Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Example: Configure an IPsec VPN Between a vSRX and Virtual Network Gateway in Microsoft Azure

This example shows how to configure an IPsec VPN between a vSRX instance and a virtual network gateway in Microsoft Azure.

Before You Begin

Ensure that you have installed and launched a vSRX instance in Microsoft Azure virtual network.

See SRX Site-to-Site VPN Configuration Generator and How to troubleshoot a VPN tunnel that is down or not active for additional information.


You can use an IPsec VPN to secure traffic between two VNETs in Microsoft Azure, with one vSRX protecting one VNet and the Azure virtual network gateway protecting the other VNet.

vSRX IPsec VPN Configuration


Step-by-Step Procedure

To configure IPsec VPN on vSRX:

  1. Log in to the vSRX in configuration edit mode (see Configure vSRX Using the CLI).

  2. Set the IP addresses for vSRX interfaces.

  3. Set up the untrust security zone.

  4. Set up the trust security zone.

  5. Configure IKE.


    Be sure to replace in this example with the correct public IP address.

  6. Configure IPsec.

    The following example illustrates a vSRX IPsec configuration using the CBC encryption algorithm:

    If required, you can use AES-GCM as the encryption algorithm in the vSRX IPsec configuration instead of CBC:

  7. Configure routing.

Microsoft Azure Virtual Network Gateway Configuration


Step-by-Step Procedure

  1. To configure the Microsoft Azure virtual network gateway, refer to the following Microsoft Azure procedure:

    Configure IPsec/IKE policy for S2S VPN or VNet-to-VNet connections

    Ensure the IPSec IKE parameters in Microsoft Azure virtual network gateway match the vSRX IPSec IKE parameters when the site-to-site VPN connection is formed.

  2. Verify Active VPN Tunnels.

    Verify that the tunnel is up between the vSRX instance and the Azure virtual network gateway.