Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.1.3. IPsec/IKE Configuration

IPsec VPN uses two phases: IKE (key exchange) and IPsec (data encryption). Understanding these helps you troubleshoot connection failures and meet compliance requirements.

IKE/IPsec Tunnel Establishment:
IKE Phase 1 (Main Mode):
  • Authenticates the peers (pre-shared key or certificate)
  • Negotiates encryption (AES-256, AES-128, etc.)
  • Negotiates integrity (SHA-256, SHA-1, etc.)
  • Establishes Diffie-Hellman group for key exchange
IKE Phase 2 (Quick Mode):
  • Negotiates IPsec encryption and integrity
  • Establishes security associations (SAs)
  • Defines traffic selectors (what traffic to encrypt)

Custom IPsec/IKE Policies: Azure defaults work for most scenarios, but compliance may require specific algorithms:

# Example: High-security custom policy
IKE Phase 1: AES256, SHA384, DHGroup24
IKE Phase 2: GCMAES256, PFS24
SA Lifetime: 28800 seconds (8 hours)

Connection troubleshooting checklist:
  1. Pre-shared keys match exactly (case-sensitive!)
  2. Traffic selectors align (on-premises and Azure agree on subnets)
  3. IKE/IPsec proposals overlap (at least one common algorithm)
  4. On-premises firewall allows UDP 500, 4500 and ESP (protocol 50)

⚠️ Exam Trap: If a VPN connection shows "Connected" in Azure but traffic doesn't flow, check traffic selectors. Azure's local network gateway prefixes must match what the on-premises device expects.
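To make checklist items 2 and 3 and the exam trap concrete, here is an added Python example (not part of the course material) that compares the custom policy above with an on-premises device's proposals and traffic selectors; the on-premises proposals and all subnet prefixes are constructed, hypothetical values.

```python
from ipaddress import ip_network

# Constructed sample: the Azure side uses the custom policy from the page; the
# on-premises side is a hypothetical device offering two IKE proposals.
AZURE_POLICY = {
    "ike": {"encryption": "AES256", "integrity": "SHA384", "dh_group": "DHGroup24"},
    "ipsec": {"encryption": "GCMAES256", "integrity": "GCMAES256", "pfs": "PFS24"},
    "sa_lifetime_seconds": 28800,
}
AZURE_LOCAL_NETWORK_PREFIXES = ["10.10.0.0/16", "10.20.0.0/24"]  # local network gateway
ONPREM_PROPOSALS = {
    "ike": [
        {"encryption": "AES128", "integrity": "SHA256", "dh_group": "DHGroup14"},
        {"encryption": "AES256", "integrity": "SHA384", "dh_group": "DHGroup24"},
    ],
    "ipsec": [{"encryption": "GCMAES256", "integrity": "GCMAES256", "pfs": "PFS24"}],
}
ONPREM_LOCAL_SUBNETS = ["10.10.0.0/16", "10.20.0.0/23"]  # device selectors, one bit off

def phase_overlap(azure_proposal, peer_proposals):
    """Checklist item 3: a custom Azure policy is a single proposal, so the
    peer must offer one whose algorithms all match it."""
    return any(all(p.get(k) == v for k, v in azure_proposal.items())
               for p in peer_proposals)

def selector_mismatch(azure_prefixes, onprem_subnets):
    """Checklist item 2 / exam trap: selectors must be identical prefixes,
    not merely overlapping ranges. Returns the prefixes only one side has."""
    azure = {ip_network(p) for p in azure_prefixes}
    onprem = {ip_network(p) for p in onprem_subnets}
    return sorted(str(n) for n in azure ^ onprem)

def check_connection(policy, proposals, azure_prefixes, onprem_subnets):
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    if not phase_overlap(policy["ike"], proposals["ike"]):
        findings.append("IKE Phase 1: no common proposal (encryption/integrity/DH group)")
    if not phase_overlap(policy["ipsec"], proposals["ipsec"]):
        findings.append("IKE Phase 2: no common proposal (encryption/integrity/PFS)")
    enc, integ = policy["ipsec"]["encryption"], policy["ipsec"]["integrity"]
    if enc.startswith("GCMAES") and integ != enc:
        findings.append("IKE Phase 2: Azure requires the same GCMAES algorithm for integrity")
    mismatched = selector_mismatch(azure_prefixes, onprem_subnets)
    if mismatched:
        findings.append("traffic selectors differ: " + ", ".join(mismatched))
    return findings
```

With the constructed values both phases negotiate, so the tunnel would show "Connected", yet the /23 versus /24 selector mismatch is what stops traffic from flowing.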

Written by Alvin Varughese, Founder, 15 professional certifications