Configure IPsec/IKE policy for S2S VPN or VNet-to-VNet connections

This article walks you through the steps to configure an IPsec/IKE policy for Site-to-Site VPN or VNet-to-VNet connections using the Resource Manager deployment model and PowerShell.

About IPsec and IKE policy parameters for Azure VPN gateways

The IPsec and IKE protocol standards support a wide range of cryptographic algorithms in various combinations. Refer to About cryptographic requirements and Azure VPN gateways to see how this can help ensure that cross-premises and VNet-to-VNet connectivity satisfies your compliance or security requirements.

This article provides instructions to create and configure an IPsec/IKE policy and apply it to a new or existing connection:

Important

  1. Note that IPsec/IKE policy only works on the following gateway SKUs:
    • VpnGw1, VpnGw2, VpnGw3 (route-based)
    • Standard and HighPerformance (route-based)
  2. You can only specify one policy combination for a given connection.
  3. You must specify all algorithms and parameters for both IKE (Main Mode) and IPsec (Quick Mode). Partial policy specification is not allowed.
  4. Consult your VPN device vendor specifications to ensure the policy is supported on your on-premises VPN devices. S2S or VNet-to-VNet connections cannot be established if the policies are incompatible.

Part 1 - Workflow to create and set IPsec/IKE policy

This section outlines the workflow to create and update an IPsec/IKE policy on an S2S VPN or VNet-to-VNet connection:

  1. Create a virtual network and a VPN gateway
  2. Create a local network gateway for a cross-premises connection, or another virtual network and gateway for a VNet-to-VNet connection
  3. Create an IPsec/IKE policy with the selected algorithms and parameters
  4. Create a connection (IPsec or VNet2VNet) with the IPsec/IKE policy
  5. Add/update/remove an IPsec/IKE policy for an existing connection

The instructions in this article help you set up and configure IPsec/IKE policies as shown in the diagram:

[Diagram: ipsec-ike-policy]

Part 2 - Supported cryptographic algorithms & key strengths

The following table lists the supported cryptographic algorithms and key strengths configurable by the customers:

IPsec/IKEv2         Options
IKEv2 Encryption    AES256, AES192, AES128, DES3, DES
IKEv2 Integrity     SHA384, SHA256, SHA1, MD5
DH Group            DHGroup24, ECP384, ECP256, DHGroup14, DHGroup2048, DHGroup2, DHGroup1, None
IPsec Encryption    GCMAES256, GCMAES192, GCMAES128, AES256, AES192, AES128, DES3, DES, None
IPsec Integrity     GCMAES256, GCMAES192, GCMAES128, SHA256, SHA1, MD5
PFS Group           PFS24, ECP384, ECP256, PFS2048, PFS2, PFS1, None
QM SA Lifetime      (Optional: default values are used if not specified)
                    Seconds (integer; min. 300/default 27000 seconds)
                    KBytes (integer; min. 1024/default 102400000 KBytes)
Traffic Selector    UsePolicyBasedTrafficSelectors** ($True/$False; optional, default $False if not specified)

Important

  1. Your on-premises VPN device configuration must match or contain the following algorithms and parameters that you specify in the Azure IPsec/IKE policy:

    • IKE encryption algorithm (Main Mode / Phase 1)
    • IKE integrity algorithm (Main Mode / Phase 1)
    • DH Group (Main Mode / Phase 1)
    • IPsec encryption algorithm (Quick Mode / Phase 2)
    • IPsec integrity algorithm (Quick Mode / Phase 2)
    • PFS Group (Quick Mode / Phase 2)
    • Traffic Selector (if UsePolicyBasedTrafficSelectors is used)
    • The SA lifetimes are local specifications only and do not need to match.
  2. If GCMAES is used as the IPsec encryption algorithm, you must select the same GCMAES algorithm and key length for IPsec integrity; for example, use GCMAES128 for both.
  3. In the table above:

    • IKEv2 corresponds to Main Mode or Phase 1
    • IPsec corresponds to Quick Mode or Phase 2
    • DH Group specifies the Diffie-Hellman group used in Main Mode or Phase 1
    • PFS Group specifies the Diffie-Hellman group used in Quick Mode or Phase 2
  4. The IKEv2 Main Mode SA lifetime is fixed at 28,800 seconds on the Azure VPN gateways.
  5. Setting "UsePolicyBasedTrafficSelectors" to $True on a connection configures the Azure VPN gateway to connect to a policy-based VPN firewall on premises. If you enable PolicyBasedTrafficSelectors, you need to ensure your VPN device has matching traffic selectors defined for all combinations of your on-premises network (local network gateway) prefixes to/from the Azure virtual network prefixes, instead of any-to-any. For example, if your on-premises network prefixes are 10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to specify the following traffic selectors:

    • 10.1.0.0/16 <====> 192.168.0.0/16
    • 10.1.0.0/16 <====> 172.16.0.0/16
    • 10.2.0.0/16 <====> 192.168.0.0/16
    • 10.2.0.0/16 <====> 172.16.0.0/16

For more information regarding policy-based traffic selectors, see Connect multiple on-premises policy-based VPN devices.

The following table lists the corresponding Diffie-Hellman groups supported by the custom policy:

Diffie-Hellman Group   DHGroup                  PFSGroup   Key length
1                      DHGroup1                 PFS1       768-bit MODP
2                      DHGroup2                 PFS2       1024-bit MODP
14                     DHGroup14, DHGroup2048   PFS2048    2048-bit MODP
19                     ECP256                   ECP256     256-bit ECP
20                     ECP384                   ECP384     384-bit ECP
24                     DHGroup24                PFS24      2048-bit MODP

Refer to RFC3526 and RFC5114 for more details.
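As an added example (not from the original article), the following PowerShell checks a candidate policy against the algorithm table, the Diffie-Hellman group table and the Important notes above before creating it with New-AzIpsecPolicy. Test-IpsecIkePolicyChoice and the $candidate hashtable are this example's own names; the legacy-algorithm list and the 2048-bit threshold are the example's own review choices, not Azure rules.

```powershell
# Added example, not part of the original article. Allowed values and group key lengths
# are taken from the Part 2 tables (PFS14 is included because the Part 4 script uses it);
# the legacy list and the 2048-bit MODP threshold are this example's own review choices.
$AllowedValues = @{
    IkeEncryption   = 'AES256','AES192','AES128','DES3','DES'
    IkeIntegrity    = 'SHA384','SHA256','SHA1','MD5'
    DhGroup         = 'DHGroup24','ECP384','ECP256','DHGroup14','DHGroup2048','DHGroup2','DHGroup1','None'
    IpsecEncryption = 'GCMAES256','GCMAES192','GCMAES128','AES256','AES192','AES128','DES3','DES','None'
    IpsecIntegrity  = 'GCMAES256','GCMAES192','GCMAES128','SHA256','SHA1','MD5'
    PfsGroup        = 'PFS24','ECP384','ECP256','PFS2048','PFS14','PFS2','PFS1','None'
}
# Key strength of each Diffie-Hellman group (from the group table above).
$GroupBits = @{
    DHGroup1 = 768; PFS1 = 768; DHGroup2 = 1024; PFS2 = 1024; ECP256 = 256; ECP384 = 384
    DHGroup14 = 2048; DHGroup2048 = 2048; PFS2048 = 2048; PFS14 = 2048; DHGroup24 = 2048; PFS24 = 2048
}
# Algorithms this example treats as legacy for new tunnels (a review choice, not an Azure rule).
$Legacy = 'DES','DES3','MD5','SHA1','DHGroup1','DHGroup2','PFS1','PFS2'

# Returns a list of findings; entries starting with "WARN:" are advisory, all others block creation.
function Test-IpsecIkePolicyChoice {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $problems = @()
    # Partial policies are not allowed: every algorithm must be present and supported.
    foreach ($name in $AllowedValues.Keys) {
        if (-not $Policy.ContainsKey($name)) {
            $problems += "missing parameter $name"
        } elseif ($AllowedValues[$name] -notcontains $Policy[$name]) {
            $problems += "$name '$($Policy[$name])' is not a supported value"
        }
    }
    if ($problems.Count -gt 0) { return $problems }
    # GCMAES for IPsec encryption requires the same GCMAES algorithm for IPsec integrity.
    $enc = $Policy.IpsecEncryption; $int = $Policy.IpsecIntegrity
    if (($enc -like 'GCMAES*' -or $int -like 'GCMAES*') -and $enc -ne $int) {
        $problems += "GCMAES requires identical IpsecEncryption and IpsecIntegrity (got $enc / $int)"
    }
    # QM SA lifetime minimums from the table; the defaults apply when the keys are omitted.
    if ($Policy.ContainsKey('SALifeTimeSeconds') -and $Policy.SALifeTimeSeconds -lt 300) {
        $problems += 'SALifeTimeSeconds must be at least 300'
    }
    if ($Policy.ContainsKey('SADataSizeKilobytes') -and $Policy.SADataSizeKilobytes -lt 1024) {
        $problems += 'SADataSizeKilobytes must be at least 1024'
    }
    # Advisory checks: legacy algorithms and MODP groups shorter than 2048 bits.
    foreach ($name in $AllowedValues.Keys) {
        if ($Legacy -contains $Policy[$name]) { $problems += "WARN: $name $($Policy[$name]) is a legacy algorithm" }
    }
    foreach ($name in 'DhGroup','PfsGroup') {
        $g = $Policy[$name]
        if ($g -ne 'None' -and $g -notlike 'ECP*' -and $GroupBits[$g] -lt 2048) {
            $problems += "WARN: $name $g is only $($GroupBits[$g])-bit MODP"
        }
    }
    return $problems
}

# Constructed candidate: the Part 3 policy with DHGroup2 swapped in, so warnings are expected.
$candidate = @{
    IkeEncryption = 'AES256'; IkeIntegrity = 'SHA384'; DhGroup = 'DHGroup2'
    IpsecEncryption = 'AES256'; IpsecIntegrity = 'SHA256'; PfsGroup = 'None'
    SALifeTimeSeconds = 14400; SADataSizeKilobytes = 102400000
}
$findings = @(Test-IpsecIkePolicyChoice -Policy $candidate)
$blocking = @($findings | Where-Object { $_ -notlike 'WARN:*' })
if ($blocking.Count -gt 0) {
    $blocking | ForEach-Object { Write-Error $_ }   # do not create a policy Azure would reject
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    # The hashtable keys match the New-AzIpsecPolicy parameter names, so it can be splatted.
    $ipsecpolicy = New-AzIpsecPolicy @candidate
}
```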

Part 3 - Create a new S2S VPN connection with IPsec/IKE policy

This section walks you through the steps of creating an S2S VPN connection with an IPsec/IKE policy. The following steps create the connection as shown in the diagram:

[Diagram: s2s-policy]

See Create an S2S VPN connection for more detailed step-by-step instructions for creating an S2S VPN connection.

Before you begin

  • Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can sign up for a Trial Account.
  • Install the Azure Resource Manager PowerShell cmdlets. See Overview of Azure PowerShell for more information about installing the PowerShell cmdlets.

Step 1 - Create the virtual network, VPN gateway, and local network gateway

1. Declare your variables

For this exercise, we start by declaring our variables. Be sure to replace the values with your own when configuring for production.

$Sub1          = "<YourSubscriptionName>"
$RG1           = "TestPolicyRG1"
$Location1     = "China North"
$VNetName1     = "TestVNet1"
$FESubName1    = "FrontEnd"
$BESubName1    = "Backend"
$GWSubName1    = "GatewaySubnet"
$VNetPrefix11  = "10.11.0.0/16"
$VNetPrefix12  = "10.12.0.0/16"
$FESubPrefix1  = "10.11.0.0/24"
$BESubPrefix1  = "10.12.0.0/24"
$GWSubPrefix1  = "10.12.255.0/27"
$DNS1          = "8.8.8.8"
$GWName1       = "VNet1GW"
$GW1IPName1    = "VNet1GWIP1"
$GW1IPconf1    = "gw1ipconf1"
$Connection16  = "VNet1toSite6"

$LNGName6      = "Site6"
$LNGPrefix61   = "10.61.0.0/16"
$LNGPrefix62   = "10.62.0.0/16"
$LNGIP6        = "131.107.72.22"

2. Connect to your subscription and create a new resource group

Make sure you switch to PowerShell mode to use the Resource Manager cmdlets. For more information, see Using Windows PowerShell with Resource Manager.

Open your PowerShell console and connect to your account. Use the following sample to help you connect:

Connect-AzAccount -Environment AzureChinaCloud
Select-AzSubscription -SubscriptionName $Sub1
New-AzResourceGroup -Name $RG1 -Location $Location1

3. Create the virtual network, VPN gateway, and local network gateway

The following sample creates the virtual network, TestVNet1, with three subnets, and the VPN gateway. When substituting values, it's important that you always name your gateway subnet specifically GatewaySubnet. If you name it something else, your gateway creation fails.

$fesub1 = New-AzVirtualNetworkSubnetConfig -Name $FESubName1 -AddressPrefix $FESubPrefix1
$besub1 = New-AzVirtualNetworkSubnetConfig -Name $BESubName1 -AddressPrefix $BESubPrefix1
$gwsub1 = New-AzVirtualNetworkSubnetConfig -Name $GWSubName1 -AddressPrefix $GWSubPrefix1

New-AzVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1 -Location $Location1 -AddressPrefix $VNetPrefix11,$VNetPrefix12 -Subnet $fesub1,$besub1,$gwsub1

$gw1pip1    = New-AzPublicIpAddress -Name $GW1IPName1 -ResourceGroupName $RG1 -Location $Location1 -AllocationMethod Dynamic
$vnet1      = Get-AzVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1
$subnet1    = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet1
$gw1ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name $GW1IPconf1 -Subnet $subnet1 -PublicIpAddress $gw1pip1

New-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1 -Location $Location1 -IpConfigurations $gw1ipconf1 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

New-AzLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1 -Location $Location1 -GatewayIpAddress $LNGIP6 -AddressPrefix $LNGPrefix61,$LNGPrefix62

Step 2 - Create an S2S VPN connection with an IPsec/IKE policy

1. Create an IPsec/IKE policy

The following sample script creates an IPsec/IKE policy with the following algorithms and parameters:

  • IKEv2: AES256, SHA384, DHGroup24
  • IPsec: AES256, SHA256, PFS None, SA Lifetime 14400 seconds & 102400000KB

$ipsecpolicy6 = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000

If you use GCMAES for IPsec, you must use the same GCMAES algorithm and key length for both IPsec encryption and integrity. For the example above, the corresponding parameters would be "-IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256" when using GCMAES256.

2. Create the S2S VPN connection with the IPsec/IKE policy

Create an S2S VPN connection and apply the IPsec/IKE policy created earlier.

$vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1  -ResourceGroupName $RG1
$lng6 = Get-AzLocalNetworkGateway  -Name $LNGName6 -ResourceGroupName $RG1

New-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location $Location1 -ConnectionType IPsec -IpsecPolicies $ipsecpolicy6 -SharedKey 'AzureA1b2C3'

You can optionally add "-UsePolicyBasedTrafficSelectors $True" to the create connection cmdlet to enable the Azure VPN gateway to connect to policy-based VPN devices on premises, as described above.

Important

Once an IPsec/IKE policy is specified on a connection, the Azure VPN gateway will only send or accept IPsec/IKE proposals with the specified cryptographic algorithms and key strengths on that particular connection. Make sure your on-premises VPN device for the connection uses or accepts the exact policy combination; otherwise the S2S VPN tunnel will not establish.

Part 4 - Create a new VNet-to-VNet connection with IPsec/IKE policy

The steps for creating a VNet-to-VNet connection with an IPsec/IKE policy are similar to those for an S2S VPN connection. The following sample scripts create the connection as shown in the diagram:

[Diagram: v2v-policy]

See Create a VNet-to-VNet connection for more detailed steps for creating a VNet-to-VNet connection. You must complete Part 3 to create and configure TestVNet1 and the VPN gateway.

Step 1 - Create the second virtual network and VPN gateway

1. Declare your variables

Be sure to replace the values with the ones that you want to use for your configuration.

$RG2          = "TestPolicyRG2"
$Location2    = "China North"
$VNetName2    = "TestVNet2"
$FESubName2   = "FrontEnd"
$BESubName2   = "Backend"
$GWSubName2   = "GatewaySubnet"
$VNetPrefix21 = "10.21.0.0/16"
$VNetPrefix22 = "10.22.0.0/16"
$FESubPrefix2 = "10.21.0.0/24"
$BESubPrefix2 = "10.22.0.0/24"
$GWSubPrefix2 = "10.22.255.0/27"
$DNS2         = "8.8.8.8"
$GWName2      = "VNet2GW"
$GW2IPName1   = "VNet2GWIP1"
$GW2IPconf1   = "gw2ipconf1"
$Connection21 = "VNet2toVNet1"
$Connection12 = "VNet1toVNet2"

2. Create the second virtual network and VPN gateway in the new resource group

New-AzResourceGroup -Name $RG2 -Location $Location2

$fesub2 = New-AzVirtualNetworkSubnetConfig -Name $FESubName2 -AddressPrefix $FESubPrefix2
$besub2 = New-AzVirtualNetworkSubnetConfig -Name $BESubName2 -AddressPrefix $BESubPrefix2
$gwsub2 = New-AzVirtualNetworkSubnetConfig -Name $GWSubName2 -AddressPrefix $GWSubPrefix2

New-AzVirtualNetwork -Name $VNetName2 -ResourceGroupName $RG2 -Location $Location2 -AddressPrefix $VNetPrefix21,$VNetPrefix22 -Subnet $fesub2,$besub2,$gwsub2

$gw2pip1    = New-AzPublicIpAddress -Name $GW2IPName1 -ResourceGroupName $RG2 -Location $Location2 -AllocationMethod Dynamic
$vnet2      = Get-AzVirtualNetwork -Name $VNetName2 -ResourceGroupName $RG2
$subnet2    = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet2
$gw2ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name $GW2IPconf1 -Subnet $subnet2 -PublicIpAddress $gw2pip1

New-AzVirtualNetworkGateway -Name $GWName2 -ResourceGroupName $RG2 -Location $Location2 -IpConfigurations $gw2ipconf1 -GatewayType Vpn -VpnType RouteBased -GatewaySku HighPerformance

Step 2 - Create a VNet-to-VNet connection with the IPsec/IKE policy

Similar to the S2S VPN connection, create an IPsec/IKE policy and then apply the policy to the new connection.

1. Create an IPsec/IKE policy

The following sample script creates a different IPsec/IKE policy with the following algorithms and parameters:

  • IKEv2: AES128, SHA1, DHGroup14
  • IPsec: GCMAES128, GCMAES128, PFS14, SA Lifetime 14400 seconds & 102400000KB

$ipsecpolicy2 = New-AzIpsecPolicy -IkeEncryption AES128 -IkeIntegrity SHA1 -DhGroup DHGroup14 -IpsecEncryption GCMAES128 -IpsecIntegrity GCMAES128 -PfsGroup PFS14 -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000

2. Create VNet-to-VNet connections with the IPsec/IKE policy

Create a VNet-to-VNet connection and apply the IPsec/IKE policy you created. In this example, both gateways are in the same subscription, so it is possible to create and configure both connections with the same IPsec/IKE policy in the same PowerShell session.

$vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1  -ResourceGroupName $RG1
$vnet2gw = Get-AzVirtualNetworkGateway -Name $GWName2  -ResourceGroupName $RG2

New-AzVirtualNetworkGatewayConnection -Name $Connection12 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -VirtualNetworkGateway2 $vnet2gw -Location $Location1 -ConnectionType Vnet2Vnet -IpsecPolicies $ipsecpolicy2 -SharedKey 'AzureA1b2C3'

New-AzVirtualNetworkGatewayConnection -Name $Connection21 -ResourceGroupName $RG2 -VirtualNetworkGateway1 $vnet2gw -VirtualNetworkGateway2 $vnet1gw -Location $Location2 -ConnectionType Vnet2Vnet -IpsecPolicies $ipsecpolicy2 -SharedKey 'AzureA1b2C3'

Important

Once an IPsec/IKE policy is specified on a connection, the Azure VPN gateway will only send or accept IPsec/IKE proposals with the specified cryptographic algorithms and key strengths on that particular connection. Make sure the IPsec policies for both connections are the same; otherwise the VNet-to-VNet connection will not establish.

After completing these steps, the connection is established in a few minutes, and you will have the network topology shown at the beginning:

[Diagram: ipsec-ike-policy]

Part 5 - Update IPsec/IKE policy for a connection

The last section shows you how to manage the IPsec/IKE policy for an existing S2S or VNet-to-VNet connection. The exercise below walks you through the following operations on a connection:

  1. Show the IPsec/IKE policy of a connection
  2. Add or update the IPsec/IKE policy on a connection
  3. Remove the IPsec/IKE policy from a connection

The same steps apply to both S2S and VNet-to-VNet connections.

Important

IPsec/IKE policy is supported on Standard and HighPerformance route-based VPN gateways only. It does not work on the Basic gateway SKU or on policy-based VPN gateways.

1. Show the IPsec/IKE policy of a connection

The following example shows how to get the IPsec/IKE policy configured on a connection. The scripts also continue from the exercises above.

$RG1          = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6  = Get-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
$connection6.IpsecPolicies

The last command lists the current IPsec/IKE policy configured on the connection, if there is one. The following is sample output for the connection:

SALifeTimeSeconds   : 14400
SADataSizeKilobytes : 102400000
IpsecEncryption     : AES256
IpsecIntegrity      : SHA256
IkeEncryption       : AES256
IkeIntegrity        : SHA384
DhGroup             : DHGroup24
PfsGroup            : PFS24

If there is no IPsec/IKE policy configured, the command (PS> $connection6.IpsecPolicies) returns nothing. This does not mean IPsec/IKE is not configured on the connection, only that there is no custom IPsec/IKE policy; the actual connection uses the default policy negotiated between your on-premises VPN device and the Azure VPN gateway.

2. Add or update an IPsec/IKE policy for a connection

The steps to add a new policy or update an existing policy on a connection are the same: create a new policy, then apply the new policy to the connection.

$RG1          = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6  = Get-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1

$newpolicy6   = New-AzIpsecPolicy -IkeEncryption AES128 -IkeIntegrity SHA1 -DhGroup DHGroup14 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000

Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection6 -IpsecPolicies $newpolicy6

To enable "UsePolicyBasedTrafficSelectors" when connecting to an on-premises policy-based VPN device, add the "-UsePolicyBasedTrafficSelectors $True" parameter to the cmdlet, or set it to $False to disable the option:

Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection6 -IpsecPolicies $newpolicy6 -UsePolicyBasedTrafficSelectors $True

You can get the connection again to check whether the policy has been updated.

$connection6  = Get-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
$connection6.IpsecPolicies

You should see output from the last line, as shown in the following example:

SALifeTimeSeconds   : 14400
SADataSizeKilobytes : 102400000
IpsecEncryption     : AES256
IpsecIntegrity      : SHA256
IkeEncryption       : AES128
IkeIntegrity        : SHA1
DhGroup             : DHGroup14
PfsGroup            : None

3. Remove an IPsec/IKE policy from a connection

Once you remove the custom policy from a connection, the Azure VPN gateway reverts to the default list of IPsec/IKE proposals and renegotiates with your on-premises VPN device.

$RG1           = "TestPolicyRG1"
$Connection16  = "VNet1toSite6"
$connection6   = Get-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1

$currentpolicy = $connection6.IpsecPolicies[0]
$connection6.IpsecPolicies.Remove($currentpolicy)

Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection6

You can use the same script to check whether the policy has been removed from the connection.
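As an added example (not part of the original article) that combines the Part 4 requirement that both VNet-to-VNet connections carry the same policy with the show and update steps of Part 5: it reads the policy from each direction, reports field-by-field differences, and re-applies the reference policy where they diverge. Compare-IpsecPolicy and Sync-VNetToVNetPolicy are this example's own names; the resource group and connection names are the ones declared in Part 4.

```powershell
# Added example, not from the original article. Reads the IpsecPolicies of both
# VNet-to-VNet connections (Part 5 step 1) and, if they differ, applies the
# reference policy to the other direction (Part 5 step 2), because a mismatch
# prevents the VNet-to-VNet connection from establishing.
$PolicyFields = 'IkeEncryption','IkeIntegrity','DhGroup',
                'IpsecEncryption','IpsecIntegrity','PfsGroup',
                'SALifeTimeSeconds','SADataSizeKilobytes'

# Returns the fields whose values differ, or an empty list when the policies match.
# A side with no custom policy ($null) differs from a side that has one.
function Compare-IpsecPolicy {
    param($Reference, $Candidate)
    if ($null -eq $Reference -and $null -eq $Candidate) { return @() }
    if ($null -eq $Reference -or $null -eq $Candidate) {
        return @('custom policy present on one side only')
    }
    $diff = @()
    foreach ($f in $PolicyFields) {
        if ("$($Reference.$f)" -ne "$($Candidate.$f)") {
            $diff += "$f : $($Reference.$f) <> $($Candidate.$f)"
        }
    }
    return $diff
}

function Sync-VNetToVNetPolicy {
    param(
        [Parameter(Mandatory)][string]$RG1, [Parameter(Mandatory)][string]$Connection12,
        [Parameter(Mandatory)][string]$RG2, [Parameter(Mandatory)][string]$Connection21
    )
    $c12 = Get-AzVirtualNetworkGatewayConnection -Name $Connection12 -ResourceGroupName $RG1
    $c21 = Get-AzVirtualNetworkGatewayConnection -Name $Connection21 -ResourceGroupName $RG2
    # IpsecPolicies is empty when the connection uses only the default proposals.
    $p12 = if ($c12.IpsecPolicies.Count -gt 0) { $c12.IpsecPolicies[0] } else { $null }
    $p21 = if ($c21.IpsecPolicies.Count -gt 0) { $c21.IpsecPolicies[0] } else { $null }

    $diff = @(Compare-IpsecPolicy -Reference $p12 -Candidate $p21)
    if ($diff.Count -eq 0) {
        Write-Output "$Connection12 and $Connection21 carry the same IPsec/IKE policy"
        return
    }
    $diff | ForEach-Object { Write-Warning $_ }
    if ($null -eq $p12) {
        Write-Warning "$Connection12 has no custom policy; remove it from $Connection21 or set one on both"
        return
    }
    # Apply the reference policy and the same traffic selector setting to the other direction.
    Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $c21 `
        -IpsecPolicies $p12 -UsePolicyBasedTrafficSelectors $c12.UsePolicyBasedTrafficSelectors
    Write-Output "Re-applied the $Connection12 policy to $Connection21"
}

Sync-VNetToVNetPolicy -RG1 'TestPolicyRG1' -Connection12 'VNet1toVNet2' -RG2 'TestPolicyRG2' -Connection21 'VNet2toVNet1'
```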

Next steps

See Connect multiple on-premises policy-based VPN devices for more details regarding policy-based traffic selectors.

Once your connection is complete, you can add virtual machines to your virtual networks. See Create a Virtual Machine for steps.