A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This article applies to the Resource Manager deployment model and talks about ways to overcome the 128 concurrent connection limit of SSTP by transitioning to OpenVPN protocol or IKEv2.
What protocol does P2S use?
A client implementation of Secure Socket Tunneling Protocol (SSTP) for Linux / Mac OS-X that allows remote access via SSTP VPN to Microsoft Windows 2008 Server. Jan 31, 2019 Whether it's for work or personal use, you can connect to a virtual private network (VPN) on your Windows 10 PC. A VPN connection can help provide a more secure connection to your company's network and the internet, for example, if you’re working from a coffee shop or similar public place. Mar 03, 2015 iSSTP - a SSTP Client for Mac OSX. This is a sstp GUI client for Mac, use a modified sstp-client as backend which support server-name TLS extension. Some servers(ex:.vpnazure.net) require server-name, otherwise the sstp connection will be rejected. Sep 26, 2017 P2S VPN for Macs and AD Domain authentication for P2S VPN is now generally available through Azure Networking. Customers will be able to connect to Azure Virtual Networks over P2S VPN from their Mac machines using the native IKEv2 VPN client. What is SSTP? Secure Socket Tunneling Protocol (SSTP) is a secure protocol used in VPN tunneling. The protocol, though owned by Microsoft, is available to both Linux and Mac users. SSTP uses SSL/TLS (Secure Socket Layer/Transport Layer Security) channel over TCP 443 port. Jan 31, 2019 Whether it's for work or personal use, you can connect to a virtual private network (VPN) on your Windows 10 PC. A VPN connection can help provide a more secure connection to your company's network and the internet, for example, if you’re working from a coffee shop or similar public place.
Point-to-site VPN can use one of the following protocols:
OpenVPN® Protocol, an SSL/TLS based VPN protocol. An SSL VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which SSL uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux and Mac devices (OSX versions 10.13 and above).
Secure Socket Tunneling Protocol (SSTP), a proprietary SSL-based VPN protocol. An SSL VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which SSL uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP (Windows 7 and later). SSTP supports up to 128 concurrent connections only regardless of the gateway SKU.
IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (OSX versions 10.11 and above).
Note
IKEv2 and OpenVPN for P2S are available for the Resource Manager deployment model only. They are not available for the classic deployment model. Basic gateway SKU does not support IKEv2 or OpenVPN protocols. If you are using the basic SKU, you will have to delete and recreate a production SKU Virtual Network Gateway.
Migrating from SSTP to IKEv2 or OpenVPN
There may be cases when you want to support more than 128 concurrent P2S connection to a VPN gateway but are using SSTP. In such a case, you need to move to IKEv2 or OpenVPN protocol.
Option 1 - Add IKEv2 in addition to SSTP on the Gateway
This is the simplest option. SSTP and IKEv2 can coexist on the same gateway and give you a higher number of concurrent connections. You can simply enable IKEv2 on the existing gateway and redownload the client.
Adding IKEv2 to an existing SSTP VPN gateway will not affect existing clients and you can configure them to use IKEv2 in small batches or just configure the new clients to use IKEv2. If a Windows client is configured for both SSTP and IKEv2, it will try to connect using IKEV2 first and if that fails, it will fall back to SSTP.
IKEv2 uses non-standard UDP ports so you need to ensure that these ports are not blocked on the user's firewall. The ports in use are UDP 500 and 4500.
To add IKEv2 to an existing gateway, simply go to the 'point-to-site configuration' tab under the Virtual Network Gateway in portal, and select IKEv2 and SSTP (SSL) from the drop-down box.
Option 2 - Remove SSTP and enable OpenVPN on the Gateway
Since SSTP and OpenVPN are both TLS-based protocol, they cannot coexist on the same gateway. If you decide to move away from SSTP to OpenVPN, you will have to disable SSTP and enable OpenVPN on the gateway. This operation will cause the existing clients to lose connectivity to the VPN gateway until the new profile has been configured on the client.
You can enable OpenVPN along side with IKEv2 if you desire. OpenVPN is TLS-based and uses the standard TCP 443 port. To switch to OpenVPN, go to the 'point-to-site configuration' tab under the Virtual Network Gateway in portal, and select OpenVPN (SSL) or IKEv2 and OpenVPN (SSL) from the drop-down box.
