Environment
Microsoft's Dynamic Routing only requires you to have IP address ranges for each of the local
network sites that you'll be connecting to Azure. It is a route-based VPN connection that uses IP
address ranges defined on both gateways and IKEv2 to automatically negotiate the supported
routing prefixes. This is known as traffic selector negotiation under the IKEv2 RFC, and PAN-OS
uses Proxy IDs to configure the IP address ranges.
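The following sketch is an added example, not part of the original document or of any vendor tooling. It models the traffic selector narrowing that RFC 7296 permits a responder to perform, to show how Proxy IDs that do not overlap the peer's ranges leave no selector for the Child SA. It assumes selectors are CIDR blocks with no protocol or port fields, and all address ranges and function names are constructed for illustration.

```python
import ipaddress

def _overlap(a, b):
    """Intersection of two CIDR blocks (CIDR blocks either nest or are disjoint)."""
    if a.version != b.version:
        return None
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None

def narrow(proposed, policy):
    """Responder side: keep the part of each proposed selector that local policy allows."""
    kept = []
    for p in proposed:
        for q in policy:
            hit = _overlap(ipaddress.ip_network(p), ipaddress.ip_network(q))
            if hit is not None and hit not in kept:
                kept.append(hit)
    return [str(n) for n in kept]

def negotiate(init_local, init_remote, resp_local, resp_remote):
    """Return (TSi, TSr) for the Child SA, or None where IKEv2 would send TS_UNACCEPTABLE."""
    tsi = narrow(init_local, resp_remote)   # initiator's networks vs. responder's "remote" Proxy IDs
    tsr = narrow(init_remote, resp_local)   # responder's networks vs. its "local" Proxy IDs
    if not tsi or not tsr:
        return None
    return tsi, tsr

# Constructed sample ranges (assumptions, not values from the original document).
AZURE_VNET = ["10.1.0.0/16"]
ONPREM = ["192.168.0.0/24", "192.168.10.0/24"]

if __name__ == "__main__":
    # Proxy IDs mirror the Azure side: the full ranges are agreed.
    print(negotiate(AZURE_VNET, ONPREM, ONPREM, AZURE_VNET))
    # Remote Proxy ID covers only part of the VNet: the selector is narrowed.
    print(negotiate(AZURE_VNET, ONPREM, ONPREM, ["10.1.2.0/24"]))
    # Remote Proxy ID points at the wrong range: nothing is acceptable.
    print(negotiate(AZURE_VNET, ONPREM, ONPREM, ["10.2.0.0/16"]))
```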
Generated on 2015-06-23-07:00
Configuring IKEv2 for Microsoft Azure Environment
For the PAN-OS IKEv2 Crypto Profile, you must select a combination of Microsoft Azure supported
crypto parameters as stated in Microsoft's IPSec Parameters (see first reference link above). Our
example used the following IKE, IPSec, and crypto profile parameters. Note: Public IP addresses
were changed for the purpose of this example.
By default, Microsoft disables PFS support. To enable perfect forward secrecy, manually enable
it on the tunnel with the Microsoft PowerShell cmdlet:
Set-AzureVNetGatewayIPsecParameters -VNetName VnetNameHere -LocalNetworkSiteName OnPremNetworkNameHere -pfsGroup 1
If you enable PFS, you should select DH Group 1 on the PAN-OS firewall's tunnel crypto profile
so that the PFS group matches on both ends of the tunnel.
You can also filter the system log on the vpn type to see the IKE negotiation messages. For
Microsoft Azure's VPN connection status, please refer to the Microsoft references stated above.