使用本机 Azure 证书身份验证配置与 VNet 的点到站点连接:PowerShellConfigure a Point-to-Site connection to a VNet using native Azure certificate authentication: PowerShell

本文介绍如何将运行 Windows、Linux 或 Mac OS X 的单个客户端安全地连接到 Azure VNet。This article helps you securely connect individual clients running Windows, Linux, or Mac OS X to an Azure VNet. 若要从远程位置连接到 VNet,例如从家里或会议室进行远程通信,则可使用点到站点 VPN。Point-to-Site VPN connections are useful when you want to connect to your VNet from a remote location, such when you are telecommuting from home or a conference. 如果只有一些客户端需要连接到 VNet,也可使用 P2S VPN 来代替站点到站点 VPN。You can also use P2S instead of a Site-to-Site VPN when you have only a few clients that need to connect to a VNet. 点到站点连接不需要 VPN 设备或面向公众的 IP 地址。Point-to-Site connections do not require a VPN device or a public-facing IP address. P2S 基于 SSTP(安全套接字隧道协议)或 IKEv2 创建 VPN 连接。P2S creates the VPN connection over either SSTP (Secure Socket Tunneling Protocol), or IKEv2. 有关点到站点 VPN 的详细信息,请参阅关于点到站点 VPNFor more information about Point-to-Site VPN, see About Point-to-Site VPN.

将计算机连接到 Azure VNet - 点到站点连接示意图

体系结构Architecture

点到站点本机 Azure 证书身份验证连接使用可在此练习中配置的以下项目:Point-to-Site native Azure certificate authentication connections use the following items, which you configure in this exercise:

  • RouteBased VPN 网关。A RouteBased VPN gateway.
  • 适用于根证书的公钥(.cer 文件),已上传到 Azure。The public key (.cer file) for a root certificate, which is uploaded to Azure. 上传证书以后,该证书将被视为受信任的证书,用于身份验证。Once the certificate is uploaded, it is considered a trusted certificate and is used for authentication.
  • 从根证书生成的客户端证书。A client certificate that is generated from the root certificate. 安装在要连接到 VNet 的每个客户端计算机上的客户端证书。The client certificate installed on each client computer that will connect to the VNet. 此证书用于客户端身份验证。This certificate is used for client authentication.
  • VPN 客户端配置。A VPN client configuration. VPN 客户端配置文件包含客户端连接到 VNet 时所需的信息。The VPN client configuration files contain the necessary information for the client to connect to the VNet. 这些文件对操作系统自带的现有 VPN 客户端进行配置。The files configure the existing VPN client that is native to the operating system. 必须使用配置文件中的设置对进行连接的每个客户端进行配置。Each client that connects must be configured using the settings in the configuration files.

准备阶段Before you begin

Note

本文进行了更新,以便使用新的 Azure PowerShell Az 模块。This article has been updated to use the new Azure PowerShell Az module. 你仍然可以使用 AzureRM 模块,至少在 2020 年 12 月之前,它将继续接收 bug 修补程序。You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. 若要详细了解新的 Az 模块和 AzureRM 兼容性,请参阅新 Azure Powershell Az 模块简介To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. 有关 Az 模块安装说明,请参阅安装 Azure PowerShellFor Az module installation instructions, see Install Azure PowerShell.

  • 确保拥有 Azure 订阅。Verify that you have an Azure subscription. 如果还没有 Azure 订阅,可以注册一个试用帐户If you don't already have an Azure subscription, you can sign up for a trial account.

本文使用 PowerShell cmdlet。This article uses PowerShell cmdlets. 可以在计算机本地安装并运行 Azure PowerShell cmdlet。You can install and run the Azure PowerShell cmdlets locally on your computer. PowerShell cmdlet 经常更新。PowerShell cmdlets are updated frequently. 如果未运行最新版本,在说明中指定的值可能无法使用。If you are not running the latest version, the values specified in the instructions may fail. 若要查找你在本地运行的 PowerShell 版本,请使用 Get-Module -ListAvailable Az cmdlet。To find the version of PowerShell that you are running locally, use the Get-Module -ListAvailable Az cmdlet. 若要进行安装或更新,请参阅安装 Azure PowerShell 模块To install or update, see Install the Azure PowerShell module.

示例值Example values

可使用示例值创建测试环境,或参考这些值以更好地理解本文中的示例。You can use the example values to create a test environment, or refer to these values to better understand the examples in this article. 变量在本文的第 1 部分设置。The variables are set in section 1 of the article. 可以使用这些步骤作为演练并按原样使用这些值,或者根据环境更改这些值。You can either use the steps as a walk-through and use the values without changing them, or change them to reflect your environment.

  • 名称:VNet1Name: VNet1
  • 地址空间:192.168.0.0/1610.254.0.0/16Address space: 192.168.0.0/16 and 10.254.0.0/16
    本示例使用了多个地址空间,说明此配置可与多个地址空间一起使用。This example uses more than one address space to illustrate that this configuration works with multiple address spaces. 但是,对于此配置,多个地址空间并不必要。However, multiple address spaces are not required for this configuration.
  • 子网名称:FrontEndSubnet name: FrontEnd
    • 子网地址范围:192.168.1.0/24Subnet address range: 192.168.1.0/24
  • 子网名称:BackEndSubnet name: BackEnd
    • 子网地址范围:10.254.1.0/24Subnet address range: 10.254.1.0/24
  • 子网名称:GatewaySubnetSubnet name: GatewaySubnet
    要使 VPN 网关正常工作,必须使用子网名称 GatewaySubnet。The Subnet name GatewaySubnet is mandatory for the VPN gateway to work.
    • GatewaySubnet 地址范围:192.168.200.0/24GatewaySubnet address range: 192.168.200.0/24
  • VPN 客户端地址池:172.16.201.0/24VPN client address pool: 172.16.201.0/24
    使用此点到站点连接连接到 VNet 的 VPN 客户端接收来自 VPN 客户端地址池的 IP 地址。VPN clients that connect to the VNet using this Point-to-Site connection receive an IP address from the VPN client address pool.
  • 订阅: 如果有多个订阅,请确保使用正确的订阅。Subscription: If you have more than one subscription, verify that you are using the correct one.
  • 资源组:TestRGResource Group: TestRG
  • 位置:ChinaNorthLocation: ChinaNorth
  • DNS 服务器:要用于名称解析的 DNS 服务器的 IP 地址DNS Server: IP address of the DNS server that you want to use for name resolution. (可选)(optional)
  • GW 名称:Vnet1GWGW Name: Vnet1GW
  • 公共 IP 名称:VNet1GWPIPPublic IP name: VNet1GWPIP
  • VpnType:RouteBasedVpnType: RouteBased

1.登录并设置变量1. Sign in and set variables

在本部分中,将登录并声明用于此配置的值。In this section, you sign in and declare the values used for this configuration. 声明的值会在示例脚本中使用。The declared values are used in the sample scripts. 根据自己的环境更改值。Change the values to reflect your own environment. 也可以使用声明的值完成这些步骤作为练习。Or, you can use the declared values and go through the steps as an exercise.

登录Sign in

使用提升的权限打开 PowerShell 控制台。Open your PowerShell console with elevated privileges.

可以在本地运行 Azure PowerShell,请连接到 Azure 帐户。You can run Azure PowerShell locally, connect to your Azure account. Connect-AzureRmAccount cmdlet 会提示输入凭据。The Connect-AzAccount cmdlet prompts you for credentials. 进行身份验证后,它会下载帐户设置,以便 Azure PowerShell 可以使用这些设置。After authenticating, it downloads your account settings so that they are available to Azure PowerShell.