Once the gateway has been configured, existing clients will not be able to connect until you deploy and configure the OpenVPN Clients.
If you are using Windows 10, you can also use the Azure VPN Client for Windows
Frequently asked questions
What are the client configuration requirements?
Note
For Windows clients, you must have administrator rights on the client device in order to initiate the VPN connection from the client device to Azure.
Users use the native VPN clients on Windows and Mac devices for P2S. Azure provides a VPN client configuration zip file that contains settings required by these native clients to connect to Azure.
- For Windows devices, the VPN client configuration consists of an installer package that users install on their devices.
- For Mac devices, it consists of the mobileconfig file that users install on their devices.
The zip file also provides the values of some of the important settings on the Azure side that you can use to create your own profile for these devices. Some of the values include the VPN gateway address, configured tunnel types, routes, and the root certificate for gateway validation.
Note
Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. Only point-to-site connections are impacted; site-to-site connections will not be affected. If you’re using TLS for point-to-site VPNs on Windows 10 clients, you don’t need to take any action. If you are using TLS for point-to-site connections on Windows 7 and Windows 8 clients, see the VPN Gateway FAQ for update instructions.
Which gateway SKUs support P2S VPN?
VPN Gateway Generation | SKU | S2S/VNet-to-VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP | Zone-redundant |
---|---|---|---|---|---|---|---|
Generation1 | Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps | Not Supported | No |
Generation1 | VpnGw1 | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | No |
Generation1 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | No |
Generation1 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | No |
Generation1 | VpnGw1AZ | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | Yes |
Generation1 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | Yes |
Generation1 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | Yes |
Generation2 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1.25 Gbps | Supported | No |
Generation2 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | No |
Generation2 | VpnGw4 | Max. 30* | Max. 128 | Max. 5000 | 5 Gbps | Supported | No |
Generation2 | VpnGw5 | Max. 30* | Max. 128 | Max. 10000 | 10 Gbps | Supported | No |
Generation2 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1.25 Gbps | Supported | Yes |
Generation2 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | Yes |
Generation2 | VpnGw4AZ | Max. 30* | Max. 128 | Max. 5000 | 5 Gbps | Supported | Yes |
Generation2 | VpnGw5AZ | Max. 30* | Max. 128 | Max. 10000 | 10 Gbps | Supported | Yes |
(*) Use Virtual WAN if you need more than 30 S2S VPN tunnels.
Microsoft Sstp Vpn
The resizing of VpnGw SKUs is allowed within the same generation, except resizing of the Basic SKU. The Basic SKU is a legacy SKU and has feature limitations. In order to move from Basic to another VpnGw SKU, you must delete the Basic SKU VPN gateway and create a new gateway with the desired Generation and SKU size combination.
These connection limits are separate. For example, you can have 128 SSTP connections and also 250 IKEv2 connections on a VpnGw1 SKU.
Pricing information can be found on the Pricing page.
SLA (Service Level Agreement) information can be found on the SLA page.
On a single tunnel a maximum of 1 Gbps throughput can be achieved. Aggregate Throughput Benchmark in the above table is based on measurements of multiple tunnels aggregated through a single gateway. The Aggregate Throughput Benchmark for a VPN Gateway is S2S + P2S combined. If you have a lot of P2S connections, it can negatively impact a S2S connection due to throughput limitations. The Aggregate Throughput Benchmark is not a guaranteed throughput due to Internet traffic conditions and your application behaviors.
To help our customers understand the relative performance of SKUs using different algorithms, we used publicly available iPerf and CTSTraffic tools to measure performances. The table below lists the results of performance tests for Generation 1, VpnGw SKUs. As you can see, the best performance is obtained when we used GCMAES256 algorithm for both IPsec Encryption and Integrity. We got average performance when using AES256 for IPsec Encryption and SHA256 for Integrity. When we used DES3 for IPsec Encryption and SHA256 for Integrity we got lowest performance.
