与以下示例类似:The results are similar to this example:

    PPP adapter VNet1:
       Connection-specific DNS Suffix .:
       Description.....................: VNet1
       Physical Address................:
       DHCP Enabled....................: No
       Autoconfiguration Enabled.......: Yes
       IPv4 Address....................:
       Subnet Mask.....................:
       Default Gateway.................:
       NetBIOS over Tcpip..............: Enabled

连接到虚拟机To connect to a virtual machine

这些说明适用于 Windows 客户端。These instructions apply to Windows clients.

可以连接到已部署到 VNet 的 VM,方法是创建到 VM 的远程桌面连接。You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to your VM. 若要通过初始验证来确认能否连接到 VM,最好的方式是使用其专用 IP 地址而不是计算机名称进行连接。The best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather than computer name. 这种方式是测试能否进行连接,而不是测试名称解析是否已正确配置。That way, you are testing to see if you can connect, not whether name resolution is configured properly.

  1. 定位专用 IP 地址。Locate the private IP address. 查找 VM 的专用 IP 地址时,可以通过 Azure 门户或 PowerShell 查看 VM 的属性。You can find the private IP address of a VM by either looking at the properties for the VM in the Azure portal, or by using PowerShell.

    • Azure 门户 - 在 Azure 门户中定位虚拟机。Azure portal - Locate your virtual machine in the Azure portal. 查看 VM 的属性。View the properties for the VM. 专用 IP 地址已列出。The private IP address is listed.

    • PowerShell - 通过此示例查看资源组中的 VM 和专用 IP 地址的列表。PowerShell - Use the example to view a list of VMs and private IP addresses from your resource groups. 在使用此示例之前不需对其进行修改。You don't need to modify this example before using it.

      $VMs = Get-AzVM
      $Nics = Get-AzNetworkInterface | Where VirtualMachine -ne $null
      foreach($Nic in $Nics)
      $VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
      $Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
      $Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
      Write-Output "$($VM.Name): $Prv,$Alloc"
  2. 验证你是否已使用点到站点 VPN 连接连接到 VNet。Verify that you are connected to your VNet using the Point-to-Site VPN connection.

  3. 打开 远程桌面连接,方法是:在任务栏的搜索框中键入“RDP”或“远程桌面连接”,并选择“远程桌面连接”。Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on the taskbar, then select Remote Desktop Connection. 也可在 PowerShell 中使用“mstsc”命令打开远程桌面连接。You can also open Remote Desktop Connection using the 'mstsc' command in PowerShell.

  4. 在远程桌面连接中,输入 VM 的专用 IP 地址。In Remote Desktop Connection, enter the private IP address of the VM. 可以通过单击“显示选项”来调整其他设置,并进行连接。You can click "Show Options" to adjust additional settings, then connect.

排查连接问题Troubleshoot a connection

如果无法通过 VPN 连接连接到虚拟机,请查看以下项目:If you are having trouble connecting to a virtual machine over your VPN connection, check the following:

  • 验证 VPN 连接是否成功。Verify that your VPN connection is successful.

  • 验证是否已连接到 VM 的专用 IP 地址。Verify that you are connecting to the private IP address for the VM.

  • 如果可以使用专用 IP 地址连接到 VM,但不能使用计算机名称进行连接,则请验证是否已正确配置 DNS。If you can connect to the VM using the private IP address, but not the computer name, verify that you have configured DNS properly. 若要详细了解如何对 VM 进行名称解析,请参阅针对 VM 的名称解析For more information about how name resolution works for VMs, see Name Resolution for VMs.

  • 若要详细了解 RDP 连接,请参阅排查远程桌面连接到 VM 的问题For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.

  • 验证是否在为 VNet 指定 DNS 服务器 IP 地址之后,才生成 VPN 客户端配置包。Verify that the VPN client configuration package was generated after the DNS server IP addresses were specified for the VNet. 如果更新了 DNS 服务器 IP 地址,请生成并安装新的 VPN 客户端配置包。If you updated the DNS server IP addresses, generate and install a new VPN client configuration package.

