Configure a Point-to-Site VPN connection to a VNet using native Azure certificate authentication: PowerShell

This article helps you securely connect individual clients running Windows, Linux, or macOS to an Azure VNet. Point-to-Site VPN connections are useful when you want to connect to your VNet from a remote location, such as when you are telecommuting from home or a conference. You can also use P2S instead of a Site-to-Site VPN when you have only a few clients that need to connect to a VNet. Point-to-Site connections do not require a VPN device or a public-facing IP address. P2S creates the VPN connection over either SSTP (Secure Socket Tunneling Protocol) or IKEv2.

Diagram: Point-to-Site connection from a computer to an Azure VNet

For more information about Point-to-Site VPN, see About Point-to-Site VPN. To create this configuration using the Azure portal, see Configure a Point-to-Site VPN using the Azure portal.

Point-to-Site native Azure certificate authentication connections use the following items, which you configure in this exercise:

  • A RouteBased VPN gateway.
  • The public key (.cer file) for a root certificate, which is uploaded to Azure. Once the certificate is uploaded, it is considered a trusted certificate and is used for authentication.
  • A client certificate that is generated from the root certificate. The client certificate is installed on each client computer that will connect to the VNet. This certificate is used for client authentication.
  • VPN client configuration. The VPN client is configured using VPN client configuration files. These files contain the necessary information for the client to connect to the VNet. The files configure the existing VPN client that is native to the operating system. Each client that connects must be configured using the settings in the configuration files.


Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can sign up for a trial account.

Azure PowerShell

You can install and run the Azure PowerShell cmdlets locally on your computer. PowerShell cmdlets are updated frequently. If you have not installed the latest version, the values specified in the instructions may fail. To find the versions of Azure PowerShell installed on your computer, use the Get-Module -ListAvailable Az cmdlet. To install or update, see Install the Azure PowerShell module.

1. Sign in

Open your PowerShell console with elevated privileges.

If you run Azure PowerShell locally, connect to your Azure account. The Connect-AzAccount cmdlet prompts you for credentials. After authenticating, it downloads your account settings so that they are available to Azure PowerShell.

Connect-AzAccount -Environment AzureChinaCloud

If you have more than one subscription, get a list of your Azure subscriptions.


Specify the subscription that you want to use.

Select-AzSubscription -SubscriptionName "Name of subscription"

2. Declare variables

We use variables for this article so that you can easily change the values to apply to your own environment without having to change the examples themselves. Declare the variables that you want to use. You can use the following sample, substituting your own values where necessary. If you close your PowerShell session at any point during the exercise, just copy and paste the values again to re-declare the variables.

$VNetName  = "VNet1"
$FESubName = "FrontEnd"
$GWSubName = "GatewaySubnet"
$VNetPrefix = ""
$FESubPrefix = ""
$GWSubPrefix = ""
$VPNClientAddressPool = ""
$RG = "TestRG1"
$Location = "ChinaNorth"
$GWName = "VNet1GW"
$GWIPName = "VNet1GWpip"
$GWIPconfName = "gwipconf"
$DNS = ""

3. Configure a VNet

  1. Create a resource group.

    New-AzResourceGroup -Name $RG -Location $Location
  2. Create the subnet configurations for the virtual network, naming them FrontEnd and GatewaySubnet. These prefixes must be part of the VNet address space that you declared.

    $fesub = New-AzVirtualNetworkSubnetConfig -Name $FESubName -AddressPrefix $FESubPrefix
    $gwsub = New-AzVirtualNetworkSubnetConfig -Name $GWSubName -AddressPrefix $GWSubPrefix
  3. Create the virtual network.

    In this example, the -DnsServer parameter is optional. Specifying a value does not create a new DNS server. The DNS server IP address that you specify should be a DNS server that can resolve the names of the resources you are connecting to from your VNet. This example uses a private IP address, but it is likely not the IP address of your DNS server. Be sure to use your own values. The value you specify is used by the resources that you deploy to the VNet, not by the P2S connection or the VPN client.

    New-AzVirtualNetwork `
      -ResourceGroupName $RG `
      -Location $Location `
      -Name $VNetName `
      -AddressPrefix $VNetPrefix `
      -Subnet $fesub, $gwsub `
      -DnsServer $DNS
  4. Specify the variables for the virtual network you created.

    $vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RG
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
  5. A VPN gateway must have a public IP address. You first request the IP address resource, and then refer to it when creating your virtual network gateway. The IP address is dynamically assigned to the resource when the VPN gateway is created. VPN Gateway currently supports only dynamic public IP address allocation. You cannot request a static public IP address assignment. However, this doesn't mean that the IP address changes after it has been assigned to your VPN gateway. The only time the public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

    Request a dynamically assigned public IP address.

    $pip = New-AzPublicIpAddress -Name $GWIPName -ResourceGroupName $RG -Location $Location -AllocationMethod Dynamic
    $ipconf = New-AzVirtualNetworkGatewayIpConfig -Name $GWIPconfName -Subnet $subnet -PublicIpAddress $pip

4. Create the VPN gateway

In this step, you configure and create the virtual network gateway for your VNet.

  • The -GatewayType must be Vpn and the -VpnType must be RouteBased.
  • The -VpnClientProtocol is used to specify the types of tunnels that you would like to enable. The tunnel options are OpenVPN, SSTP, and IKEv2. You can choose to enable one of them or any supported combination. If you want to enable multiple types, specify the names separated by a comma. OpenVPN and SSTP cannot be enabled together. The strongSwan client on Android and Linux and the native IKEv2 VPN client on iOS and OSX will use only the IKEv2 tunnel to connect. Windows clients try IKEv2 first and, if that doesn't connect, fall back to SSTP. You can use the OpenVPN client to connect to the OpenVPN tunnel type.
  • The virtual network gateway 'Basic' SKU does not support IKEv2, OpenVPN, or RADIUS authentication. If you are planning on having Mac clients connect to your virtual network, do not use the Basic SKU.
  • A VPN gateway can take up to 45 minutes to complete, depending on the gateway SKU you select. This example uses IKEv2.
  1. Configure and create the virtual network gateway for your VNet. It takes approximately 45 minutes for the gateway to create.

    New-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG `
    -Location $Location -IpConfigurations $ipconf -GatewayType Vpn `
    -VpnType RouteBased -EnableBgp $false -GatewaySku VpnGw1 -VpnClientProtocol "IKEv2"
  2. Once your gateway is created, you can view it using the following example. If you closed PowerShell or it timed out while your gateway was being created, you can declare your variables again.

    Get-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG

5. Add the VPN client address pool

After the VPN gateway finishes creating, you can add the VPN client address pool. The VPN client address pool is the range from which the VPN clients receive an IP address when connecting. Use a private IP address range that does not overlap with the on-premises location that you connect from, or with the VNet that you want to connect to.

In this example, the VPN client address pool is declared as a variable in an earlier step.

$Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway -VpnClientAddressPool $VPNClientAddressPool

6. Generate certificates

Certificates are used by Azure to authenticate VPN clients for Point-to-Site VPNs. You upload the public key information of the root certificate to Azure. The public key is then considered 'trusted'. Client certificates must be generated from the trusted root certificate, and then installed on each client computer in the Certificates-Current User/Personal certificate store. The certificate is used to authenticate the client when it initiates a connection to the VNet.

If you use self-signed certificates, they must be created using specific parameters. You can create a self-signed certificate using the instructions for PowerShell and Windows 10, or, if you don't have Windows 10, you can use MakeCert. It's important that you follow the steps in the instructions when generating self-signed root certificates and client certificates. Otherwise, the certificates you generate will not be compatible with P2S connections and you will receive a connection error.

Root certificate

  1. Obtain the .cer file for the root certificate. You can use either a root certificate that was generated with an enterprise solution (recommended), or generate a self-signed certificate. After you create the root certificate, export the public certificate data (not the private key) as a Base64 encoded X.509 .cer file. You upload this file later to Azure.

    • Enterprise certificate: If you're using an enterprise solution, you can use your existing certificate chain. Acquire the .cer file for the root certificate that you want to use.

    • Self-signed root certificate: If you aren't using an enterprise certificate solution, create a self-signed root certificate. Otherwise, the certificates you create won't be compatible with your P2S connections and clients will receive a connection error when they try to connect. You can use Azure PowerShell, MakeCert, or OpenSSL. The steps in the following articles describe how to generate a compatible self-signed root certificate:

      • Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to generate certificates. Client certificates that are generated from the root certificate can be installed on any supported P2S client.
      • MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer to generate certificates. Although MakeCert is deprecated, you can still use it to generate certificates. Client certificates that you generate from the root certificate can be installed on any supported P2S client.
      • Linux instructions.
  2. After you create the root certificate, export the public certificate data (not the private key) as a Base64 encoded X.509 .cer file.

Client certificate

  1. Each client computer that you connect to a VNet with a Point-to-Site connection must have a client certificate installed. You generate it from the root certificate and install it on each client computer. If you don't install a valid client certificate, authentication will fail when the client tries to connect to the VNet.

    You can either generate a unique certificate for each client, or you can use the same certificate for multiple clients. The advantage of generating unique client certificates is the ability to revoke a single certificate. Otherwise, if multiple clients use the same client certificate to authenticate and you revoke it, you'll need to generate and install new certificates for every client that uses that certificate.

    You can generate client certificates by using the following methods:

    • Enterprise certificate:

      • If you're using an enterprise certificate solution, generate a client certificate with the common name value format name@yourdomain.com. Use this format instead of the domain name\username format.

      • Make sure the client certificate is based on a user certificate template that has Client Authentication listed as the first item in the user list. Check the certificate by double-clicking it and viewing Enhanced Key Usage in the Details tab.

    • Self-signed root certificate: Follow the steps in one of the following P2S certificate articles so that the client certificates you create will be compatible with your P2S connections.

      When you generate a client certificate from a self-signed root certificate, it's automatically installed on the computer that you used to generate it. If you want to install a client certificate on another client computer, export it as a .pfx file, along with the entire certificate chain. Doing so creates a .pfx file that contains the root certificate information required for the client to authenticate.

      The steps in these articles generate a compatible client certificate, which you can then export and distribute.

      • Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to generate certificates. The generated certificates can be installed on any supported P2S client.

      • MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer for generating certificates. Although MakeCert is deprecated, you can still use it to generate certificates. You can install the generated certificates on any supported P2S client.

      • Linux instructions.

  2. After you create the client certificate, export it. The client certificate will be distributed to the client computers that will connect.
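Before exporting a client certificate, it is worth checking the properties the gateway will later depend on: a private key, a validity window, Client Authentication as the first Enhanced Key Usage entry, and a chain that ends at the root whose .cer you upload. The following PowerShell function is an added example, not code from the article; the function name is hypothetical and $RootThumbprint is the thumbprint of your own root certificate.

```powershell
# Added example (not part of the original article): pre-flight checks on a client
# certificate in Cert:\CurrentUser\My before it is exported as a .pfx.
function Test-P2SClientCertificate {
    param(
        [Parameter(Mandatory)] [string] $ClientThumbprint,   # thumbprint of the client certificate
        [Parameter(Mandatory)] [string] $RootThumbprint      # thumbprint of the root .cer uploaded to Azure
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth ("Client Authentication")
    $cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$ClientThumbprint" -ErrorAction Stop
    $problems = @()

    # The native client signs the EAP-TLS handshake with the private key, so it must be present.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key in CurrentUser\My' }

    # Validity window: an expired or not-yet-valid certificate is rejected by the gateway.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "not valid at $now (NotBefore=$($cert.NotBefore), NotAfter=$($cert.NotAfter))"
    }

    # Enhanced Key Usage: Client Authentication must be the first entry in the list.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) {
        $problems += 'no Enhanced Key Usage extension'
    } else {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids.Count -eq 0 -or $oids[0] -ne $clientAuthOid) {
            $problems += "Client Authentication is not the first EKU (found: $($oids -join ', '))"
        }
    }

    # Chain: the certificate must chain to the root whose public key Azure trusts.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # A self-signed root is not in the Trusted Root store on the generating machine, so allow an
    # unknown CA and offer the user's personal store as extra chain material.
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $chain.ChainPolicy.ExtraStore.AddRange(@(Get-ChildItem -Path Cert:\CurrentUser\My))
    $null = $chain.Build($cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $expectedRoot = ($RootThumbprint -replace '\s', '').ToUpper()
    if ($top.Thumbprint -ne $expectedRoot) {
        $problems += "chain ends at '$($top.Subject)' ($($top.Thumbprint)), not the uploaded root"
    }
    $chain.Dispose()

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Issuer     = $cert.Issuer
        Ready      = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage (placeholders, replace with your own thumbprints):
# Test-P2SClientCertificate -ClientThumbprint '<client thumbprint>' -RootThumbprint '<root thumbprint>'
```

A result with Ready = $true means the certificate satisfies the checks the article's troubleshooting section asks you to verify by hand; any entry in Problems names the specific property to fix before exporting.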

7. Upload the root certificate public key information

Verify that your VPN gateway has finished creating. Once it has completed, you can upload the .cer file (which contains the public key information) for a trusted root certificate to Azure. Once a .cer file is uploaded, Azure can use it to authenticate clients that have installed a client certificate generated from the trusted root certificate. You can upload additional trusted root certificate files - up to a total of 20 - later, if needed.


You can use PowerShell locally on your computer, or follow the Azure portal steps.

  1. Declare the variable for your certificate name, replacing the value with your own.

    $P2SRootCertName = "P2SRootCert.cer"
  2. Replace the file path with your own, and then run the cmdlets.

    $filePathForCert = "C:\cert\P2SRootCert.cer"
    $cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)
    $CertBase64 = [system.convert]::ToBase64String($cert.RawData)
  3. Upload the public key information to Azure. Once the certificate information is uploaded, Azure considers it to be a trusted root certificate. You can also upload it by following the Azure portal steps.

    Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName -VirtualNetworkGatewayname "VNet1GW" -ResourceGroupName "TestRG1" -PublicCertData $CertBase64
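Every root on the gateway can issue client certificates that the gateway accepts, so after uploading it is useful to read back the full trusted set and compare it with the .cer files you intended to trust. The function below is an added example, not the article's own code; its name is hypothetical, and it assumes the Get-AzVpnClientRootCertificate cmdlet returns objects whose PublicCertData is the Base64 DER you uploaded.

```powershell
# Added example (not part of the original article): compare the root certificates the
# gateway trusts with the local .cer files you expect, flagging unexpected or expired roots.
function Compare-P2SRootCertificates {
    param(
        [Parameter(Mandatory)] [string]   $ResourceGroupName,
        [Parameter(Mandatory)] [string]   $GatewayName,
        [Parameter(Mandatory)] [string[]] $ExpectedCerPath   # local Base64 .cer files you intend to trust
    )
    $x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

    # Thumbprints of the roots you expect, keyed for lookup.
    $expected = @{}
    foreach ($path in $ExpectedCerPath) {
        $c = New-Object -TypeName $x509 -ArgumentList $path
        $expected[$c.Thumbprint] = $path
    }

    # PublicCertData is the Base64 DER passed to Add-AzVpnClientRootCertificate; decode it back
    # into a certificate object so subject, thumbprint and expiry can be inspected.
    $onGateway = Get-AzVpnClientRootCertificate -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName
    $report = foreach ($r in $onGateway) {
        $bytes = [Convert]::FromBase64String($r.PublicCertData)
        $c = New-Object -TypeName $x509 -ArgumentList (,$bytes)
        [pscustomobject]@{
            Name       = $r.Name
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
            Expired    = ($c.NotAfter -lt (Get-Date))
            Expected   = $expected.ContainsKey($c.Thumbprint)
        }
    }

    # Expected files that are not (or no longer) on the gateway.
    $seen    = @($report | ForEach-Object { $_.Thumbprint })
    $missing = @($expected.Keys | Where-Object { $seen -notcontains $_ } | ForEach-Object { $expected[$_] })

    [pscustomobject]@{
        Roots      = $report                                        # everything the gateway trusts
        Unexpected = @($report | Where-Object { -not $_.Expected })  # roots nobody intended to upload
        MissingCer = $missing                                       # local .cer files not yet uploaded
    }
}

# Usage with the variables declared earlier in the article (the file path is a placeholder):
# Compare-P2SRootCertificates -ResourceGroupName $RG -GatewayName $GWName -ExpectedCerPath 'C:\cert\P2SRootCert.cer'
```

An entry in Unexpected is a root that can mint accepted client certificates without your knowledge and should be removed; an Expired root still needs replacing, since clients chained to it will stop authenticating.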

8. Install an exported client certificate

The following steps help you install on a Windows client. For additional clients and more information, see Install a client certificate.

If you want to create a P2S connection from a client computer other than the one you used to generate the client certificates, you need to install a client certificate. When installing a client certificate, you need the password that was created when the client certificate was exported.

  1. Locate and copy the .pfx file to the client computer. On the client computer, double-click the .pfx file to install it. Leave the Store Location as Current User, and then select Next.
  2. On the File to import page, don't make any changes. Select Next.
  3. On the Private key protection page, input the password for the certificate, or verify that the security principal is correct, and then select Next.
  4. On the Certificate Store page, leave the default location, and then select Next.
  5. Select Finish. On the Security Warning for the certificate installation, select Yes. You can comfortably select 'Yes' for this security warning because you generated the certificate.
  6. The certificate is now successfully imported.

Make sure the client certificate was exported as a .pfx along with the entire certificate chain (which is the default). Otherwise, the root certificate information isn't present on the client computer and the client won't be able to authenticate properly.

9. Configure the VPN client

In this section, you configure the native client for your computer to connect to the virtual network gateway. For example, when you go to VPN settings on your Windows computer, you can add VPN connections. A Point-to-Site connection requires specific configuration settings. These steps help you create a package with the specific settings your native VPN client needs to be able to connect to the virtual network over a Point-to-Site connection.

You can use the following quick examples to generate and install the client configuration package. For more information about package contents and additional instructions about how to generate and install VPN client configuration files, see Create and install VPN client configuration files.

If you need to declare your variables again, you can find them here.

To generate configuration files

$profile=New-AzVpnClientConfiguration -ResourceGroupName $RG -Name $GWName -AuthenticationMethod "EapTls"


To install the client configuration package

You can use the same VPN client configuration package on each Windows client computer, as long as the version matches the architecture for the client. For the list of client operating systems that are supported, see the Point-to-Site section of the VPN Gateway FAQ.


You must have Administrator rights on the Windows client computer from which you want to connect.

Use the following steps to configure the native Windows VPN client for certificate authentication:

  1. Select the VPN client configuration files that correspond to the architecture of the Windows computer. For a 64-bit processor architecture, choose the 'VpnClientSetupAmd64' installer package. For a 32-bit processor architecture, choose the 'VpnClientSetupX86' installer package.
  2. Double-click the package to install it. If you see a SmartScreen popup, click More info, then Run anyway.
  3. On the client computer, navigate to Network Settings and click VPN. The VPN connection shows the name of the virtual network that it connects to.
  4. Before you attempt to connect, verify that you have installed a client certificate on the client computer. A client certificate is required for authentication when using the native Azure certificate authentication type.

10. Connect to Azure

Windows VPN client


You must have Administrator rights on the Windows client computer from which you are connecting.

  1. To connect to your VNet, on the client computer, navigate to VPN settings and locate the VPN connection that you created. It has the same name as your virtual network. Select Connect. A pop-up message may appear that refers to using the certificate. Select Continue to use elevated privileges.

  2. On the Connection status page, select Connect to start the connection. If you see a Select Certificate screen, verify that the client certificate shown is the one that you want to use to connect. If it is not, use the drop-down arrow to select the correct certificate, and then select OK.

    Screenshot: connecting from a Windows computer

  3. Your connection is established.

    Diagram: Point-to-Site connection from a computer to an Azure VNet

If you have trouble connecting, check the following items:

  • If you exported a client certificate with the Certificate Export Wizard, make sure that you exported it as a .pfx file and selected Include all certificates in the certification path if possible. When you export it with this value, the root certificate information is also exported. After you install the certificate on the client computer, the root certificate in the .pfx file is also installed. To verify that the root certificate is installed, open Manage user certificates and select Trusted Root Certification Authorities\Certificates. Verify that the root certificate is listed; it must be present for authentication to work.

  • If you used a certificate that was issued by an Enterprise CA solution and you can't authenticate, verify the authentication order on the client certificate. Check the authentication list order by double-clicking the client certificate, selecting the Details tab, and then selecting Enhanced Key Usage. Make sure Client Authentication is the first item in the list. If it isn't, issue a client certificate based on the user template that has Client Authentication as the first item in the list.

  • For additional P2S troubleshooting information, see Troubleshoot P2S connections.

Mac VPN client

From the Network dialog box, locate the client profile that you want to use, then click Connect. Check Install - Mac (OS X) for detailed instructions. If you are having trouble connecting, verify that the virtual network gateway is not using a Basic SKU. The Basic SKU is not supported for Mac clients.

Screenshot: Mac connection

To verify a connection

These instructions apply to Windows clients.

  1. To verify that your VPN connection is active, open an elevated command prompt, and run ipconfig/all.

  2. View the results. Notice that the IP address you received is one of the addresses within the Point-to-Site VPN Client Address Pool that you specified in your configuration. The results are similar to this example:

    PPP adapter VNet1:
       Connection-specific DNS Suffix .:
       Description.....................: VNet1
       Physical Address................:
       DHCP Enabled....................: No
       Autoconfiguration Enabled.......: Yes
       IPv4 Address....................:
       Subnet Mask.....................:
       Default Gateway.................:
       NetBIOS over Tcpip..............: Enabled

To connect to a virtual machine

These instructions apply to Windows clients.

You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to your VM. The best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather than the computer name. That way, you are testing whether you can connect, not whether name resolution is configured properly.

  1. Locate the private IP address. You can find the private IP address of a VM by either looking at the properties for the VM in the Azure portal, or by using PowerShell.

    • Azure portal - Locate your virtual machine in the Azure portal. View the properties for the VM. The private IP address is listed.

    • PowerShell - Use the example to view a list of VMs and private IP addresses from your resource groups. You don't need to modify this example before using it.

      $VMs = Get-AzVM
      # Only NICs that are attached to a VM
      $Nics = Get-AzNetworkInterface | Where VirtualMachine -ne $null
      foreach($Nic in $Nics)
      {
        # Match the NIC to its VM by resource ID, then read the private IP and allocation method
        $VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
        $Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
        $Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
        Write-Output "$($VM.Name): $Prv,$Alloc"
      }
  2. 验证你是否已使用点到站点 VPN 连接连接到 VNet。Verify that you are connected to your VNet using the Point-to-Site VPN connection.

  3. 打开 远程桌面连接,方法是:在任务栏的搜索框中键入“RDP”或“远程桌面连接”,并选择“远程桌面连接”。Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on the taskbar, then select Remote Desktop Connection. 也可在 PowerShell 中使用“mstsc”命令打开远程桌面连接。You can also open Remote Desktop Connection using the 'mstsc' command in PowerShell.

  4. 在远程桌面连接中,输入 VM 的专用 IP 地址。In Remote Desktop Connection, enter the private IP address of the VM. 可以通过单击“显示选项”来调整其他设置,并进行连接。You can click "Show Options" to adjust additional settings, then connect.

Troubleshoot a connection

If you are having trouble connecting to a virtual machine over your VPN connection, check the following:

  • Verify that your VPN connection is successful.

  • Verify that you are connecting to the private IP address for the VM.

  • If you can connect to the VM using the private IP address, but not the computer name, verify that you have configured DNS properly. For more information about how name resolution works for VMs, see Name Resolution for VMs.

  • For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.

  • Verify that the VPN client configuration package was generated after the DNS server IP addresses were specified for the VNet. If you updated the DNS server IP addresses, generate and install a new VPN client configuration package.

  • Use 'ipconfig' to check the IPv4 address assigned to the Ethernet adapter on the computer from which you are connecting. If the IP address is within the address range of the VNet that you are connecting to, or within the address range of your VPNClientAddressPool, this is referred to as an overlapping address space. When your address space overlaps in this way, the network traffic doesn't reach Azure; it stays on the local network.
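The overlapping-address-space check in the last item, as an added example that is not part of the original article: it compares every local IPv4 address against the VNet address space and the VPNClientAddressPool instead of reading ipconfig output by eye. The two prefixes are constructed sample values, and the helper function names are assumed.

```powershell
# Added example, not from the original article. The prefixes below are
# constructed; the real ones can be read from Azure with
# (Get-AzVirtualNetwork -Name VNet1 -ResourceGroupName TestRG1).AddressSpace.AddressPrefixes and
# (Get-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1).VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes
$VNetAddressPrefixes  = @("10.1.0.0/16")      # constructed: VNet address space
$VpnClientAddressPool = @("172.16.201.0/24")  # constructed: P2S VPNClientAddressPool

function ConvertTo-IPv4UInt32 {
    param([string]$IPAddress)
    $bytes = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InPrefix {
    param([string]$IPAddress, [string]$Prefix)
    $network, $bits = $Prefix -split '/'
    # Netmask from the prefix length, e.g. /16 -> 0xFFFF0000 (avoids PowerShell's signed hex literals).
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return ((ConvertTo-IPv4UInt32 $IPAddress) -band $mask) -eq ((ConvertTo-IPv4UInt32 $network) -band $mask)
}

# Every non-loopback IPv4 address on this Windows machine (the same data ipconfig shows).
$localAddresses = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -notmatch 'Loopback' } |
    Select-Object -ExpandProperty IPAddress

$overlap = $false
foreach ($addr in $localAddresses) {
    foreach ($prefix in ($VNetAddressPrefixes + $VpnClientAddressPool)) {
        if (Test-IPv4InPrefix -IPAddress $addr -Prefix $prefix) {
            Write-Warning "$addr overlaps $prefix - traffic for that range stays on the local network"
            $overlap = $true
        }
    }
}
if (-not $overlap) { Write-Output "No local IPv4 address overlaps the VNet or the VPNClientAddressPool." }
```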

To add or remove a root certificate

You can add and remove trusted root certificates from Azure. When you remove a root certificate, clients that have a certificate generated from that root certificate can't authenticate and won't be able to connect. If you want such a client to authenticate and connect, you need to install a new client certificate generated from a root certificate that is trusted (uploaded) to Azure. These steps require Azure PowerShell cmdlets installed locally on your computer. You can also use the Azure portal to add root certificates.

To add:

You can add up to 20 root certificate .cer files to Azure. The following steps help you add a root certificate.

  1. Prepare the .cer file to upload:

    $filePathForCert = "C:\cert\P2SRootCert3.cer"
    $cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)
    $CertBase64_3 = [system.convert]::ToBase64String($cert.RawData)
  2. Upload the file. You can only upload one file at a time.

    Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName -VirtualNetworkGatewayname "VNet1GW" -ResourceGroupName "TestRG1" -PublicCertData $CertBase64_3
  3. To verify that the certificate file uploaded:

    Get-AzVpnClientRootCertificate -ResourceGroupName "TestRG1" `
    -VirtualNetworkGatewayName "VNet1GW"
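The add procedure above with pre-flight checks, as an added example that is not the article's own code: it confirms the .cer is a valid CA certificate and that the gateway is below the 20-root limit before calling Add-AzVpnClientRootCertificate. The file path and the certificate name are assumed; the gateway and resource group names are the article's.

```powershell
# Added example, not from the original article. Path and name are assumed values.
$filePathForCert = "C:\cert\P2SRootCert3.cer"   # assumed path to the root's public key
$P2SRootCertName = "P2SRootCert3"               # assumed name for the root in Azure
$GWName = "VNet1GW"
$RG     = "TestRG1"

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)

# Checks on the certificate itself: validity window and the CA flag in Basic Constraints.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) - $($cert.NotAfter))"
}
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Basic Constraints does not mark this certificate as a CA; client certs must chain to it"
}
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Certificate is not self-signed ($($cert.Issuer)); confirm it is the intended root"
}

# Checks against the gateway: the 20-root limit and a duplicate name.
$existing = @(Get-AzVpnClientRootCertificate -ResourceGroupName $RG -VirtualNetworkGatewayName $GWName)
if ($existing.Count -ge 20) { throw "Gateway $GWName already holds 20 root certificates" }
if ($existing | Where-Object { $_.Name -eq $P2SRootCertName }) {
    throw "A root certificate named $P2SRootCertName already exists on $GWName"
}

# Upload exactly as in the article's steps 1 and 2.
$CertBase64_3 = [System.Convert]::ToBase64String($cert.RawData)
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName `
    -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG -PublicCertData $CertBase64_3

# Confirm by name (step 3) and compare the stored key data with what was sent.
$uploaded = Get-AzVpnClientRootCertificate -ResourceGroupName $RG -VirtualNetworkGatewayName $GWName |
    Where-Object { $_.Name -eq $P2SRootCertName }
if (-not $uploaded) { throw "Upload of $P2SRootCertName not visible on $GWName" }
if ($uploaded.PublicCertData -ne $CertBase64_3) { Write-Warning "Stored PublicCertData differs from the local file" }
$uploaded
```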

To remove:

  1. Declare the variables. Modify the variables in the example to match the certificate that you want to remove.

    $GWName = "Name_of_virtual_network_gateway"
    $RG = "Name_of_resource_group"
    $P2SRootCertName2 = "ARMP2SRootCert2.cer"
    $MyP2SCertPubKeyBase64_2 = "MIIC/zCCAeugAwIBAgIQKazxzFjMkp9JRiX+tkTfSzAJBgUrDgMCHQUAMBgxFjAUBgNVBAMTDU15UDJTUm9vdENlcnQwHhcNMTUxMjE5MDI1MTIxWhcNMzkxMjMxMjM1OTU5WjAYMRYwFAYDVQQDEw1NeVAyU1Jvb3RDZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyjIXoWy8xE/GF1OSIvUaA0bxBjZ1PJfcXkMWsHPzvhWc2esOKrVQtgFgDz4ggAnOUFEkFaszjiHdnXv3mjzE2SpmAVIZPf2/yPWqkoHwkmrp6BpOvNVOpKxaGPOuK8+dql1xcL0eCkt69g4lxy0FGRFkBcSIgVTViS9wjuuS7LPo5+OXgyFkAY3pSDiMzQCkRGNFgw5WGMHRDAiruDQF1ciLNojAQCsDdLnI3pDYsvRW73HZEhmOqRRnJQe6VekvBYKLvnKaxUTKhFIYwuymHBB96nMFdRUKCZIiWRIy8Hc8+sQEsAML2EItAjQv4+fqgYiFdSWqnQCPf/7IZbotgQIDAQABo00wSzBJBgNVHQEEQjBAgBAkuVrWvFsCJAdK5pb/eoCNoRowGDEWMBQGA1UEAxMNTXlQMlNSb290Q2VydIIQKazxzFjMkp9JRiX+tkTfSzAJBgUrDgMCHQUAA4IBAQA223veAZEIar9N12ubNH2+HwZASNzDVNqspkPKD97TXfKHlPlIcS43TaYkTz38eVrwI6E0yDk4jAuPaKnPuPYFRj9w540SvY6PdOUwDoEqpIcAVp+b4VYwxPL6oyEQ8wnOYuoAK1hhh20lCbo8h9mMy9ofU+RP6HJ7lTqupLfXdID/XevI8tW6Dm+C/wCeV3EmIlO9KUoblD/e24zlo3YzOtbyXwTIh34T0fO/zQvUuBqZMcIPfM1cDvqcqiEFLWvWKoAnxbzckye2uk1gHO52d8AVL3mGiX8wBJkjc/pMdxrEvvCzJkltBmqxTM6XjDJALuVh16qFlqgTWCIcb7ju"
  2. Remove the certificate.

    Remove-AzVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName2 -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG -PublicCertData $MyP2SCertPubKeyBase64_2
  3. Use the following example to verify that the certificate was removed successfully.

    Get-AzVpnClientRootCertificate -ResourceGroupName "TestRG1" `
    -VirtualNetworkGatewayName "VNet1GW"

To revoke or reinstate a client certificate

You can revoke client certificates. The certificate revocation list allows you to selectively deny point-to-site connectivity based on individual client certificates. This is different from removing a trusted root certificate. If you remove a trusted root certificate .cer from Azure, it revokes access for all client certificates generated/signed by that root certificate. Revoking a client certificate, rather than the root certificate, allows the other certificates that were generated from the root certificate to continue to be used for authentication.

The common practice is to use the root certificate to manage access at team or organization level, while using revoked client certificates for fine-grained access control on individual users.

To revoke:

  1. Retrieve the client certificate thumbprint. For more information, see How to retrieve the Thumbprint of a Certificate.

  2. Copy the information to a text editor and remove all spaces so that it is a continuous string. This string is declared as a variable in the next step.

  3. Declare the variables. Make sure to declare the thumbprint you retrieved in the previous step.

    $RevokedClientCert1 = "NameofCertificate"
    $RevokedThumbprint1 = "51ab1edd8da4cfed77e20061c5eb6d2ef2f778c7"
    $GWName = "Name_of_virtual_network_gateway"
    $RG = "Name_of_resource_group"
  4. Add the thumbprint to the list of revoked certificates. You see "Succeeded" when the thumbprint has been added.

    Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName $RevokedClientCert1 `
    -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG `
    -Thumbprint $RevokedThumbprint1
  5. Verify that the thumbprint was added to the certificate revocation list.

    Get-AzVpnClientRevokedCertificate -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG
  6. After the thumbprint has been added, the certificate can no longer be used to connect. Clients that try to connect using this certificate receive a message saying that the certificate is no longer valid.

To reinstate:

You can reinstate a client certificate by removing the thumbprint from the list of revoked client certificates.

  1. Declare the variables. Make sure you declare the correct thumbprint for the certificate that you want to reinstate.

    $RevokedClientCert1 = "NameofCertificate"
    $RevokedThumbprint1 = "51ab1edd8da4cfed77e20061c5eb6d2ef2f778c7"
    $GWName = "Name_of_virtual_network_gateway"
    $RG = "Name_of_resource_group"
  2. Remove the certificate thumbprint from the certificate revocation list.

    Remove-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName $RevokedClientCert1 `
    -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG -Thumbprint $RevokedThumbprint1
  3. Check that the thumbprint has been removed from the revoked list.

    Get-AzVpnClientRevokedCertificate -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG
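Both the revoke and the reinstate procedures above in one function, as an added example that is not the article's own code: it normalises a pasted thumbprint to the continuous hex string step 2 of the revoke procedure asks for (dropping spaces and any invisible characters a copy from the certificate viewer can carry), applies the add or remove, and confirms the gateway's revoked list ended up in the intended state. The function names and the sample thumbprint with spaces are constructed; the gateway variables are the article's placeholders.

```powershell
# Added example, not from the original article. Gateway values are placeholders as in the article.
$GWName = "Name_of_virtual_network_gateway"
$RG     = "Name_of_resource_group"

function ConvertTo-Thumbprint {
    param([string]$Raw)
    # Keep hex digits only: removes spaces, colons and invisible marks such as U+200E
    # that a thumbprint copied from the certificate viewer can contain.
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters for a SHA-1 thumbprint, got $($clean.Length): '$Raw'"
    }
    return $clean
}

function Set-P2SClientCertRevocation {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Thumbprint,
        [switch]$Reinstate   # without this switch the certificate is revoked
    )
    $tp = ConvertTo-Thumbprint $Thumbprint
    if ($Reinstate) {
        Remove-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName $Name `
            -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG -Thumbprint $tp
    } else {
        Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName $Name `
            -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG -Thumbprint $tp
    }
    # Read the list back and check it reflects the requested change (-eq is case-insensitive).
    $listed = Get-AzVpnClientRevokedCertificate -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG |
        Where-Object { $_.Thumbprint -eq $tp }
    if ($Reinstate -and $listed)          { throw "$tp is still on the revocation list of $GWName" }
    if (-not $Reinstate -and -not $listed) { throw "$tp was not added to the revocation list of $GWName" }
    return $tp
}

# Constructed sample: the article's thumbprint as it might be pasted, with spaces.
Set-P2SClientCertRevocation -Name "NameofCertificate" `
    -Thumbprint "51 ab 1e dd 8d a4 cf ed 77 e2 00 61 c5 eb 6d 2e f2 f7 78 c7"
# To reinstate the same certificate later:
# Set-P2SClientCertRevocation -Name "NameofCertificate" -Thumbprint "51ab1edd8da4cfed77e20061c5eb6d2ef2f778c7" -Reinstate
```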

Point-to-Site FAQ

For additional point-to-site information, see the VPN Gateway point-to-site FAQ.

Next steps

Once your connection is complete, you can add virtual machines to your virtual networks. For more information, see Virtual Machines. To understand more about networking and virtual machines, see Azure and Linux VM network overview.

For P2S troubleshooting information, see Troubleshooting: Azure point-to-site connection problems.