Generation | SKU | Algorithms used | Throughput observed | Packets per second observed |
---|---|---|---|---|
Generation1 | VpnGw1 | GCMAES256 AES256 & SHA256 DES3 & SHA256 | 650 Mbps 500 Mbps 120 Mbps | 58,000 50,000 50,000 |
Generation1 | VpnGw2 | GCMAES256 AES256 & SHA256 DES3 & SHA256 | 1 Gbps 500 Mbps 120 Mbps | 90,000 80,000 55,000 |
Generation1 | VpnGw3 | GCMAES256 AES256 & SHA256 DES3 & SHA256 | 1.25 Gbps 550 Mbps 120 Mbps | 105,000 90,000 60,000 |
Generation1 | VpnGw1AZ | GCMAES256 AES256 & SHA256 DES3 & SHA256 | 650 Mbps 500 Mbps 120 Mbps | 58,000 50,000 50,000 |
Generation1 | VpnGw2AZ | GCMAES256 AES256 & SHA256 DES3 & SHA256 | 1 Gbps 500 Mbps 120 Mbps | 90,000 80,000 55,000 |
Generation1 | VpnGw3AZ | GCMAES256 AES256 & SHA256 DES3 & SHA256 | 1.25 Gbps 550 Mbps 120 Mbps | 105,000 90,000 60,000 |
- For Gateway SKU recommendations, see About VPN Gateway settings.
Note
The Basic SKU does not support IKEv2 or RADIUS authentication.
What IKE/IPsec policies are configured on VPN gateways for P2S?
IKEv2
Cipher | Integrity | PRF | DH Group |
---|---|---|---|
GCM_AES256 | GCM_AES256 | SHA384 | GROUP_24 |
GCM_AES256 | GCM_AES256 | SHA384 | GROUP_14 |
GCM_AES256 | GCM_AES256 | SHA384 | GROUP_ECP384 |
GCM_AES256 | GCM_AES256 | SHA384 | GROUP_ECP256 |
GCM_AES256 | GCM_AES256 | SHA256 | GROUP_24 |
GCM_AES256 | GCM_AES256 | SHA256 | GROUP_14 |
GCM_AES256 | GCM_AES256 | SHA256 | GROUP_ECP384 |
GCM_AES256 | GCM_AES256 | SHA256 | GROUP_ECP256 |
AES256 | SHA384 | SHA384 | GROUP_24 |
AES256 | SHA384 | SHA384 | GROUP_14 |
AES256 | SHA384 | SHA384 | GROUP_ECP384 |
AES256 | SHA384 | SHA384 | GROUP_ECP256 |
AES256 | SHA256 | SHA256 | GROUP_24 |
AES256 | SHA256 | SHA256 | GROUP_14 |
AES256 | SHA256 | SHA256 | GROUP_ECP384 |
AES256 | SHA256 | SHA256 | GROUP_ECP256 |
AES256 | SHA256 | SHA256 | GROUP_2 |
IPsec
Cipher | Integrity | PFS Group |
---|---|---|
GCM_AES256 | GCM_AES256 | GROUP_NONE |
GCM_AES256 | GCM_AES256 | GROUP_24 |
GCM_AES256 | GCM_AES256 | GROUP_14 |
GCM_AES256 | GCM_AES256 | GROUP_ECP384 |
GCM_AES256 | GCM_AES256 | GROUP_ECP256 |
AES256 | SHA256 | GROUP_NONE |
AES256 | SHA256 | GROUP_24 |
AES256 | SHA256 | GROUP_14 |
AES256 | SHA256 | GROUP_ECP384 |
AES256 | SHA256 | GROUP_ECP256 |
AES256 | SHA1 | GROUP_NONE |
What TLS policies are configured on VPN gateways for P2S?
TLS
Policies |
---|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
TLS_RSA_WITH_AES_128_GCM_SHA256 |
TLS_RSA_WITH_AES_256_GCM_SHA384 |
TLS_RSA_WITH_AES_128_CBC_SHA256 |
TLS_RSA_WITH_AES_256_CBC_SHA256 |
Mac Sstp Vpn Client
How do I configure a P2S connection?
A P2S configuration requires quite a few specific steps. The following articles contain the steps to walk you through P2S configuration, and links to configure the VPN client devices:
Next steps
'OpenVPN' is a trademark of OpenVPN Inc.
-->VPN client configuration files are contained in a zip file. Configuration files provide the settings required for a native Windows, Mac IKEv2 VPN, or Linux clients to connect to a virtual network over Point-to-Site connections that use native Azure certificate authentication.
Client configuration files are specific to the VPN configuration for the virtual network. If there are any changes to the Point-to-Site VPN configuration after you generate the VPN client configuration files, such as the VPN protocol type or authentication type, be sure to generate new VPN client configuration files for your user devices.