  • 使用“ipconfig”检查分配给以太网适配器的 IPv4 地址,该适配器所在的计算机正是你要从其进行连接的计算机。Use 'ipconfig' to check the IPv4 address assigned to the Ethernet adapter on the computer from which you are connecting. 如果该 IP 地址位于要连接到的 VNet 的地址范围内,或者位于 VPNClientAddressPool 的地址范围内,则称为地址空间重叠。If the IP address is within the address range of the VNet that you are connecting to, or within the address range of your VPNClientAddressPool, this is referred to as an overlapping address space. 当地址空间以这种方式重叠时,网络流量不会抵达 Azure,而是呆在本地网络中。When your address space overlaps in this way, the network traffic doesn't reach Azure, it stays on the local network.

添加或删除受信任的根证书To add or remove trusted root certificates

可以在 Azure 中添加和删除受信任的根证书。You can add and remove trusted root certificates from Azure. 删除根证书时,如果客户端的证书是从该根生成的,则客户端不能进行身份验证,因此无法进行连接。When you remove a root certificate, clients that have a certificate generated from that root won't be able to authenticate, and thus will not be able to connect. 如果希望客户端进行身份验证和连接,则需安装新客户端证书,该证书是从委托(上传)给 Azure 的根证书生成的。If you want a client to authenticate and connect, you need to install a new client certificate generated from a root certificate that is trusted (uploaded) to Azure.

添加受信任的根证书To add a trusted root certificate

最多可以将 20 个受信任的根证书 .cer 文件添加到 Azure。You can add up to 20 trusted root certificate .cer files to Azure. 有关说明,请参阅本文的上载受信任的根证书部分。For instructions, see the section Upload a trusted root certificate in this article.

删除受信任的根证书To remove a trusted root certificate

  1. 若要删除受信任的根证书,请导航到虚拟网关的“点到站点配置”页。To remove a trusted root certificate, navigate to the Point-to-site configuration page for your virtual network gateway.
  2. 在页面的“根证书”部分,找到要删除的证书。In the Root certificate section of the page, locate the certificate that you want to remove.
  3. 选择证书旁的省略号,并选择“删除”。Select the ellipsis next to the certificate, and then select 'Remove'.

吊销客户端证书To revoke a client certificate

可以吊销客户端证书。You can revoke client certificates. 证书吊销列表用于选择性地拒绝基于单个客户端证书的点到站点连接。The certificate revocation list allows you to selectively deny Point-to-Site connectivity based on individual client certificates. 这不同于删除受信任的根证书。This is different than removing a trusted root certificate. 如果从 Azure 中删除受信任的根证书 .cer,它会吊销由吊销的根证书生成/签名的所有客户端证书的访问权限。If you remove a trusted root certificate .cer from Azure, it revokes the access for all client certificates generated/signed by the revoked root certificate. 如果吊销客户端证书而非根证书,则可继续使用从根证书生成的其他证书进行身份验证。Revoking a client certificate, rather than the root certificate, allows the other certificates that were generated from the root certificate to continue to be used for authentication.

常见的做法是使用根证书管理团队或组织级别的访问权限,并使用吊销的客户端证书针对单个用户进行精细的访问控制。The common practice is to use the root certificate to manage access at team or organization levels, while using revoked client certificates for fine-grained access control on individual users.

吊销客户端证书Revoke a client certificate

可以通过将指纹添加到吊销列表来吊销客户端证书。You can revoke a client certificate by adding the thumbprint to the revocation list.

  1. 检索客户端证书指纹。Retrieve the client certificate thumbprint. 有关详细信息,请参阅如何检索证书的指纹For more information, see How to retrieve the Thumbprint of a Certificate.
  2. 将信息复制到一个文本编辑器,删除所有空格,使之成为一个连续的字符串。Copy the information to a text editor and remove all spaces so that it is a continuous string.
  3. 导航到虚拟网关的“点到站点配置”页。Navigate to the virtual network gateway Point-to-site-configuration page. 此页面正是用来上传受信任的根证书的页面。This is the same page that you used to upload a trusted root certificate.
  4. 在“吊销的证书”部分,输入证书的友好名称(不必是证书 CN)。In the Revoked certificates section, input a friendly name for the certificate (it doesn't have to be the certificate CN).
  5. 将指纹字符串复制并粘贴到“指纹”字段。Copy and paste the thumbprint string to the Thumbprint field.
  6. 指纹将进行验证,并会自动添加到吊销列表。The thumbprint validates and is automatically added to the revocation list. 屏幕上会显示一条消息,指出列表正在进行更新。A message appears on the screen that the list is updating.
  7. 更新完成后,不再可以使用证书来连接。After updating has completed, the certificate can no longer be used to connect. 客户端在尝试使用此证书进行连接时,会收到一条消息,指出证书不再有效。Clients that try to connect using this certificate receive a message saying that the certificate is no longer valid.

