Azure Site-to-Site VPN: required device configuration parameters

Whether you select IKEv1 or IKEv2, the following settings need to be configurable on the on-premises device with the values listed below:

Methods of Encryption and Integrity

Two parameters are negotiated for each phase:

  • Encryption algorithm
  • Hash algorithm

Encryption

  IKE Phase 1 (IKE SA):
    • AES-128
    • AES-256 (Required)
    • 3DES
    • DES
    • CAST (IKEv1 only)

  IKE Phase 2 (IPSec SA):
    • AES-128
    • AES-256 (Required)
    • 3DES
    • DES
    • DES-40CP (IKEv1 only)
    • CAST (IKEv1 only)
    • CAST-40 (IKEv1 only)
    • NULL
    • AES-GCM-128
    • AES-GCM-256

Integrity

  IKE Phase 1 (IKE SA):
    • MD5
    • SHA1
    • SHA-256 (Required)
    • AES-XCBC
    • SHA-384

  IKE Phase 2 (IPSec SA):
    • MD5
    • SHA1
    • SHA-256 (Required)
    • AES-XCBC
    • SHA-384

 

Diffie Hellman Groups

The Diffie-Hellman key computation (also known as exponential key agreement) is based on the Diffie-Hellman (DH) mathematical groups. The Security Gateway supports the following DH groups during the two phases of IKE.

Diffie Hellman Groups

  IKE Phase 1 (IKE SA):
    • Group2 (1024 bits) (Required)
    • Group1 (768 bits)
    • Group5 (1536 bits)
    • Group14 (2048 bits)
    • Group19 (256-bit ECP)
    • Group20 (384-bit ECP)

  IKE Phase 2 (IPSec SA):
    • Group2 (1024 bits) (Required)
    • Group1 (768 bits)
    • Group5 (1536 bits)
    • Group14 (2048 bits)
    • Group19 (256-bit ECP)
    • Group20 (384-bit ECP)

 

Other required settings:

  • Main mode is required (not aggressive mode).
  • Perfect Forward Secrecy (PFS) is disabled.
  • ESP (Encapsulating Security Payload) is required, not AH (Authentication Header).
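As an added example (not code from this page, Azure, or Check Point), the check below maps a device's IKE (Phase 1) and ESP (Phase 2) proposal strings, written with strongSwan-style keywords, onto the table above and reports anything that would keep the Required values or the PFS-disabled setting from lining up. The keyword-to-table mapping is an assumption and covers only the algorithms the page lists.

```python
"""Added example (not Azure or Check Point code): check a device's IKE (Phase 1) and
ESP (Phase 2) proposals against the Azure Site-to-Site table above. Proposals use
strongSwan-style keywords; the keyword-to-table mapping below is an assumption."""
from typing import List, Set, Tuple

# strongSwan-style keyword -> algorithm as named in the table (assumed mapping)
KEYWORDS = {
    "aes128": "AES-128", "aes256": "AES-256", "3des": "3DES", "des": "DES", "null": "NULL",
    "aes128gcm16": "AES-GCM-128", "aes256gcm16": "AES-GCM-256",
    "md5": "MD5", "sha1": "SHA1", "sha256": "SHA-256", "sha384": "SHA-384", "aesxcbc": "AES-XCBC",
    "modp768": "Group1", "modp1024": "Group2", "modp1536": "Group5",
    "modp2048": "Group14", "ecp256": "Group19", "ecp384": "Group20",
}
# Values Azure accepts per phase (from the table); NULL and AES-GCM are Phase 2 only.
PHASE1_OK = set(KEYWORDS.values()) - {"NULL", "AES-GCM-128", "AES-GCM-256"}
PHASE2_OK = set(KEYWORDS.values())
# Values the table marks (Required): the device must be able to offer them.
PHASE1_REQUIRED = {"AES-256", "SHA-256", "Group2"}
PHASE2_REQUIRED = {"AES-256", "SHA-256"}


def _resolve(proposal: str, phase_ok: Set[str], phase: str) -> Tuple[Set[str], List[str]]:
    """Map 'aes256-sha256-modp1024,aes128-sha1-modp1024' to table values; flag the rest."""
    values, findings = set(), []
    for token in proposal.lower().replace(",", "-").split("-"):
        value = KEYWORDS.get(token)
        if value is None or value not in phase_ok:
            findings.append(f"{phase}: '{token}' is not in the Azure table")
        else:
            values.add(value)
    return values, findings


def check_proposals(ike_proposal: str, esp_proposal: str) -> List[str]:
    """Return findings; an empty list means the device offers everything Azure requires."""
    ike_values, findings = _resolve(ike_proposal, PHASE1_OK, "Phase 1")
    esp_values, esp_findings = _resolve(esp_proposal, PHASE2_OK, "Phase 2")
    findings += esp_findings
    findings += [f"Phase 1 lacks required {v}" for v in sorted(PHASE1_REQUIRED - ike_values)]
    findings += [f"Phase 2 lacks required {v}" for v in sorted(PHASE2_REQUIRED - esp_values)]
    # A DH group in the ESP proposal turns PFS on; the page says PFS is disabled.
    if any(v.startswith("Group") for v in esp_values):
        findings.append("Phase 2 offers a DH group (PFS enabled); Azure expects PFS disabled")
    return findings


if __name__ == "__main__":
    # Constructed inputs: a compatible pair, then a pair with PFS on and required Phase 1 values missing.
    print(check_proposals("aes256-sha256-modp1024", "aes256-sha256"))          # -> []
    print(check_proposals("aes128-sha1-modp2048", "aes256-sha256-modp1024"))
```

The check does not cover main mode or ESP-versus-AH, which are selected outside the proposal string on most devices.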


Ref: https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/13847.htm