Example: Configuring an IPsec VPN Between a vSRX and Virtual Network Gateway in Microsoft Azure

This example shows how to configure an IPsec VPN between a vSRX instance and a virtual network gateway in Microsoft Azure.

Before You Begin

Ensure that you have installed and launched a vSRX instance in Microsoft Azure virtual network.

See the SRX Site-to-Site VPN Configuration Generator and How to Troubleshoot a VPN Tunnel That Is Down or Not Active for additional information.

Overview

You can use an IPsec VPN to secure traffic between two VNets in Microsoft Azure, with a vSRX instance protecting one VNet and an Azure virtual network gateway protecting the other VNet.

vSRX IPsec VPN Configuration

Step-by-Step Procedure

To configure IPsec VPN on vSRX:

  1. Log in to the vSRX in configuration edit mode (see Configuring vSRX Using the CLI).
  2. Set the IP addresses for vSRX interfaces.
  3. Set up the untrust security zone.
  4. Set up the trust security zone.
  5. Configure IKE.
    Note

    Be sure to replace 52.175.210.65 in this example with the public IP address of your own Azure virtual network gateway (the IKE peer).

  6. Configure IPsec.

    The following example illustrates a vSRX IPsec configuration using the CBC encryption algorithm:

    If required, you can use AES-GCM as the encryption algorithm in the vSRX IPsec configuration instead of CBC:

  7. Configure routing.

Microsoft Azure Virtual Network Gateway Configuration

Step-by-Step Procedure

To configure the Microsoft Azure virtual network gateway, refer to the following Microsoft Azure procedure:

Configure IPsec/IKE policy for S2S VPN or VNet-to-VNet connections

Ensure that the IKE and IPsec parameters (encryption and integrity algorithms, DH group, PFS group, and SA lifetimes) configured on the Microsoft Azure virtual network gateway match the vSRX IKE and IPsec parameters; otherwise the site-to-site VPN connection does not form.

Verification

Verify Active VPN Tunnels

Purpose

Verify that the tunnel is up between the vSRX instance and the Azure virtual network gateway. The IKE security association should show a state of UP, and an IPsec security association should exist for the Azure gateway address.

Action

root@> show security ike security-associations
root@> show security ipsec security-associations