点到站点常见问题解答Point-to-Site FAQ

在我的点到站点配置中,可以有多少 VPN 客户端终结点?How many VPN client endpoints can I have in my Point-to-Site configuration?

这取决于网关 SKU。It depends on the gateway SKU. 有关支持的连接数的详细信息,请参阅网关 SKUFor more information on the number of connections supported, see Gateway SKUs.

点到站点连接可以用于哪些客户端操作系统?What client operating systems can I use with Point-to-Site?

支持以下客户端操作系统:The following client operating systems are supported:

  • Windows 7(32 位和 64 位)Windows 7 (32-bit and 64-bit)
  • Windows Server 2008 R2(仅 64 位)Windows Server 2008 R2 (64-bit only)
  • Windows 8.1(32 位和 64 位)Windows 8.1 (32-bit and 64-bit)
  • Windows Server 2012(仅 64 位)Windows Server 2012 (64-bit only)
  • Windows Server 2012 R2(仅 64 位)Windows Server 2012 R2 (64-bit only)
  • Windows Server 2016(仅 64 位)Windows Server 2016 (64-bit only)
  • Windows Server 2019(仅限 64 位)Windows Server 2019 (64-bit only)
  • Windows 10Windows 10
  • Mac OS X 版本 10.11 或更高版本Mac OS X version 10.11 or above
  • Linux (StrongSwan)Linux (StrongSwan)
  • iOSiOS


从 2018 年 7 月 1 日开始,Azure VPN 网关将不再支持 TLS 1.0 和 1.1。Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN 网关将仅支持 TLS 1.2。VPN Gateway will support only TLS 1.2. 若要维持支持,请参阅更新以支持 TLS1.2To maintain support, see the updates to enable support for TLS1.2.

此外,TLS 也将于 2018 年 7 月 1 日起弃用以下旧算法:Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:

  • RC4 (Rivest Cipher 4)RC4 (Rivest Cipher 4)
  • DES(数据加密算法)DES (Data Encryption Algorithm)
  • 3DES(三重数据加密算法)3DES (Triple Data Encryption Algorithm)
  • MD5(消息摘要 5)MD5 (Message Digest 5)

如何在 Windows 7 和 Windows 8.1 中启用对 TLS 1.2 的支持?How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?

  1. 右键单击“命令提示符” 并选择“以管理员身份运行” ,使用提升的权限打开命令提示符。Open a command prompt with elevated privileges by right-clicking on Command Prompt and selecting Run as administrator.

  2. 请在命令提示符处运行以下命令:Run the following commands in the command prompt:

    reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v TlsVersion /t REG_DWORD /d 0xfc0
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
    if %PROCESSOR_ARCHITECTURE% EQU AMD64 reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
  3. 安装以下更新:Install the following updates:

  4. 重新启动计算机。Reboot the computer.

  5. 连接到 VPN。Connect to the VPN.


如果运行的是旧版本的 Windows 10 (10240),则必须设置上述注册表项。You will have to set the above registry key if you are running an older version of Windows 10 (10240).

能否使用点到站点功能穿越代理和防火墙?Can I traverse proxies and firewalls using Point-to-Site capability?

Azure 支持三种类型的点到站点 VPN 选项:Azure supports three types of Point-to-site VPN options:

  • 安全套接字隧道协议 (SSTP)。Secure Socket Tunneling Protocol (SSTP). SSTP 是 Microsoft 专有的基于 SSL 的解决方案,它可以穿透防火墙,因为大多数防火墙都打开了 443 SSL 使用的出站 TCP 端口。SSTP is a Microsoft proprietary SSL-based solution that can penetrate firewalls since most firewalls open the outbound TCP port that 443 SSL uses.