Connect-AzAccount -Environment AzureChinaCloud

如果有多个订阅,请获取 Azure 订阅的列表。If you have more than one subscription, get a list of your Azure subscriptions.

Get-AzSubscription

指定要使用的订阅。Specify the subscription that you want to use.

Select-AzSubscription -SubscriptionName "Name of subscription"

声明变量Declare variables

声明要使用的变量。Declare the variables that you want to use. 使用以下示例,根据需要将值替换为自己的值。Use the following sample, substituting the values for your own when necessary. 如果在练习期间的任何时候关闭了 PowerShell 会话,只需再次复制和粘贴这些值,以重新声明变量。If you close your PowerShell session at any point during the exercise, just copy and paste the values again to re-declare the variables.

$VNetName  = "VNet1"
$FESubName = "FrontEnd"
$BESubName = "Backend"
$GWSubName = "GatewaySubnet"
$VNetPrefix1 = "192.168.0.0/16"
$VNetPrefix2 = "10.254.0.0/16"
$FESubPrefix = "192.168.1.0/24"
$BESubPrefix = "10.254.1.0/24"
$GWSubPrefix = "192.168.200.0/26"
$VPNClientAddressPool = "172.16.201.0/24"
$RG = "TestRG"
$Location = "ChinaNorth"
$GWName = "VNet1GW"
$GWIPName = "VNet1GWPIP"
$GWIPconfName = "gwipconf"

2.配置 VNet2. Configure a VNet

  1. 创建资源组。Create a resource group.

    New-AzResourceGroup -Name $RG -Location $Location
    
  2. 为虚拟网络创建子网配置,并将其命名为 FrontEndBackEndGatewaySubnetCreate the subnet configurations for the virtual network, naming them FrontEnd, BackEnd, and GatewaySubnet. 这些前缀必须是已声明的 VNet 地址空间的一部分。These prefixes must be part of the VNet address space that you declared.

    $fesub = New-AzVirtualNetworkSubnetConfig -Name $FESubName -AddressPrefix $FESubPrefix
    $besub = New-AzVirtualNetworkSubnetConfig -Name $BESubName -AddressPrefix $BESubPrefix
    $gwsub = New-AzVirtualNetworkSubnetConfig -Name $GWSubName -AddressPrefix $GWSubPrefix
    
  3. 创建虚拟网络。Create the virtual network.

    在本示例中,-DnsServer 服务器参数是可选的。In this example, the -DnsServer server parameter is optional. 指定一个值不会创建新的 DNS 服务器。Specifying a value does not create a new DNS server. 指定的 DNS 服务器 IP 地址应该是可以解析从 VNet 所连接到的资源名称的 DNS 服务器。The DNS server IP address that you specify should be a DNS server that can resolve the names for the resources you are connecting to from your VNet. 此示例使用了专用 IP 地址,但这可能不是你 DNS 服务器的 IP 地址。This example uses a private IP address, but it is likely that this is not the IP address of your DNS server. 请务必使用自己的值。Be sure to use your own values. 你指定的值将由部署到 VNet 的资源使用,而不是由 P2S 连接或 VPN 客户端使用。The value you specify is used by the resources that you deploy to the VNet, not by the P2S connection or the VPN client.

    New-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RG -Location $Location -AddressPrefix $VNetPrefix1,$VNetPrefix2 -Subnet $fesub, $besub, $gwsub -DnsServer 10.2.1.3
    
  4. 为创建的虚拟网络指定变量。Specify the variables for the virtual network you created.

    $vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RG
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
    
  5. VPN 网关必须具有公共 IP 地址。A VPN gateway must have a Public IP address. 请先请求 IP 地址资源,然后在创建虚拟网关时参阅该资源。You first request the IP address resource, and then refer to it when creating your virtual network gateway. 创建 VPN 网关时,IP 地址是动态分配给资源的。The IP address is dynamically assigned to the resource when the VPN gateway is created. VPN 网关当前仅支持动态公共 IP 地址分配。VPN Gateway currently only supports Dynamic Public IP address allocation. 不能请求静态公共 IP 地址分配。You cannot request a Static Public IP address assignment. 但这并不意味着 IP 地址在分配到 VPN 网关后会更改。However, it doesn't mean that the IP address changes after it has been assigned to your VPN gateway. 公共 IP 地址只在删除或重新创建网关时更改。The only time the Public IP address changes is when the gateway is deleted and re-created. 该地址不会因为 VPN 网关大小调整、重置或其他内部维护/升级而更改。It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

    请求动态分配的公共 IP 地址。Request a dynamically assigned public IP address.

    $pip = New-AzPublicIpAddress -Name $GWIPName -ResourceGroupName $RG -Location $Location -AllocationMethod Dynamic
    $ipconf = New-AzVirtualNetworkGatewayIpConfig -Name $GWIPconfName -Subnet $subnet -PublicIpAddress $pip
    

3.创建 VPN 网关3. Create the VPN gateway

为 VNet 配置和创建虚拟网络网关。Configure and create the virtual network gateway for your VNet.

  • -GatewayType 必须是 Vpn,-VpnType 必须是 RouteBasedThe -GatewayType must be Vpn and the -VpnType must be RouteBased.
  • -VpnClientProtocol 用来指定要启用的隧道的类型。The -VpnClientProtocol is used to specify the types of tunnels that you would like to enable. 两个隧道选项是 SSTPIKEv2The two tunnel options are SSTP and IKEv2. 可以选择启用其中之一或启用两者。You can choose to enable one of them or both. 如果要启用两者,请同时指定两个名称,以逗号分隔。If you want to enable both, then specify both the names separated by a comma. Android 和 Linux 上的 strongSwan 客户端以及 iOS 和 OSX 上的本机 IKEv2 VPN 客户端仅会使用 IKEv2 隧道进行连接。The strongSwan client on Android and Linux and the native IKEv2 VPN client on iOS and OSX will use only the IKEv2 tunnel to connect. Windows 客户端会首先尝试 IKEv2,如果不能连接,则会回退到 SSTP。Windows clients try IKEv2 first and if that doesn’t connect, they fall back to SSTP.
  • 虚拟网络网关“基本”SKU 不支持 IKEv2 或 RADIUS 身份验证。The virtual network gateway 'Basic' SKU does not support IKEv2 or RADIUS authentication. 如果计划让 Mac 客户端连接到虚拟网络,请不要使用基本 SKU。If you are planning on having Mac clients connect to your virtual network, do not use the Basic SKU.
  • VPN 网关可能需要长达 45 分钟的时间才能完成,具体取决于所选网关 SKUA VPN gateway can take up to 45 minutes to complete, depending on the gateway sku you select. 本示例使用 IKEv2。This example uses IKEv2.
New-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG `
-Location $Location -IpConfigurations $ipconf -GatewayType Vpn `
-VpnType RouteBased -EnableBgp $false -GatewaySku VpnGw1 -VpnClientProtocol "IKEv2"

4.添加 VPN 客户端地址池4. Add the VPN client address pool

创建完 VPN 网关后即可添加 VPN 客户端地址池。After the VPN gateway finishes creating, you can add the VPN client address pool. VPN 客户端地址池是 VPN 客户端在连接时要从中接收 IP 地址的范围。The VPN client address pool is the range from which the VPN clients receive an IP address when connecting. 使用专用 IP 地址范围时,该范围不得与要通过其进行连接的本地位置重叠,也不得与要连接到其中的 VNet 重叠。Use a private IP address range that does not overlap with the on-premises location that you connect from, or with the VNet that you want to connect to. 在此示例中,VPN 客户端地址池在步骤 1 声明为变量In this example, the VPN client address pool is declared as a variable in Step 1.

$Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway -VpnClientAddressPool $VPNClientAddressPool

5.生成证书5. Generate certificates

Azure 使用证书对点到站点 VPN 的 VPN 客户端进行身份验证。Certificates are used by Azure to authenticate VPN clients for Point-to-Site VPNs. 将根证书的公钥信息上传到 Azure,You upload the public key information of the root certificate to Azure. 然后即可将该公钥视为“受信任”公钥。The public key is then considered 'trusted'. 必须根据可信根证书生成客户端证书,并将其安装在每个客户端计算机的 Certificates-Current User/个人证书存储中。Client certificates must be generated from the trusted root certificate, and then installed on each client computer in the Certificates-Current User/Personal certificate store. 当客户端启动到 VNet 的连接时,使用证书进行身份验证。The certificate is used to authenticate the client when it initiates a connection to the VNet.

如果使用自签名证书,这些证书必须使用特定的参数创建。If you use self-signed certificates, they must be created using specific parameters. 可以按照 PowerShell 和 Windows 10MakeCert(如果没有 Windows 10)的说明,创建自签名证书。You can create a self-signed certificate using the instructions for PowerShell and Windows 10, or, if you don't have Windows 10, you can use MakeCert. 生成自签名根证书和客户端证书时,必须按说明中的步骤操作,这一点很重要。It's important that you follow the steps in the instructions when generating self-signed root certificates and client certificates. 否则,生成的证书将不兼容 P2S 连接,并且会出现连接错误。Otherwise, the certificates you generate will not be compatible with P2S connections and you receive a connection error.

1.获取根证书的 .cer 文件1. Obtain the .cer file for the root certificate

使用通过企业解决方案生成的根证书(推荐),或者生成自签名证书。Use either a root certificate that was generated with an enterprise solution (recommended), or generate a self-signed certificate. 创建根证书后,将公共证书数据(不是私钥)作为 Base64 编码的 X.509 .cer 文件导出。After you create the root certificate, export the public certificate data (not the private key) as a Base64 encoded X.509 .cer file. 然后,将公共证书数据上传到 Azure 服务器。Then, upload the public certificate data to the Azure server.

  • 企业证书: 如果使用的是企业级解决方案,可以使用现有的证书链。Enterprise certificate: If you're using an enterprise solution, you can use your existing certificate chain. 获取要使用的根证书的 .cer 文件。Acquire the .cer file for the root certificate that you want to use.

  • 自签名根证书: 如果使用的不是企业证书解决方案,请创建自签名根证书。Self-signed root certificate: If you aren't using an enterprise certificate solution, create a self-signed root certificate. 否则,创建的证书将不兼容 P2S 连接,客户端在尝试连接时会收到连接错误。Otherwise, the certificates you create won't be compatible with your P2S connections and clients will receive a connection error when they try to connect. 可以使用 Azure PowerShell、MakeCert 或 OpenSSL。You can use Azure PowerShell, MakeCert, or OpenSSL. 以下文章中的步骤介绍了如何生成兼容的自签名根证书:The steps in the following articles describe how to generate a compatible self-signed root certificate:

    • Windows 10 PowerShell 说明:这些说明要求使用 Windows 10 和 PowerShell 来生成证书。Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to generate certificates. 从根证书生成的客户端证书可以安装在任何受支持的 P2S 客户端上。Client certificates that are generated from the root certificate can be installed on any supported P2S client.
    • MakeCert 说明:使用 MakeCert 的前提是,无法接触用于生成证书的 Windows 10 计算机。MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer to use to generate certificates. 虽然 MakeCert 已弃用,但仍可使用它来生成证书。Although MakeCert is deprecated, you can still use it to generate certificates. 从根证书生成的客户端证书可以安装在任何受支持的 P2S 客户端上。Client certificates that you generate from the root certificate can be installed on any supported P2S client.
    • Linux 说明Linux instructions

2.生成客户端证书2. Generate a client certificate

在使用点到站点连接连接到 VNet 的每台客户端计算机上,必须安装客户端证书。Each client computer that you connect to a VNet with a Point-to-Site connection must have a client certificate installed. 请从根证书生成它,然后将它安装在每个客户端计算机上。You generate it from the root certificate and install it on each client computer. 如果未安装有效的客户端证书,则当客户端尝试连接到 VNet 时,身份验证会失败。If you don't install a valid client certificate, authentication will fail when the client tries to connect to the VNet.

可以为每个客户端生成唯一证书,也可以对多个客户端使用同一证书。You can either generate a unique certificate for each client, or you can use the same certificate for multiple clients. 生成唯一客户端证书的优势是能够吊销单个证书。The advantage to generating unique client certificates is the ability to revoke a single certificate. 否则,如果多个客户端使用相同的客户端证书进行身份验证而你将其撤销,则需为所有使用该证书的客户端生成并安装新证书。Otherwise, if multiple clients use the same client certificate to authenticate and you revoke it, you'll need to generate and install new certificates for every client that uses that certificate.

可以通过以下方法生成客户端证书:You can generate client certificates by using the following methods:

  • 企业证书:Enterprise certificate:

    • 如果使用的是企业证书解决方案,请使用通用名称值格式 name@yourdomain.com 生成客户端证书,If you're using an enterprise certificate solution, generate a client certificate with the common name value format name@yourdomain.com. 而不要使用“域名\用户名”格式。Use this format instead of the domain name\username format.
    • 请确保客户端证书基于“用户”证书模板,该模板将“客户端身份验证”列为用户列表中的第一项。Make sure the client certificate is based on a user certificate template that has Client Authentication listed as the first item in the user list. 检查证书的方式是:双击证书,然后在“详细信息”选项卡中查看“增强型密钥用法”。Check the certificate by double-clicking it and viewing Enhanced Key Usage in the Details tab.
  • 自签名根证书: 按照下述某篇 P2S 证书文章中的步骤操作,使创建的客户端证书兼容 P2S 连接。Self-signed root certificate: Follow the steps in one of the following P2S certificate articles so that the client certificates you create will be compatible with your P2S connections. 这些文章中的步骤可生成兼容的客户端证书:The steps in these articles generate a compatible client certificate:

    • Windows 10 PowerShell 说明:这些说明要求使用 Windows 10 和 PowerShell 来生成证书。Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to generate certificates. 生成的证书可以安装在任何受支持的 P2S 客户端上。The generated certificates can be installed on any supported P2S client.
    • MakeCert 说明:如果无权访问 Windows 10 计算机来生成证书,请使用 MakeCert。MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer for generating certificates. 虽然 MakeCert 已弃用,但仍可使用它来生成证书。Although MakeCert is deprecated, you can still use it to generate certificates. 可以将生成的证书安装在任何受支持的 P2S 客户端上。You can install the generated certificates on any supported P2S client.
    • Linux 说明Linux instructions

    从自签名根证书生成客户端证书时,该证书会自动安装在用于生成该证书的计算机上。When you generate a client certificate from a self-signed root certificate, it's automatically installed on the computer that you used to generate it. 如果想要在另一台客户端计算机上安装客户端证书,请以 .pfx 文件格式导出该证书以及整个证书链。If you want to install a client certificate on another client computer, export it as a .pfx file, along with the entire certificate chain. 这样做会创建一个 .pfx 文件,其中包含的根证书信息是客户端进行身份验证所必需的。Doing so will create a .pfx file that contains the root certificate information required for the client to authenticate.

导出证书To export the certificate

如需导出证书的步骤,请参阅使用 PowerShell 为点到站点连接生成和导出证书For steps to export a certificate, see Generate and export certificates for Point-to-Site using PowerShell.

