Upgrading The IPsec/IKE Policy To The Azure Site-To-Site VPN Connection Using The Azure Portal

Introduction

 
In our previous article we learned how to upgrade the IPsec/IKE policy to the Azure Site-to-Site VPN Connection using PowerShell. In this article, we are going to learn how to configure an IPsec/IKE policy for site-to-site (S2S) VPN connections using the Azure Portal.
 
Step 1
 
Before upgrading the connection, verify that the following resources are configured in the Azure portal.
  • Virtual Network
  • Gateway subnet
  • VPN Gateway
  • Local Network Gateway
  • VPN connection
If you have not yet configured the VPN setup, please follow this link to learn about Implementing Azure Site To Site VPN.
 
Step 2
 
In the Azure Portal, go to the correct “Resource group” and then open the “VPN Connection”.
 
In this demo, our connection name is “Site2-to-Site1”.
 
Step 3
 
Make sure that the connection is up and running without any issue.
 
Step 4
 
Go to “Configuration” under Settings.
 
Step 5
 
In the Configuration settings, set the IPsec / IKE policy to “Custom”. We can now enter the IKE Phase 1 and IKE Phase 2 (IPsec) parameters.
 
Click here to learn more details about supported cryptographic algorithms and key strengths.
 
Step 6
 
Now we are going to enter the parameters for IKE Phase 1 and IKE Phase 2 (IPsec). In this demo, we are going to enter the parameters below.
  1. IKE Phase 1
    1. Encryption – AES256
    2. Integrity/PRF – SHA256
    3. DH Group – DHGroup2
  2. IKE Phase 2 (IPsec)
    1. IPsec Encryption – AES256
    2. IPsec Integrity – SHA256
    3. PFS Group – PFS2
  3. IPsec SA lifetime in KiloBytes – 102400000
  4. IPsec SA lifetime in seconds – 28800

Step 7
 
After entering the parameters, click “Save”.
 
Note
Policy-based Traffic Selectors are not supported in Azure Stack Hub.
 
Important
 
Once the IPsec/IKE policy is applied to the connection, the Azure VPN gateway will only send or accept IPsec/IKE proposals with the specified cryptographic algorithms and key strengths on that particular connection. Make sure your on-premises VPN device for the connection uses or accepts the exact policy combination; otherwise the S2S VPN tunnel will not establish.
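
Because a single differing value prevents the tunnel from establishing, it helps to read the saved policy back and diff it against the Step 6 values, which are the same values the on-premises device must offer. The following is an added example, not code from the original article: the helper name `Compare-IpsecPolicy`, the sample object and the `<resource-group>` placeholder are assumptions, and the property names are those of the policy object returned by the Az.Network module.

```powershell
# Added example. Values below are the ones entered in Step 6.
$expected = [ordered]@{
    IkeEncryption       = 'AES256'
    IkeIntegrity        = 'SHA256'
    DhGroup             = 'DHGroup2'
    IpsecEncryption     = 'AES256'
    IpsecIntegrity      = 'SHA256'
    PfsGroup            = 'PFS2'
    SADataSizeKilobytes = 102400000
    SALifeTimeSeconds   = 28800
}

# Hypothetical helper: returns one row per setting that differs.
function Compare-IpsecPolicy {
    param(
        [Parameter(Mandatory)] [AllowNull()] $Actual,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected
    )
    if ($null -eq $Actual) {
        # No custom policy on the connection: the gateway is using its default proposals.
        return [pscustomobject]@{ Setting = 'IpsecPolicies'; Expected = 'Custom'; Actual = 'none (Default)' }
    }
    foreach ($name in $Expected.Keys) {
        $have = $Actual.$name
        if ("$have" -ne "$($Expected[$name])") {
            [pscustomobject]@{ Setting = $name; Expected = $Expected[$name]; Actual = $have }
        }
    }
}

# Constructed sample standing in for a read-back policy; PfsGroup differs on purpose.
$sample = [pscustomobject]@{
    IkeEncryption = 'AES256'; IkeIntegrity = 'SHA256'; DhGroup = 'DHGroup2'
    IpsecEncryption = 'AES256'; IpsecIntegrity = 'SHA256'; PfsGroup = 'None'
    SADataSizeKilobytes = 102400000; SALifeTimeSeconds = 28800
}

$diff = @(Compare-IpsecPolicy -Actual $sample -Expected $expected)
if ($diff.Count -eq 0) { 'Policy matches Step 6 values.' } else { $diff | Format-Table -AutoSize }

# Against the live connection (needs Az.Network and a signed-in session;
# '<resource-group>' is a placeholder):
# $conn = Get-AzVirtualNetworkGatewayConnection -Name 'Site2-to-Site1' -ResourceGroupName '<resource-group>'
# Compare-IpsecPolicy -Actual ($conn.IpsecPolicies | Select-Object -First 1) -Expected $expected
```

An empty result means the saved policy equals the Step 6 values; any row names the setting to correct on the Azure connection or on the on-premises device.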
 

Summary

 
In this article, we have learned how to upgrade the VPN Connection parameters using the Azure Portal. In our previous article we learned to upgrade the VPN Connection parameters using the PowerShell commands. If you have any questions feel free to contact me.