  • OpenVPN。OpenVPN. OpenVPN 是基于 SSL 的解决方案,它可以穿透防火墙,因为大多数防火墙都打开了 443 SSL 使用的出站 TCP 端口。OpenVPN is a SSL-based solution that can penetrate firewalls since most firewalls open the outbound TCP port that 443 SSL uses.

  • IKEv2 VPN。IKEv2 VPN. IKEv2 VPN 是一个基于标准的 IPsec VPN 解决方案,它使用出站 UDP 端口 500 和 4500 以及 IP 协议号。IKEv2 VPN is a standards-based IPsec VPN solution that uses outbound UDP ports 500 and 4500 and IP protocol no. 50。50. 防火墙并非始终打开这些端口,因此,IKEv2 VPN 有可能无法穿过代理和防火墙。Firewalls do not always open these ports, so there is a possibility of IKEv2 VPN not being able to traverse proxies and firewalls.

如果重新启动进行过点到站点配置的客户端计算机,是否会自动重新连接 VPN?If I restart a client computer configured for Point-to-Site, will the VPN automatically reconnect?

默认情况下,客户端计算机将不自动重新建立 VPN 连接。By default, the client computer will not reestablish the VPN connection automatically.

点到站点在 VPN 客户端上是否支持自动重新连接和 DDNS?Does Point-to-Site support auto-reconnect and DDNS on the VPN clients?

点到站点 VPN 中当前不支持自动重新连接和 DDNS。Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.

对于同一虚拟网络,站点到站点和点到站点配置能否共存?Can I have Site-to-Site and Point-to-Site configurations coexist for the same virtual network?

是的。Yes. 对于资源管理器部署模型,必须为网关使用 RouteBased VPN 类型。For the Resource Manager deployment model, you must have a RouteBased VPN type for your gateway. 对于经典部署模型,需要一个动态网关。For the classic deployment model, you need a dynamic gateway. 不支持将点到站点配置用于静态路由 VPN 网关或 PolicyBased VPN 网关。We do not support Point-to-Site for static routing VPN gateways or PolicyBased VPN gateways.

能否将点到站点客户端配置为同时连接到多个虚拟网络网关?Can I configure a Point-to-Site client to connect to multiple virtual network gateways at the same time?

根据所使用的 VPN 客户端软件,你可能可以连接到多个虚拟网络网关,前提是,要连接到的虚拟网络在它们或客户端要从中进行连接的网络之间不存在冲突的地址空间。Depending on the VPN Client software used, you may be able to connect to multiple Virtual Network Gateways provided the virtual networks being connected to do not have conflicting address spaces between them or the network from with the client is connecting from. 尽管 Azure VPN 客户端支持多个 VPN 连接,但在任何给定时间,都只能建立一个连接。While the Azure VPN Client supports many VPN connections, only one connection can be Connected at any given time.

能否将点到站点客户端配置为同时连接到多个虚拟网络?Can I configure a Point-to-Site client to connect to multiple virtual networks at the same time?

可以。与其他 VNet 对等互连的 VNet 中部署的虚拟网络网关之间的点到站点连接可能可以访问其他对等互连 VNet。Yes, Point-to-Site connections to a Virtual Network Gateway deployed in a VNet that is peered with other VNets may have access to other peered VNets. 如果对等互连 VNet 使用 UseRemoteGateway/AllowGatewayTransit 功能,点到站点客户端将能够连接到这些对等互连 VNet。Provided the peered VNets are using the UseRemoteGateway / AllowGatewayTransit features, the Point-to-Site client will be able to connect to those peered VNets. 有关详细信息,请参阅此文For more information please reference this article.

预计通过站点到站点连接或点到站点连接的吞吐量有多少?How much throughput can I expect through Site-to-Site or Point-to-Site connections?

很难维持 VPN 隧道的准确吞吐量。It's difficult to maintain the exact throughput of the VPN tunnels. IPsec 和 SSTP 是重重加密的 VPN 协议。IPsec and SSTP are crypto-heavy VPN protocols. 本地网络与 Internet 之间的延迟和带宽也限制了吞吐量。Throughput is also limited by the latency and bandwidth between your premises and the Internet. 对于仅具有 IKEv2 点到站点 VPN 连接的 VPN 网关,期望可以实现的总吞吐量取决于网关 SKU。For a VPN Gateway with only IKEv2 Point-to-Site VPN connections, the total throughput that you can expect depends on the Gateway SKU. 有关吞吐量的详细信息,请参阅网关 SKUFor more information on throughput, see Gateway SKUs.