6.上传根证书的公钥信息6. Upload the root certificate public key information

验证 VPN 网关是否已创建完毕。Verify that your VPN gateway has finished creating. 创建完以后,即可为委托给 Azure 的根证书上传 .cer 文件(其中包含公钥信息)。Once it has completed, you can upload the .cer file (which contains the public key information) for a trusted root certificate to Azure. 上传 .cer 文件后,Azure 可以使用该文件对已安装客户端证书(根据受信任根证书生成)的客户端进行身份验证。Once a.cer file is uploaded, Azure can use it to authenticate clients that have installed a client certificate generated from the trusted root certificate. 可在以后根据需要上传更多的受信任根证书文件(最多 20 个)。You can upload additional trusted root certificate files - up to a total of 20 - later, if needed.

可以在计算机上本地使用 PowerShell,按照 Azure 门户步骤You can use PowerShell locally on your computer, the Azure portal steps.

  1. 为证书名称声明变量,将值替换为自己的值。Declare the variable for your certificate name, replacing the value with your own.

    $P2SRootCertName = "P2SRootCert.cer"
    
  2. 将文件路径替换为自己的路径,并运行 cmdlet。Replace the file path with your own, and then run the cmdlets.

    $filePathForCert = "C:\cert\P2SRootCert.cer"
    $cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)
    $CertBase64 = [system.convert]::ToBase64String($cert.RawData)
    $p2srootcert = New-AzVpnClientRootCertificate -Name $P2SRootCertName -PublicCertData $CertBase64
    
  3. 将公钥信息上传到 Azure。Upload the public key information to Azure. 上传证书信息以后,Azure 就会将该证书视为受信任的根证书。Once the certificate information is uploaded, Azure considers it to be a trusted root certificate.

    Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName -VirtualNetworkGatewayname "VNet1GW" -ResourceGroupName "TestRG" -PublicCertData $CertBase64
    

7.安装已导出的客户端证书7. Install an exported client certificate

如果想要从另一台客户端计算机(而不是用于生成客户端证书的计算机)创建 P2S 连接,需要安装客户端证书。If you want to create a P2S connection from a client computer other than the one you used to generate the client certificates, you need to install a client certificate. 安装客户端证书时,需要使用导出客户端证书时创建的密码。When installing a client certificate, you need the password that was created when the client certificate was exported.

确保已将客户端证书与整个证书链(默认)一起作为 .pfx 导出。Make sure the client certificate was exported as a .pfx along with the entire certificate chain (which is the default). 否则,根证书信息就不会出现在客户端计算机上,客户端将无法进行正常的身份验证。Otherwise, the root certificate information isn't present on the client computer and the client won't be able to authenticate properly.

有关安装步骤,请参阅安装客户端证书For install steps, see Install a client certificate.

8.配置本机 VPN 客户端8. Configure the native VPN client

VPN 客户端配置文件包含的设置用来对设备进行配置以通过 P2S 连接来连接到 VNet。The VPN client configuration files contain settings to configure devices to connect to a VNet over a P2S connection. 有关生成和安装 VPN 客户端配置文件的说明,请参阅为本机 Azure 证书身份验证 P2S 配置创建和安装 VPN 客户端配置文件For instructions to generate and install VPN client configuration files, see Create and install VPN client configuration files for native Azure certificate authentication P2S configurations.

9.连接到 Azure9. Connect to Azure

从 Windows VPN 客户端进行连接To connect from a Windows VPN client

Note

在要从其进行连接的 Windows 客户端计算机上,你必须拥有管理员权限。You must have Administrator rights on the Windows client computer from which you are connecting.

  1. 若要连接到 VNet,请在客户端计算机上导航到 VPN 连接,找到创建的 VPN 连接。To connect to your VNet, on the client computer, navigate to VPN connections and locate the VPN connection that you created. 其名称与虚拟网络的名称相同。It is named the same name as your virtual network. 单击“连接” 。Click Connect. 可能会出现与使用证书相关的弹出消息。A pop-up message may appear that refers to using the certificate. 单击“继续”使用提升的权限。Click Continue to use elevated privileges.

  2. 在“连接”状态页上,单击“连接”以启动连接。On the Connection status page, click Connect to start the connection. 如果看到“选择证书”屏幕,请确保所显示的客户端证书是要用来连接的证书。If you see a Select Certificate screen, verify that the client certificate showing is the one that you want to use to connect. 如果不是,请使用下拉箭头选择正确的证书,并单击“确定”。If it is not, use the drop-down arrow to select the correct certificate, and then click OK.

    VPN 客户端连接到 Azure

  3. 连接已建立。Your connection is established.

    已建立连接

对 Windows 客户端 P2S 连接进行故障排除Troubleshooting Windows client P2S connections

如果在连接时遇到问题,请检查以下项:If you have trouble connecting, check the following items:

  • 如果你已通过证书导出向导导出客户端证书,请确保已将其导出为 .pfx 文件并选中了“包括证书路径中的所有证书(如果可能)”。If you exported a client certificate with Certificate Export Wizard, make sure that you exported it as a .pfx file and selected Include all certificates in the certification path if possible. 使用此值将其导出时,也会导出根证书信息。When you export it with this value, the root certificate information is also exported. 在客户端计算机上安装证书后,还会安装 .pfx 文件中的根证书。After you install the certificate on the client computer, the root certificate in the .pfx file is also installed. 若要验证是否安装了根证书,请打开“管理用户证书”,然后选择“受信任的根证书颁发机构\证书”。To verify that the root certificate is installed, open Manage user certificates and select Trusted Root Certification Authorities\Certificates. 验证是否列出了根证书,必须存在根证书才能进行身份验证。Verify that the root certificate is listed, which must be present for authentication to work.

  • 如果使用的是由企业 CA 解决方案颁发的证书,并且无法进行身份验证,请在客户端证书上验证身份验证顺序。If you used a certificate that was issued by an Enterprise CA solution and you can't authenticate, verify the authentication order on the client certificate. 通过双击客户端证书,选择“详细信息”选项卡并选择“增强型密钥用法”来检查身份验证列表顺序。Check the authentication list order by double-clicking the client certificate, selecting the Details tab, and then selecting Enhanced Key Usage. 确保此列表中的第一项是“客户端身份验证”。Make sure Client Authentication is the first item in the list. 如果不是,请基于将“客户端身份验证”作为列表中第一项的用户模板颁发客户端证书。If it isn't, issue a client certificate based on the user template that has Client Authentication as the first item in the list.

  • 如需更多的 P2S 故障排除信息,请参阅排查 P2S 连接问题For additional P2S troubleshooting information, see Troubleshoot P2S connections.

从 Mac VPN 客户端进行连接To connect from a Mac VPN client

在“网络”对话框中,找到要使用的客户端配置文件,单击“连接”。From the Network dialog box, locate the client profile that you want to use, then click Connect. 请查看安装 - Mac (OS X) 获取详细说明。Check Install - Mac (OS X) for detailed instructions. 如果连接有问题,请验证虚拟网络网关是否未使用基本 SKU。If you are having trouble connecting, verify that the virtual network gateway is not using a Basic SKU. Mac 客户端不支持基本 SKU。Basic SKU is not supported for Mac clients.

Mac 连接

验证连接To verify your connection

这些说明适用于 Windows 客户端。These instructions apply to Windows clients.

  1. 如果要验证用户的 VPN 连接是否处于活动状态,请打开提升的命令提示符,并运行 ipconfig/allTo verify that your VPN connection is active, open an elevated command prompt, and run ipconfig/all.