- For more information about Point-to-Site connections, see About Point-to-Site VPN.
- For OpenVPN instructions, see Configure OpenVPN for P2S and Configure OpenVPN clients.
Important
Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. Only point-to-site connections are impacted; site-to-site connections will not be affected. If you’re using TLS for point-to-site VPNs on Windows 10 clients, you don’t need to take any action. If you are using TLS for point-to-site connections on Windows 7 and Windows 8 clients, see the VPN Gateway FAQ for update instructions.
Generate VPN client configuration files
Before you begin, make sure that all connecting users have a valid certificate installed on the user's device. For more information about installing a client certificate, see Install a client certificate.
You can generate client configuration files using PowerShell, or by using the Azure portal. Either method returns the same zip file. Unzip the file to view the following folders:
- WindowsAmd64 and WindowsX86, which contain the Windows 32-bit and 64-bit installer packages, respectively. The WindowsAmd64 installer package is for all supported 64-bit Windows clients, not just Amd.
- Generic, which contains general information used to create your own VPN client configuration. The Generic folder is provided if IKEv2 or SSTP+IKEv2 was configured on the gateway. If only SSTP is configured, then the Generic folder is not present.
Generate files using the Azure portal
In the Azure portal, navigate to the virtual network gateway for the virtual network that you want to connect to.
On the virtual network gateway page, click Point-to-site configuration.
At the top of the Point-to-site configuration page, click Download VPN client. It takes a few minutes for the client configuration package to generate.
Your browser indicates that a client configuration zip file is available. It is named the same name as your gateway. Unzip the file to view the folders.
Generate files using PowerShell
When generating VPN client configuration files, the value for '-AuthenticationMethod' is 'EapTls'. Generate the VPN client configuration files using the following command:
Copy the URL to your browser to download the zip file, then unzip the file to view the folders.
Windows
You can use the same VPN client configuration package on each Windows client computer, as long as the version matches the architecture for the client. For the list of client operating systems that are supported, see the Point-to-Site section of the VPN Gateway FAQ.
Sstp Vpn Iphone
Note
You must have Administrator rights on the Windows client computer from which you want to connect.
Use the following steps to configure the native Windows VPN client for certificate authentication:
Mar 19, 2020 Quit the remote desktop program on Mac and hold the option key. Now click on the Go menu to enable the library and select the user’s that. Now navigate into containers folder and copy com.microsoft.rdc.macos and com.microsoft.rdc.mac and paste it on a different location. Microsoft remote desktop 10 mac error code 0x4 7.
Sstp Client For Mac
- Select the VPN client configuration files that correspond to the architecture of the Windows computer. For a 64-bit processor architecture, choose the 'VpnClientSetupAmd64' installer package. For a 32-bit processor architecture, choose the 'VpnClientSetupX86' installer package.
- Double-click the package to install it. If you see a SmartScreen popup, click More info, then Run anyway.
- On the client computer, navigate to Network Settings and click VPN. The VPN connection shows the name of the virtual network that it connects to.
- Before you attempt to connect, verify that you have installed a client certificate on the client computer. A client certificate is required for authentication when using the native Azure certificate authentication type. For more information about generating certificates, see Generate Certificates. For information about how to install a client certificate, see Install a client certificate.
Mac (OS X)
You have to manually configure the native IKEv2 VPN client on every Mac that will connect to Azure. Azure does not provide mobileconfig file for native Azure certificate authentication. The Generic contains all of the information that you need for configuration. If you don't see the Generic folder in your download, it's likely that IKEv2 was not selected as a tunnel type. Note that the VPN gateway Basic SKU does not support IKEv2. Once IKEv2 is selected, generate the zip file again to retrieve the Generic folder.
The Generic folder contains the following files:
- VpnSettings.xml, which contains important settings like server address and tunnel type.
- VpnServerRoot.cer, which contains the root certificate required to validate the Azure VPN Gateway during P2S connection setup.
Use the following steps to configure the native VPN client on Mac for certificate authentication. You have to complete these steps on every Mac that will connect to Azure:
Import the VpnServerRoot root certificate to your Mac. This can be done by copying the file over to your Mac and double-clicking on it. Click Add to import.
Note
Double-clicking on the certificate may not display the Add dialog, but the certificate is installed in the correct store. You can check for the certificate in the login keychain under the certificates category.