是否可以将任何软件 VPN 客户端用于支持 SSTP 和/或 IKEv2 的点到站点配置?Can I use any software VPN client for Point-to-Site that supports SSTP and/or IKEv2?

不是。No. 只能将 Windows 上的本机 VPN 客户端用于 SSTP,只能将 Mac 上的本机 VPN 客户端用于 IKEv2。You can only use the native VPN client on Windows for SSTP, and the native VPN client on Mac for IKEv2. 但是,可以在所有平台上使用 OpenVPN 客户端,以便通过 OpenVPN 协议进行连接。However, you can use the OpenVPN client on all platforms to connect over OpenVPN protocol. 请参阅支持的客户端操作系统的列表。Refer to the list of supported client operating systems.

Azure 是否支持使用 Windows 的 IKEv2 VPN?Does Azure support IKEv2 VPN with Windows?

在 Windows 10 和 Server 2016 上支持 IKEv2。IKEv2 is supported on Windows 10 and Server 2016. 但是,若要使用 IKEv2,必须在本地安装更新并设置注册表项值。However, in order to use IKEv2, you must install updates and set a registry key value locally. Windows 10 以前的 OS 版本不受支持,并且只能使用 SSTP 或 OpenVPN® 协议OS versions prior to Windows 10 are not supported and can only use SSTP or OpenVPN® Protocol.

为运行 IKEv2 准备 Windows 10 或 Server 2016:To prepare Windows 10 or Server 2016 for IKEv2:

  1. 安装更新。Install the update.

    OS 版本OS version DateDate 编号/链接Number/Link
    Windows Server 2016Windows Server 2016
    Windows 10 版本 1607Windows 10 Version 1607
    2018 年 1 月 17 日January 17, 2018 KB4057142KB4057142
    Windows 10 版本 1703Windows 10 Version 1703 2018 年 1 月 17 日January 17, 2018 KB4057144KB4057144
    Windows 10 版本 1709Windows 10 Version 1709 2018 年 3 月 22 日March 22, 2018 KB4089848KB4089848
  2. 设置注册表项值。Set the registry key value. 在注册表中创建“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\ IKEv2\DisableCertReqPayload”REG_DWORD 键或将其设置为 1。Create or set “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\ IKEv2\DisableCertReqPayload” REG_DWORD key in the registry to 1.

为 P2S VPN 连接配置 SSTP 和 IKEv2 时,会发生什么情况?What happens when I configure both SSTP and IKEv2 for P2S VPN connections?

在混合环境(包括 Windows 和 Mac 设备)中同时配置了 SSTP 和 IKEv2 时,Windows VPN 客户端始终将先尝试使用 IKEv2 隧道,但如果 IKEv2 连接不成功将回退到 SSTP。When you configure both SSTP and IKEv2 in a mixed environment (consisting of Windows and Mac devices), the Windows VPN client will always try IKEv2 tunnel first, but will fall back to SSTP if the IKEv2 connection is not successful. MacOSX 将仅通过 IKEv2 进行连接。MacOSX will only connect via IKEv2.

除了 Windows 和 Mac 以外,Azure 还支持在其他哪些平台上使用 P2S VPN?Other than Windows and Mac, which other platforms does Azure support for P2S VPN?

Azure 支持将 Windows、Mac 和 Linux 用于 P2S VPN。Azure supports Windows, Mac and Linux for P2S VPN.

我已部署 Azure VPN 网关。I already have an Azure VPN Gateway deployed. 是否可在该网关上启用 RADIUS 和/或 IKEv2 VPN?Can I enable RADIUS and/or IKEv2 VPN on it?

是的,可以使用 Powershell 或 Azure 门户在已部署的网关上启用这些新功能,前提是所用网关 SKU 支持 RADIUS 和/或 IKEv2。Yes, you can enable these new features on already deployed gateways using Powershell or the Azure portal, provided that the gateway SKU that you are using supports RADIUS and/or IKEv2. 例如,VPN 网关基本 SKU 不支持 RADIUS 或 IKEv2。For example, the VPN gateway Basic SKU does not support RADIUS or IKEv2.

如何删除 P2S 连接的配置?How do I remove the configuration of a P2S connection?

可以通过 Azure CLI 和 PowerShell 使用以下命令删除 P2S 配置:A P2S configuration can be removed using Azure CLI and PowerShell using the following commands:

Azure PowerShellAzure PowerShell

$gw=Get-AzVirtualNetworkGateway -name <gateway-name>`  
$gw.VPNClientConfiguration = $null`  
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw`

Azure CLIAzure CLI

az network vnet-gateway update --name <gateway-name> --resource-group <resource-group name> --remove "vpnClientConfiguration"

如果在使用证书身份验证进行连接时收到指示证书不匹配的消息,我该怎么办?What should I do if I'm getting a certificate mismatch when connecting using certificate authentication?

取消选中“通过验证证书来验证服务器的标识” ,或在手动创建配置文件时 将服务器 FQDN 随证书一起添加Uncheck "Verify the server's identity by validating the certificate" or add the server FQDN along with the certificate when creating a profile manually. 为此,可以在命令提示符下运行 rasphone,并从下拉列表中选择配置文件。You can do this by running rasphone from a command prompt and picking the profile from the drop-down list.

通常不建议绕过服务器标识验证,但在使用 Azure 证书身份验证的情况下,会在 VPN 隧道协议 (IKEv2/SSTP) 和 EAP 协议中将同一证书用于服务器验证。Bypassing server identity validation is not recommended in general, but with Azure certificate authentication, the same certificate is being used for server validation in the VPN tunneling protocol (IKEv2/SSTP) and the EAP protocol. 由于服务器证书和 FQDN 已通过 VPN 隧道协议进行验证,因此在 EAP 中再次验证同一证书就是多余的。Since the server certificate and FQDN is already validated by the VPN tunneling protocol, it is redundant to validate the same again in EAP.

点到站点身份验证point-to-site auth

是否可以使用自己的内部 PKI 根 CA 来生成用于点到站点连接的证书?Can I use my own internal PKI root CA to generate certificates for Point-to-Site connectivity?

是的。Yes. 以前只可使用自签名根证书。Previously, only self-signed root certificates could be used. 仍可上传 20 个根证书。You can still upload 20 root certificates.

是否可以使用 Azure 密钥保管库中的证书?Can I use certificates from Azure Key Vault?


可以使用哪些工具来创建证书?What tools can I use to create certificates?

可以使用企业 PKI 解决方案(内部 PKI)、Azure PowerShell、MakeCert 和 OpenSSL。You can use your Enterprise PKI solution (your internal PKI), Azure PowerShell, MakeCert, and OpenSSL.

是否有证书设置和参数的说明?Are there instructions for certificate settings and parameters?

  • 内部 PKI/企业 PKI 解决方案: 请参阅 生成证书的步骤。Internal PKI/Enterprise PKI solution: See the steps to Generate certificates.

  • Azure PowerShell: 请参阅 Azure PowerShell 一文了解相关步骤。Azure PowerShell: See the Azure PowerShell article for steps.

  • MakeCert: 请参阅 MakeCert 一文了解相关步骤。MakeCert: See the MakeCert article for steps.

  • OpenSSL:OpenSSL:

    • 导出证书时,请务必将根证书转换为 Base64。When exporting certificates, be sure to convert the root certificate to Base64.

    • 对于客户端证书:For the client certificate:

      • 创建私钥时,请将长度指定为 4096。When creating the private key, specify the length as 4096.
      • 创建证书时,对于 -extensions 参数,指定 usr_certWhen creating the certificate, for the -extensions parameter, specify usr_cert.

后续步骤Next steps

连接完成后,即可将虚拟机添加到虚拟网络。Once your connection is complete, you can add virtual machines to your virtual networks. 有关详细信息,请参阅虚拟机For more information, see Virtual Machines. 若要详细了解网络和虚拟机,请参阅 Azure 和 Linux VM 网络概述To understand more about networking and virtual machines, see Azure and Linux VM network overview.

有关 P2S 故障排除信息,请参阅排查 Azure 点到站点连接问题For P2S troubleshooting information, Troubleshooting Azure point-to-site connections.