Create a Route Based Azure VPN with Custom IPsec Parameters

Using the Azure CLI

Posted by Ryan McDonald on January 07, 2020 · 5 mins read


I recently set up a VPN to a customer network that needed custom IPsec parameters. Below are the Azure CLI commands used to create the infrastructure.

The workflow for the commands is as follows:

  1. Create a virtual network and a VPN gateway
  2. Create a local network gateway for the cross-premises connection
  3. Create a connection (IPsec) with the standard IPsec/IKE policy
  4. Add an IPsec/IKE policy with selected algorithms and parameters
  5. View/remove an IPsec/IKE policy for an existing connection

Getting into the Code

For our customers, we use a three-letter abbreviation (TLA) to identify the customer. In the example below, a variable sets the TLA that is used in the naming for the resources. I’ve also included the commands to create a VNet for testing in a sandbox environment.

#set subscription - change to your subscription name
az account set --subscription "Visual Studio Enterprise"

#set TLA variable - change abc to the customer's three-letter abbreviation (abc is only a placeholder)
tla=abc
#create resource group
az group create --location northcentralus -n rg-$tla

#create vnet - change network ranges as required (the ranges below are placeholders; GatewaySubnet should be at least a /27)
az network vnet create -g rg-$tla -n prd-$tla --address-prefix 10.10.0.0/16
az network vnet subnet create -g rg-$tla --vnet-name prd-$tla -n admin --address-prefix 10.10.1.0/24
az network vnet subnet create -g rg-$tla --vnet-name prd-$tla -n GatewaySubnet --address-prefix 10.10.255.0/27

#create nsg
az network nsg create --name prd-$tla-admin-nsg --resource-group rg-$tla

#associate nsg to subnet
az network vnet subnet update --vnet-name prd-$tla --name admin --resource-group rg-$tla --network-security-group prd-$tla-admin-nsg

#pip for vpn gateway
az network public-ip create --name prd-$tla-vpn-pip --resource-group rg-$tla --allocation-method Dynamic

#create vpn gateway
az network vnet-gateway create --name prd-$tla-gw --public-ip-address prd-$tla-vpn-pip --resource-group rg-$tla --vnet prd-$tla --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --no-wait

#create local gateway - change the ip address to the remote VPN gateway's public ip and the local address prefixes that are being protected (values below are placeholders)
az network local-gateway create -g rg-$tla -n prd-$tla-lgw --gateway-ip-address 203.0.113.10 --local-address-prefixes 192.168.0.0/24

#create connection - change the shared secret key
az network vpn-connection create -g rg-$tla -n prd-$tla-vpn --vnet-gateway1 prd-$tla-gw --local-gateway2 prd-$tla-lgw  --shared-key changethiskey

At this point, you have all the required resources in place to configure the custom IPsec policy.


Custom IPsec Configuration

For reference, the default IPsec/IKE parameters for Azure connections are as follows:

  • IKE version: IKEv2
    • Encryption algorithm: aes-cbc-256
    • Integrity algorithm: sha1
    • Diffie-Hellman group: 2
    • SA lifetime (seconds): 3600
    • Pre-shared key:
    • UsePolicyBasedTS: False
  • IPsec
    • Encryption algorithm: esp-gcm 256
    • Integrity algorithm:
    • PFS Group: none
    • SA lifetime (seconds): 3600

You can download the configuration from the Connection in Azure.

Configuration Download

To create the custom policy, use the following command:

#create custom ipsec policy - change as required
az network vpn-connection ipsec-policy add -g rg-$tla --connection-name prd-$tla-vpn \
    --dh-group DHGroup14 --ike-encryption AES256 --ike-integrity SHA256 --ipsec-encryption GCMAES256 \
    --ipsec-integrity GCMAES256 --pfs-group PFS14 --sa-lifetime 3600 --sa-max-size 1024

This example creates a custom connection with the Diffie-Hellman group set to 14 and the IKE integrity algorithm set to SHA256.

The Azure documentation has a full list of supported cryptographic algorithms and key strengths.
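As an added example (not code from the original post), the POSIX sh function below pre-checks the values you intend to pass to az network vpn-connection ipsec-policy add against a minimum baseline before the policy is applied. The function name and the baseline are my own; the argument values are the enum names the Azure CLI accepts, and the numeric limits follow Azure's documented SA lifetime range (300 to 172799 seconds) and minimum SA data size (1024 KB).

```shell
#!/bin/sh
# check_ipsec_policy DH IKE_ENC IKE_INT IPSEC_ENC IPSEC_INT PFS SA_LIFETIME SA_MAX_SIZE
# Hypothetical helper: arguments use the enum names that
# "az network vpn-connection ipsec-policy add" takes (DHGroup14, AES256, ...).
# Prints one line per violation and returns 1 if any was found, 0 otherwise.
check_ipsec_policy() {
  p_dh=$1 p_ike_enc=$2 p_ike_int=$3 p_ipsec_enc=$4 p_ipsec_int=$5 p_pfs=$6 p_life=$7 p_size=$8
  p_rc=0
  # The Azure default (DHGroup2, 1024-bit MODP) and group 1 are below a current baseline.
  case "$p_dh" in DHGroup1|DHGroup2|None) echo "weak DH group: $p_dh"; p_rc=1 ;; esac
  # The default IPsec policy has no PFS; require a fresh exchange of at least 2048 bits.
  case "$p_pfs" in None|PFS1|PFS2|PFSMM) echo "PFS missing or weak: $p_pfs"; p_rc=1 ;; esac
  case "$p_ike_enc" in DES|DES3) echo "weak IKE encryption: $p_ike_enc"; p_rc=1 ;; esac
  # SHA1 is the default IKE integrity algorithm; the post replaces it with SHA256.
  case "$p_ike_int" in MD5|SHA1) echo "weak IKE integrity: $p_ike_int"; p_rc=1 ;; esac
  case "$p_ipsec_enc" in None|DES|DES3) echo "weak IPsec encryption: $p_ipsec_enc"; p_rc=1 ;; esac
  case "$p_ipsec_int" in MD5|SHA1) echo "weak IPsec integrity: $p_ipsec_int"; p_rc=1 ;; esac
  # Azure requires the same GCMAES algorithm and key length for IPsec encryption and integrity.
  case "$p_ipsec_enc" in GCMAES*)
    [ "$p_ipsec_enc" = "$p_ipsec_int" ] || { echo "GCMAES integrity must match encryption"; p_rc=1; } ;;
  esac
  # Azure accepts SA lifetimes of 300-172799 seconds and SA data sizes of at least 1024 KB.
  if [ "$p_life" -lt 300 ] || [ "$p_life" -gt 172799 ]; then
    echo "SA lifetime out of range: $p_life"; p_rc=1
  fi
  if [ "$p_size" -lt 1024 ]; then echo "SA max size below 1024 KB: $p_size"; p_rc=1; fi
  return $p_rc
}

# Demo: the post's custom policy passes; the Azure defaults (in CLI enum names) are rejected.
if check_ipsec_policy DHGroup14 AES256 SHA256 GCMAES256 GCMAES256 PFS14 3600 1024; then
  echo "custom policy: OK"
fi
if ! check_ipsec_policy DHGroup2 AES256 SHA1 GCMAES256 GCMAES256 None 3600 1024; then
  echo "default policy: rejected"
fi
```

Run the check with the same eight values you are about to put on the ipsec-policy add command line; a non-zero exit means at least one parameter falls below the baseline.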

To view the current IPsec policy, run the following command:

#vpn ipsec list
az network vpn-connection ipsec-policy list -g rg-$tla --connection-name prd-$tla-vpn

Policy List output

To clear the IPsec policy and reset it back to default, run the following command:

#clear custom ipsec policy
az network vpn-connection ipsec-policy clear -g rg-$tla --connection-name prd-$tla-vpn

Wrapping Up

As you can see from the commands, it’s pretty straightforward to configure a custom IPsec policy. The CLI commands make quick work of configuring the infrastructure and IPsec policy.

Click here to download all of the commands in one AZCLI file.


Photo by Sander Weeteling on Unsplash.