Verify that you have installed a client certificate that was issued by the root certificate that you uploaded to Azure when you configured you P2S settings. This is different from the VPNServerRoot that you installed in the previous step. The client certificate is used for authentication and is required. For more information about generating certificates, see Generate Certificates. For information about how to install a client certificate, see Install a client certificate.
Open the Network dialog under Network Preferences and click '+' to create a new VPN client connection profile for a P2S connection to the Azure virtual network.
The Interface value is 'VPN' and VPN Type value is 'IKEv2'. Specify a name for the profile in the Service Name field, then click Create to create the VPN client connection profile.
In the Generic folder, from the VpnSettings.xml file, copy the VpnServer tag value. Paste this value in the Server Address and Remote ID fields of the profile.
Click Authentication Settings and select Certificate. For Catalina, click None and then certificate
- For Catalina, select None and then Certificate. Select the correct certificate:
Click Select… to choose the client certificate that you want to use for authentication. This is the certificate that you installed in Step 2.
Choose An Identity displays a list of certificates for you to choose from. Select the proper certificate, then click Continue.
In the Local ID field, specify the name of the certificate (from Step 6). In this example, it is 'ikev2Client.com'. Then, click Apply button to save the changes.
On the Network dialog, click Apply to save all changes. Then, click Connect to start the P2S connection to the Azure virtual network.
Linux (strongSwan GUI)
Install strongSwan
The following configuration was used for the steps below:
Free Vpn
Computer | Ubuntu Server 18.04 |
Dependencies | strongSwan |
Use the following commands to install the required strongSwan configuration:
Use the following command to install the Azure command-line interface:
Generate certificates
If you have not already generated certificates, use the following steps:
Generate the CA certificate.
Print the CA certificate in base64 format. This is the format that is supported by Azure. You upload this certificate to Azure as part of the P2S configuration steps.
Generate the user certificate.
Generate a p12 bundle containing the user certificate. This bundle will be used in the next steps when working with the client configuration files.
Install and configure
The following instructions were created on Ubuntu 18.0.4. Ubuntu 16.0.10 does not support strongSwan GUI. If you want to use Ubuntu 16.0.10, you will have to use the command line. The examples below may not match screens that you see, depending on your version of Linux and strongSwan.
Open the Terminal to install strongSwan and its Network Manager by running the command in the example.
Select Settings, then select Network.
Click the + button to create a new connection.
Select IPsec/IKEv2 (strongSwan) from the menu, and double-click. You can name your connection in this step.
Open the VpnSettings.xml file from the Generic folder contained in the downloaded client configuration files. Find the tag called VpnServer and copy the name, beginning with 'azuregateway' and ending with '.cloudapp.net'.
Paste this name into the Address field of your new VPN connection in the Gateway section. Next, select the folder icon at the end of the Certificate field, browse to the Generic folder, and select the VpnServerRoot file.
In the Client section of the connection, for Authentication, select Certificate/private key. For Certificate and Private key, choose the certificate and the private key that were created earlier. In Options, select Request an inner IP address. Then, click Add.
Turn the connection On.
Linux (strongSwan CLI)
Install strongSwan
The following configuration was used for the steps below:
Computer | Ubuntu Server 18.04 |
Dependencies | strongSwan |
Use the following commands to install the required strongSwan configuration:
Use the following command to install the Azure command-line interface:
Generate certificates
If you have not already generated certificates, use the following steps:
Generate the CA certificate.
Print the CA certificate in base64 format. This is the format that is supported by Azure. You upload this certificate to Azure as part of the P2S configuration steps.
Generate the user certificate.
Generate a p12 bundle containing the user certificate. This bundle will be used in the next steps when working with the client configuration files.
Install and configure
Download the VPNClient package from Azure portal.
Extract the File.
From the Generic folder, copy or move the VpnServerRoot.cer to /etc/ipsec.d/cacerts.
Copy or move cp client.p12 to /etc/ipsec.d/private/. This file is client certificate for Azure VPN Gateway.
Open VpnSettings.xml file and copy the
<VpnServer>
value. You will use this value in the next step.Adjust the values in the example below, then add the example to the /etc/ipsec.conf configuration.
Add the following to /etc/ipsec.secrets.
Run the following commands:
Next steps
Return to the article to complete your P2S configuration.
To troubleshoot P2S connections, see the following articles: