Dave Rendón Microsoft Azure MVP, embracing and fostering tech intensity to benefit society and thrive in a digital world.

Solution: Site-to-Site Vnet gateway with steady connections

2 min read

Site-to-Site Vnet gateway with steady connections

I will show you a workaround on how to solve Site-to-Site Vnet gateway with steady connections. Azure virtual networks can be in the same or different regions, and from the same or different subscriptions.

When connecting Vnets from different subscriptions, the subscriptions do not need to be associated with the same Active Directory tenant.

On the other hand, Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.

This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.

This is a very common scenario when you try to connect from an on-premises location to Azure using a 3rd party networking appliance.


Site-to-Site vnet gateway with steady connections


Keep in mind:

  • 1 vnet = 1 gateway
  • Gateway Type = Static Routing = PolicyBased = 1 connection
  • Gateway Type = Dynamic Routing = Route Based = 10 Conenctions
  • You can use Policy Based Gateway to connect the devices which are not yet validated.


IKE diagnostic event:, Failure type: IKE/Authip Main Mode Failure, Failure error code:0x000035ed, Negotiation timed out, , Failure point: Local, Keying module type: IKEv2, MM State: Initial state, no packets sent, MM SA role: Initiator, MM auth method: Unknown, 0000000000000000000000000000000000000000, MM ID: 0x0000000000000020


Azure now supports multiple VPN gateways for a Vnet however you need to consider:

  • You are not creating an ExpressRoute/S2S coexisting connection.
  • The virtual network gateway for your VNet is RouteBased. If you have a PolicyBased VPN gateway, you must delete the virtual network gateway and create a new VPN gateway as RouteBased.
  • None of the address ranges overlap for any of the VNets that this VNet is connecting to.

Create a custom Custom IPsec/IKE policy, be sure to verify the Gateway Type your Appliance supports.

The following table shows you the IPSec/IKEv2 options:

IPsec/IKEv2 Options
IKEv2 Encryption AES256, AES192, AES128, DES3, DES
IKEv2 Integrity SHA384, SHA256, SHA1, MD5
DH Group DHGroup24, ECP384, ECP256, DHGroup14 (DHGroup2048), DHGroup2, DHGroup1, None
IPsec Encryption GCMAES256, GCMAES192, GCMAES128, AES256, AES192, AES128, DES3, DES, None
IPsec Integrity GCMAES256, GCMAES192, GCMAES128, SHA256, SHA1, MD5
PFS Group PFS24, ECP384, ECP256, PFS2048, PFS2, PFS1, None
QM SA Lifetime Seconds (integer; min. 300/default 27000 seconds)
KBytes (integer; min. 1024/default 102400000 KBytes)
Traffic Selector UsePolicyBasedTrafficSelectors ($True/$False; default $False)

The links to configuration instructions are provided on a best-effort basis. For VPN device support, contact your device manufacturer.

Vendor Device family Minimum OS version PolicyBased configuration instructions RouteBased configuration instructions
A10 Networks, Inc. Thunder CFW ACOS 4.1.1 Not compatible Configuration guide
Allied Telesis AR Series VPN Routers 2.9.2 Coming soon Not compatible
Barracuda Networks, Inc. Barracuda NextGen Firewall F-series PolicyBased: 5.4.3
RouteBased: 6.2.0
Configuration guide Configuration guide
Barracuda Networks, Inc. Barracuda NextGen Firewall X-series Barracuda Firewall 6.5 Configuration guide Not compatible
Brocade Vyatta 5400 vRouter Virtual Router 6.6R3 GA Configuration guide Not compatible
Check Point Security Gateway R77.30 Configuration guide Configuration guide
Cisco ASA 8.3
8.4+ (IKEv2*)
Configuration samples Configuration guide*
Cisco ASR PolicyBased: IOS 15.1
RouteBased: IOS 15.2
Configuration samples Configuration samples
Cisco ISR PolicyBased: IOS 15.0
RouteBased*: IOS 15.1
Configuration samples Configuration samples**
Cisco Meraki N/A Not compatible Not compatible
Citrix NetScaler MPX, SDX, VPX 10.1 and above Configuration guide Not compatible
F5 BIG-IP series 12.0 Configuration guide Configuration guide
Fortinet FortiGate FortiOS 5.6 Configuration guide
Internet Initiative Japan (IIJ) SEIL Series SEIL/X 4.60
SEIL/B1 4.60
SEIL/x86 3.20
Configuration guide Not compatible
Juniper SRX PolicyBased: JunOS 10.2
Routebased: JunOS 11.4
Configuration samples Configuration samples
Juniper J-Series PolicyBased: JunOS 10.4r9
RouteBased: JunOS 11.4
Configuration samples Configuration samples
Juniper ISG ScreenOS 6.3 Configuration samples Configuration samples
Juniper SSG ScreenOS 6.2 Configuration samples Configuration samples
Microsoft Routing and Remote Access Service Windows Server 2012 Not compatible Configuration samples
Open Systems AG Mission Control Security Gateway N/A Configuration guide Not compatible
Palo Alto Networks All devices running PAN-OS PAN-OS
PolicyBased: 6.1.5 or later
RouteBased: 7.1.4
Configuration guide Configuration guide
ShareTech Next Generation UTM (NU series) Not compatible Configuration guide
SonicWall TZ Series, NSA Series
SuperMassive Series
E-Class NSA Series
SonicOS 5.8.x
SonicOS 5.9.x
SonicOS 6.x
Not compatible Configuration guide
Sophos XG Next Gen Firewall XG v17 Configuration guide
WatchGuard All Fireware XTM
PolicyBased: v11.11.x
RouteBased: v11.12.x
Configuration guide Configuration guide


Dave Rendón Microsoft Azure MVP, embracing and fostering tech intensity to benefit society and thrive in a digital world.

Leave a Reply

Your email address will not be published. Required fields are marked *