  2. 查看结果。View the results. 请注意,收到的 IP 地址是在配置中指定的点到站点 VPN 客户端地址池中的地址之一。Notice that the IP address you received is one of the addresses within the Point-to-Site VPN Client Address Pool that you specified in your configuration. 结果与以下示例类似:The results are similar to this example:

    PPP adapter VNet1:
       Connection-specific DNS Suffix .:
       Description.....................: VNet1
       Physical Address................:
       DHCP Enabled....................: No
       Autoconfiguration Enabled.......: Yes
       IPv4 Address....................: 172.16.201.3(Preferred)
       Subnet Mask.....................: 255.255.255.255
       Default Gateway.................:
       NetBIOS over Tcpip..............: Enabled
    

连接到虚拟机To connect to a virtual machine

这些说明适用于 Windows 客户端。These instructions apply to Windows clients.

可以连接到已部署到 VNet 的 VM,方法是创建到 VM 的远程桌面连接。You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to your VM. 若要通过初始验证来确认能否连接到 VM,最好的方式是使用其专用 IP 地址而不是计算机名称进行连接。The best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather than computer name. 这种方式是测试能否进行连接,而不是测试名称解析是否已正确配置。That way, you are testing to see if you can connect, not whether name resolution is configured properly.

  1. 定位专用 IP 地址。Locate the private IP address. 查找 VM 的专用 IP 地址时,可以通过 Azure 门户或 PowerShell 查看 VM 的属性。You can find the private IP address of a VM by either looking at the properties for the VM in the Azure portal, or by using PowerShell.

    • Azure 门户 - 在 Azure 门户中定位虚拟机。Azure portal - Locate your virtual machine in the Azure portal. 查看 VM 的属性。View the properties for the VM. 专用 IP 地址已列出。The private IP address is listed.

    • PowerShell - 通过此示例查看资源组中的 VM 和专用 IP 地址的列表。PowerShell - Use the example to view a list of VMs and private IP addresses from your resource groups. 在使用此示例之前无需对其进行修改。You don't need to modify this example before using it.

      $VMs = Get-AzVM
      $Nics = Get-AzNetworkInterface | Where VirtualMachine -ne $null
      
      foreach($Nic in $Nics)
      {
      $VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
      $Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
      $Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
      Write-Output "$($VM.Name): $Prv,$Alloc"
      }
      
  2. 验证是否已使用点到站点 VPN 连接连接到 VNet。Verify that you are connected to your VNet using the Point-to-Site VPN connection.

  3. 打开远程桌面连接,方法是:在任务栏的搜索框中键入“RDP”或“远程桌面连接”,并选择“远程桌面连接”。Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on the taskbar, then select Remote Desktop Connection. 也可在 PowerShell 中使用“mstsc”命令打开远程桌面连接。You can also open Remote Desktop Connection using the 'mstsc' command in PowerShell.

  4. 在远程桌面连接中,输入 VM 的专用 IP 地址。In Remote Desktop Connection, enter the private IP address of the VM. 可以通过单击“显示选项”来调整其他设置,并进行连接。You can click "Show Options" to adjust additional settings, then connect.

排查到 VM 的 RDP 连接的问题To troubleshoot an RDP connection to a VM

如果无法通过 VPN 连接连接到虚拟机,请检查以下项目:If you are having trouble connecting to a virtual machine over your VPN connection, check the following:

  • 验证 VPN 连接是否成功。Verify that your VPN connection is successful.
  • 验证是否已连接到 VM 的专用 IP 地址。Verify that you are connecting to the private IP address for the VM.
  • 使用“ipconfig”检查分配给以太网适配器的 IPv4 地址,该适配器所在的计算机正是要从其进行连接的计算机。Use 'ipconfig' to check the IPv4 address assigned to the Ethernet adapter on the computer from which you are connecting. 如果该 IP 地址位于要连接到的 VNet 的地址范围内,或者位于 VPNClientAddressPool 的地址范围内,则称为地址空间重叠。If the IP address is within the address range of the VNet that you are connecting to, or within the address range of your VPNClientAddressPool, this is referred to as an overlapping address space. 当地址空间以这种方式重叠时,网络流量不会抵达 Azure,而是呆在本地网络中。When your address space overlaps in this way, the network traffic doesn't reach Azure, it stays on the local network.
  • 如果可以使用专用 IP 地址连接到 VM,但不能使用计算机名称进行连接,则请验证是否已正确配置 DNS。If you can connect to the VM using the private IP address, but not the computer name, verify that you have configured DNS properly. 若要详细了解如何对 VM 进行名称解析,请参阅针对 VM 的名称解析For more information about how name resolution works for VMs, see Name Resolution for VMs.
  • 验证是否在为 VNet 指定 DNS 服务器 IP 地址之后,才生成 VPN 客户端配置包。Verify that the VPN client configuration package was generated after the DNS server IP addresses were specified for the VNet. 如果更新了 DNS 服务器 IP 地址,请生成并安装新的 VPN 客户端配置包。If you updated the DNS server IP addresses, generate and install a new VPN client configuration package.
  • 若要详细了解 RDP 连接,请参阅排查远程桌面连接到 VM 的问题For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.

添加或删除根证书To add or remove a root certificate

可以在 Azure 中添加和删除受信任的根证书。You can add and remove trusted root certificates from Azure. 删除根证书时,如果客户端的证书是从该根证书生成的,则客户端不能进行身份验证,因此无法进行连接。When you remove a root certificate, clients that have a certificate generated from the root certificate can't authenticate and won't be able to connect. 如果希望客户端进行身份验证和连接,则需安装新客户端证书,该证书是从委托(上传)给 Azure 的根证书生成的。If you want a client to authenticate and connect, you need to install a new client certificate generated from a root certificate that is trusted (uploaded) to Azure.

添加受信任的根证书To add a trusted root certificate

最多可以将 20 个根证书 .cer 文件添加到 Azure。You can add up to 20 root certificate .cer files to Azure. 以下步骤用于添加根证书:The following steps help you add a root certificate:

方法 1Method 1

此方法是上传根证书的最有效方法。This method is the most efficient way to upload a root certificate.

  1. 准备要上传的 .cer 文件:Prepare the .cer file to upload:

    $filePathForCert = "C:\cert\P2SRootCert3.cer"
    $cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)
    $CertBase64_3 = [system.convert]::ToBase64String($cert.RawData)
    $p2srootcert = New-AzVpnClientRootCertificate -Name $P2SRootCertName -PublicCertData $CertBase64_3
    
  2. 上传该文件。Upload the file. 一次只能上传一个文件。You can only upload one file at a time.

    Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName -VirtualNetworkGatewayname "VNet1GW" -ResourceGroupName "TestRG" -PublicCertData $CertBase64_3
    
  3. 若要验证是否已上传证书文件,请执行以下操作:To verify that the certificate file uploaded:

    Get-AzVpnClientRootCertificate -ResourceGroupName "TestRG" `
    -VirtualNetworkGatewayName "VNet1GW"
    

方法 2 - Azure 门户Method 2 - Azure portal

此方法的步骤多于方法 1,但结果相同。This method has more steps than Method 1, but has the same result. 包括此方法是考虑到你可能需要查看证书数据。It is included in case you need to view the certificate data.

  1. 创建并准备要添加到 Azure 的新根证书。Create and prepare the new root certificate to add to Azure. 将公钥导出为 Base-64 编码 X.509 (.CER) 文件并使用文本编辑器打开它。Export the public key as a Base-64 encoded X.509 (.CER) and open it with a text editor. 复制值,如以下示例所示:Copy the values, as shown in the following example:

    证书

    Note

    复制证书数据时,请确保将文本复制为一个无回车符或换行符的连续行。When copying the certificate data, make sure that you copy the text as one continuous line without carriage returns or line feeds. 可能需要在文本编辑器中将视图修改为“显示符号/显示所有字符”以查看回车符和换行符。You may need to modify your view in the text editor to 'Show Symbol/Show all characters' to see the carriage returns and line feeds.

  2. 指定证书名称和密钥信息作为变量。Specify the certificate name and key information as a variable. 将信息替换为自己的值,如以下示例中所示:Replace the information with your own, as shown in the following example:

    $P2SRootCertName2 = "ARMP2SRootCert2.cer"
    $MyP2SCertPubKeyBase64_2 = "MIIC/zCCAeugAwIBAgIQKazxzFjMkp9JRiX+tkTfSzAJBgUrDgMCHQUAMBgxFjAUBgNVBAMTDU15UDJTUm9vdENlcnQwHhcNMTUxMjE5MDI1MTIxWhcNMzkxMjMxMjM1OTU5WjAYMRYwFAYDVQQDEw1NeVAyU1Jvb3RDZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyjIXoWy8xE/GF1OSIvUaA0bxBjZ1PJfcXkMWsHPzvhWc2esOKrVQtgFgDz4ggAnOUFEkFaszjiHdnXv3mjzE2SpmAVIZPf2/yPWqkoHwkmrp6BpOvNVOpKxaGPOuK8+dql1xcL0eCkt69g4lxy0FGRFkBcSIgVTViS9wjuuS7LPo5+OXgyFkAY3pSDiMzQCkRGNFgw5WGMHRDAiruDQF1ciLNojAQCsDdLnI3pDYsvRW73HZEhmOqRRnJQe6VekvBYKLvnKaxUTKhFIYwuymHBB96nMFdRUKCZIiWRIy8Hc8+sQEsAML2EItAjQv4+fqgYiFdSWqnQCPf/7IZbotgQIDAQABo00wSzBJBgNVHQEEQjBAgBAkuVrWvFsCJAdK5pb/eoCNoRowGDEWMBQGA1UEAxMNTXlQMlNSb290Q2VydIIQKazxzFjMkp9JRiX+tkTfSzAJBgUrDgMCHQUAA4IBAQA223veAZEIar9N12ubNH2+HwZASNzDVNqspkPKD97TXfKHlPlIcS43TaYkTz38eVrwI6E0yDk4jAuPaKnPuPYFRj9w540SvY6PdOUwDoEqpIcAVp+b4VYwxPL6oyEQ8wnOYuoAK1hhh20lCbo8h9mMy9ofU+RP6HJ7lTqupLfXdID/XevI8tW6Dm+C/wCeV3EmIlO9KUoblD/e24zlo3YzOtbyXwTIh34T0fO/zQvUuBqZMcIPfM1cDvqcqiEFLWvWKoAnxbzckye2uk1gHO52d8AVL3mGiX8wBJkjc/pMdxrEvvCzJkltBmqxTM6XjDJALuVh16qFlqgTWCIcb7ju"
    
  3. 添加新的根证书。Add the new root certificate. 一次只能添加一个证书。You can only add one certificate at a time.

    Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName2 -VirtualNetworkGatewayname "VNet1GW" -ResourceGroupName "TestRG" -PublicCertData $MyP2SCertPubKeyBase64_2
    
  4. 可以使用以下示例来验证是否已正确添加新证书。You can verify that the new certificate was added correctly by using the following example:

    Get-AzVpnClientRootCertificate -ResourceGroupName "TestRG" `
    -VirtualNetworkGatewayName "VNet1GW"
    

删除根证书To remove a root certificate

  1. 声明变量。Declare the variables.

    $GWName = "Name_of_virtual_network_gateway"
    $RG = "Name_of_resource_group"
    $P2SRootCertName2 = "ARMP2SRootCert2.cer"
    $MyP2SCertPubKeyBase64_2 = "MIIC/zCCAeugAwIBAgIQKazxzFjMkp9JRiX+tkTfSzAJBgUrDgMCHQUAMBgxFjAUBgNVBAMTDU15UDJTUm9vdENlcnQwHhcNMTUxMjE5MDI1MTIxWhcNMzkxMjMxMjM1OTU5WjAYMRYwFAYDVQQDEw1NeVAyU1Jvb3RDZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyjIXoWy8xE/GF1OSIvUaA0bxBjZ1PJfcXkMWsHPzvhWc2esOKrVQtgFgDz4ggAnOUFEkFaszjiHdnXv3mjzE2SpmAVIZPf2/yPWqkoHwkmrp6BpOvNVOpKxaGPOuK8+dql1xcL0eCkt69g4lxy0FGRFkBcSIgVTViS9wjuuS7LPo5+OXgyFkAY3pSDiMzQCkRGNFgw5WGMHRDAiruDQF1ciLNojAQCsDdLnI3pDYsvRW73HZEhmOqRRnJQe6VekvBYKLvnKaxUTKhFIYwuymHBB96nMFdRUKCZIiWRIy8Hc8+sQEsAML2EItAjQv4+fqgYiFdSWqnQCPf/7IZbotgQIDAQABo00wSzBJBgNVHQEEQjBAgBAkuVrWvFsCJAdK5pb/eoCNoRowGDEWMBQGA1UEAxMNTXlQMlNSb290Q2VydIIQKazxzFjMkp9JRiX+tkTfSzAJBgUrDgMCHQUAA4IBAQA223veAZEIar9N12ubNH2+HwZASNzDVNqspkPKD97TXfKHlPlIcS43TaYkTz38eVrwI6E0yDk4jAuPaKnPuPYFRj9w540SvY6PdOUwDoEqpIcAVp+b4VYwxPL6oyEQ8wnOYuoAK1hhh20lCbo8h9mMy9ofU+RP6HJ7lTqupLfXdID/XevI8tW6Dm+C/wCeV3EmIlO9KUoblD/e24zlo3YzOtbyXwTIh34T0fO/zQvUuBqZMcIPfM1cDvqcqiEFLWvWKoAnxbzckye2uk1gHO52d8AVL3mGiX8wBJkjc/pMdxrEvvCzJkltBmqxTM6XjDJALuVh16qFlqgTWCIcb7ju"
    
  2. 删除证书。Remove the certificate.

    Remove-AzVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName2 -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG -PublicCertData $MyP2SCertPubKeyBase64_2
    
  3. 使用以下示例来验证是否已成功删除证书。Use the following example to verify that the certificate was removed successfully.

    Get-AzVpnClientRootCertificate -ResourceGroupName "TestRG" `
    -VirtualNetworkGatewayName "VNet1GW"
    

吊销客户端证书To revoke a client certificate

可以吊销客户端证书。You can revoke client certificates. 证书吊销列表用于选择性地拒绝基于单个客户端证书的点到站点连接。The certificate revocation list allows you to selectively deny Point-to-Site connectivity based on individual client certificates. 这不同于删除受信任的根证书。This is different than removing a trusted root certificate. 如果从 Azure 中删除受信任的根证书 .cer,它会吊销由吊销的根证书生成/签名的所有客户端证书的访问权限。If you remove a trusted root certificate .cer from Azure, it revokes the access for all client certificates generated/signed by the revoked root certificate. 如果吊销客户端证书而非根证书,则可继续使用从根证书生成的其他证书进行身份验证。Revoking a client certificate, rather than the root certificate, allows the other certificates that were generated from the root certificate to continue to be used for authentication.

常见的做法是使用根证书管理团队或组织级别的访问权限,并使用吊销的客户端证书针对单个用户进行精细的访问控制。The common practice is to use the root certificate to manage access at team or organization levels, while using revoked client certificates for fine-grained access control on individual users.

吊销客户端证书Revoke a client certificate

  1. 检索客户端证书指纹。Retrieve the client certificate thumbprint. 有关详细信息,请参阅如何检索证书的指纹For more information, see How to retrieve the Thumbprint of a Certificate.

  2. 将信息复制到一个文本编辑器,删除所有空格,使之成为一个连续的字符串。Copy the information to a text editor and remove all spaces so that it is a continuous string. 该字符串在下一步声明为变量。This string is declared as a variable in the next step.

  3. 声明变量。Declare the variables. 确保声明在前面的步骤中检索的指纹。Make sure to declare the thumbprint you retrieved in the previous step.

    $RevokedClientCert1 = "NameofCertificate"
    $RevokedThumbprint1 = "‎51ab1edd8da4cfed77e20061c5eb6d2ef2f778c7"
    $GWName = "Name_of_virtual_network_gateway"
    $RG = "Name_of_resource_group"
    
  4. 将指纹添加到已吊销证书的列表。Add the thumbprint to the list of revoked certificates. 添加指纹后,会显示“成功”。You see "Succeeded" when the thumbprint has been added.

    Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName $RevokedClientCert1 `
    -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG `
    -Thumbprint $RevokedThumbprint1
    
  5. 确认指纹已添加到证书吊销列表。Verify that the thumbprint was added to the certificate revocation list.

    Get-AzVpnClientRevokedCertificate -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG
    
  6. 添加指纹后,不再可以使用证书来连接。After the thumbprint has been added, the certificate can no longer be used to connect. 客户端在尝试使用此证书进行连接时,会收到一条消息,指出证书不再有效。Clients that try to connect using this certificate receive a message saying that the certificate is no longer valid.

恢复客户端证书To reinstate a client certificate

可以通过从吊销的客户端证书列表中删除指纹来恢复客户端证书。You can reinstate a client certificate by removing the thumbprint from the list of revoked client certificates.

  1. 声明变量。Declare the variables. 确保为需要恢复的证书声明正确的指纹。Make sure you declare the correct thumbprint for the certificate that you want to reinstate.

    $RevokedClientCert1 = "NameofCertificate"
    $RevokedThumbprint1 = "‎51ab1edd8da4cfed77e20061c5eb6d2ef2f778c7"
    $GWName = "Name_of_virtual_network_gateway"
    $RG = "Name_of_resource_group"
    
  2. 从证书吊销列表中删除证书指纹。Remove the certificate thumbprint from the certificate revocation list.

    Remove-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName $RevokedClientCert1 `
    -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG -Thumbprint $RevokedThumbprint1
    
  3. 检查指纹是否已从吊销列表中删除。Check if the thumbprint is removed from the revoked list.

    Get-AzVpnClientRevokedCertificate -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG
    

点到站点常见问题解答Point-to-Site FAQ

在我的点到站点配置中,可以有多少 VPN 客户端终结点?How many VPN client endpoints can I have in my Point-to-Site configuration?

这取决于网关 SKU。It depends on the gateway SKU. 有关支持的连接数的详细信息,请参阅网关 SKUFor more information on the number of connections supported, see Gateway SKUs.

点到站点连接可以用于哪些客户端操作系统?What client operating systems can I use with Point-to-Site?

支持以下客户端操作系统:The following client operating systems are supported:

  • Windows 7(32 位和 64 位)Windows 7 (32-bit and 64-bit)
  • Windows Server 2008 R2(仅 64 位)Windows Server 2008 R2 (64-bit only)
  • Windows 8.1(32 位和 64 位)Windows 8.1 (32-bit and 64-bit)
  • Windows Server 2012(仅 64 位)Windows Server 2012 (64-bit only)
  • Windows Server 2012 R2(仅 64 位)Windows Server 2012 R2 (64-bit only)
  • Windows Server 2016(仅 64 位)Windows Server 2016 (64-bit only)
  • Windows 10Windows 10
  • Mac OS X 版本 10.11 或更高版本Mac OS X version 10.11 or above
  • Linux (StrongSwan)Linux (StrongSwan)
  • iOSiOS

Note

从 2018 年 7 月 1 日开始,Azure VPN 网关将不再支持 TLS 1.0 和 1.1。Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN 网关将仅支持 TLS 1.2。VPN Gateway will support only TLS 1.2. 若要保留支持,请参阅通过更新启用对 TLS1.2 的支持To maintain support, see the updates to enable support for TLS1.2.

另外,TLS 也将于 2018 年 7 月 1 日起弃用以下旧算法:Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:

  • RC4 (Rivest Cipher 4)RC4 (Rivest Cipher 4)
  • DES(数据加密算法)DES (Data Encryption Algorithm)
  • 3DES(三重数据加密算法)3DES (Triple Data Encryption Algorithm)
  • MD5(消息摘要 5)MD5 (Message Digest 5)

如何在 Windows 7 和 Windows 8.1 中启用对 TLS 1.2 的支持?How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?

  1. 右键单击“命令提示符”并选择“以管理员身份运行”,使用提升的权限打开命令提示符。Open a command prompt with elevated privileges by right-clicking on Command Prompt and selecting Run as administrator.

  2. 在命令提示符窗口中运行以下命令:Run the following commands in the command prompt:

    reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v TlsVersion /t REG_DWORD /d 0xfc0
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
    if %PROCESSOR_ARCHITECTURE% EQU AMD64 reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
    
  3. 安装以下更新:Install the following updates:

  4. 重启计算机。Reboot the computer.

  5. 连接到 VPN。Connect to the VPN.

Note

如果运行的是旧版本的 Windows 10 (10240),则必须设置上述注册表项。You will have to set the above registry key if you are running an older version of Windows 10 (10240).

是否可以使用点到站点功能穿越代理和防火墙?Can I traverse proxies and firewalls using Point-to-Site capability?

Azure 支持两种类型的点到站点 VPN 选项:Azure supports two types of Point-to-site VPN options:

  • 安全套接字隧道协议 (SSTP)。Secure Socket Tunneling Protocol (SSTP). SSTP 是 Microsoft 专有的基于 SSL 的解决方案,它可以穿透防火墙,因为大多数防火墙都打开了 443 SSL 使用的 TCP 端口。SSTP is a Microsoft proprietary SSL-based solution that can penetrate firewalls since most firewalls open the TCP port that 443 SSL uses.

  • IKEv2 VPN。IKEv2 VPN. IKEv2 VPN 是一个基于标准的 IPsec VPN 解决方案,它使用 UDP 端口 500 和 4500 以及 IP 协议号 IKEv2 VPN is a standards-based IPsec VPN solution that uses UDP port 500 and 4500 and IP protocol no. 50。50. 防火墙并非始终打开这些端口,因此,IKEv2 VPN 有可能无法穿过代理和防火墙。Firewalls do not always open these ports, so there is a possibility of IKEv2 VPN not being able to traverse proxies and firewalls.

如果重新启动进行过点到站点配置的客户端计算机,是否会自动重新连接 VPN?If I restart a client computer configured for Point-to-Site, will the VPN automatically reconnect?

默认情况下,客户端计算机不自动重新建立 VPN 连接。By default, the client computer will not reestablish the VPN connection automatically.

点到站点在 VPN 客户端上是否支持自动重新连接和 DDNS?Does Point-to-Site support auto-reconnect and DDNS on the VPN clients?

点到站点 VPN 中当前不支持自动重新连接和 DDNS。Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.

对于同一虚拟网络,站点到站点和点到站点配置能否共存?Can I have Site-to-Site and Point-to-Site configurations coexist for the same virtual network?

是的。Yes. 对于资源管理器部署模型,必须为网关使用 RouteBased VPN 类型。For the Resource Manager deployment model, you must have a RouteBased VPN type for your gateway. 对于经典部署模型,需要一个动态网关。For the classic deployment model, you need a dynamic gateway. 不支持将点到站点配置用于静态路由 VPN 网关或 PolicyBased VPN 网关。We do not support Point-to-Site for static routing VPN gateways or PolicyBased VPN gateways.

是否可以将点到站点客户端配置为同时连接到多个虚拟网络?Can I configure a Point-to-Site client to connect to multiple virtual networks at the same time?

否。No. 点到站点客户端只能连接到虚拟网络网关所在的 VNet 中的资源。A Point-to-Site client can only connect to resources in the VNet in which the virtual network gateway resides.

预计通过站点到站点连接或点到站点连接的吞吐量有多少?How much throughput can I expect through Site-to-Site or Point-to-Site connections?

很难维持 VPN 隧道的准确吞吐量。It's difficult to maintain the exact throughput of the VPN tunnels. IPsec 和 SSTP 是重重加密的 VPN 协议。IPsec and SSTP are crypto-heavy VPN protocols. 本地网络与 Internet 之间的延迟和带宽也限制了吞吐量。Throughput is also limited by the latency and bandwidth between your premises and the Internet. 对于仅具有 IKEv2 点到站点 VPN 连接的 VPN 网关,期望可以实现的总吞吐量取决于网关 SKU。For a VPN Gateway with only IKEv2 Point-to-Site VPN connections, the total throughput that you can expect depends on the Gateway SKU. 有关吞吐量的详细信息,请参阅网关 SKUFor more information on throughput, see Gateway SKUs.

是否可以将任何软件 VPN 客户端用于支持 SSTP 和/或 IKEv2 的点到站点配置?Can I use any software VPN client for Point-to-Site that supports SSTP and/or IKEv2?

否。No. 只能将 Windows 上的本机 VPN 客户端用于 SSTP,只能将 Mac 上的本机 VPN 客户端用于 IKEv2。You can only use the native VPN client on Windows for SSTP, and the native VPN client on Mac for IKEv2. 请参阅支持的客户端操作系统的列表。Refer to the list of supported client operating systems.

Azure 是否支持使用 Windows 的 IKEv2 VPN?Does Azure support IKEv2 VPN with Windows?

在 Windows 10 和 Server 2016 上支持 IKEv2。IKEv2 is supported on Windows 10 and Server 2016. 但是,若要使用 IKEv2,必须在本地安装更新并设置注册表项值。However, in order to use IKEv2, you must install updates and set a registry key value locally. Windows 10 以前的 OS 版本不受支持,并且只能使用 SSTP。OS versions prior to Windows 10 are not supported and can only use SSTP.

为运行 IKEv2 准备 Windows 10 或 Server 2016:To prepare Windows 10 or Server 2016 for IKEv2:

  1. 安装更新。Install the update.

    OS 版本OS version 日期Date 编号/链接Number/Link
    Windows Server 2016Windows Server 2016
    Windows 10 版本 1607Windows 10 Version 1607
    2018 年 1 月 17 日January 17, 2018 KB4057142KB4057142
    Windows 10 版本 1703Windows 10 Version 1703 2018 年 1 月 17 日January 17, 2018 KB4057144KB4057144
    Windows 10 版本 1709Windows 10 Version 1709 2018 年 3 月 22 日March 22, 2018 KB4089848KB4089848
  2. 设置注册表项值。Set the registry key value. 在注册表中创建“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\ IKEv2\DisableCertReqPayload”REG_DWORD 键或将其设置为 1。Create or set “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\ IKEv2\DisableCertReqPayload” REG_DWORD key in the registry to 1.

为 P2S VPN 连接配置 SSTP 和 IKEv2 时,会发生什么情况?What happens when I configure both SSTP and IKEv2 for P2S VPN connections?

在混合环境(包括 Windows 和 Mac 设备)中同时配置了 SSTP 和 IKEv2 时,Windows VPN 客户端始终将先尝试使用 IKEv2 隧道,但如果 IKEv2 连接不成功将回退到 SSTP。When you configure both SSTP and IKEv2 in a mixed environment (consisting of Windows and Mac devices), the Windows VPN client will always try IKEv2 tunnel first, but will fall back to SSTP if the IKEv2 connection is not successful. MacOSX 将仅通过 IKEv2 进行连接。MacOSX will only connect via IKEv2.

除了 Windows 和 Mac 以外,Azure 还支持在其他哪些平台上使用 P2S VPN?Other than Windows and Mac, which other platforms does Azure support for P2S VPN?

Azure 支持将 Windows、Mac 和 Linux 用于 P2S VPN。Azure supports Windows, Mac and Linux for P2S VPN.

我已部署 Azure VPN 网关。I already have an Azure VPN Gateway deployed. 是否可在该网关上启用 RADIUS 和/或 IKEv2 VPN?Can I enable RADIUS and/or IKEv2 VPN on it?

是的,可以使用 Powershell 或 Azure 门户在已部署的网关上启用这些新功能,前提是所用网关 SKU 支持 RADIUS 和/或 IKEv2。Yes, you can enable these new features on already deployed gateways using Powershell or the Azure portal, provided that the gateway SKU that you are using supports RADIUS and/or IKEv2. 例如,VPN 网关基本 SKU 不支持 RADIUS 或 IKEv2。For example, the VPN gateway Basic SKU does not support RADIUS or IKEv2.

是否可以将我自己的内部 PKI 根 CA 用于点到站点连接?Can I use my own internal PKI root CA for Point-to-Site connectivity?

是的。Yes. 以前只可使用自签名根证书。Previously, only self-signed root certificates could be used. 仍可上传 20 个根证书。You can still upload 20 root certificates.

可以使用哪些工具来创建证书?What tools can I use to create certificates?

可以使用企业 PKI 解决方案(内部 PKI)、Azure PowerShell、MakeCert 和 OpenSSL。You can use your Enterprise PKI solution (your internal PKI), Azure PowerShell, MakeCert, and OpenSSL.

是否有证书设置和参数的说明?Are there instructions for certificate settings and parameters?

  • 内部 PKI/企业 PKI 解决方案: 请参阅生成证书的步骤。Internal PKI/Enterprise PKI solution: See the steps to Generate certificates.

  • Azure PowerShell: 请参阅 Azure PowerShell 一文了解相关步骤。Azure PowerShell: See the Azure PowerShell article for steps.

  • MakeCert: 请参阅 MakeCert 一文了解相关步骤。MakeCert: See the MakeCert article for steps.

  • OpenSSL:OpenSSL:

    • 导出证书时,请务必将根证书转换为 Base64。When exporting certificates, be sure to convert the root certificate to Base64.

    • 对于客户端证书:For the client certificate:

      • 创建私钥时,请将长度指定为 4096。When creating the private key, specify the length as 4096.
      • 创建证书时,对于 -extensions 参数,指定 usr_certWhen creating the certificate, for the -extensions parameter, specify usr_cert.

后续步骤Next steps

连接完成后,即可将虚拟机添加到虚拟网络。Once your connection is complete, you can add virtual machines to your virtual networks. 有关详细信息,请参阅虚拟机For more information, see Virtual Machines. 若要详细了解网络和虚拟机,请参阅 Azure 和 Linux VM 网络概述To understand more about networking and virtual machines, see Azure and Linux VM network overview.

有关 P2S 故障排除信息,请参阅故障排除:Azure 点到站点连接问题For P2S troubleshooting information, Troubleshooting: Azure point-to-site connection problems.