Example: Configure an IPsec VPN Between a vSRX Virtual Firewall and Virtual Network Gateway in Microsoft Azure

This example shows how to configure an IPsec VPN between a vSRX Virtual Firewall instance and a virtual network gateway in Microsoft Azure.

Before You Begin

Ensure that you have installed and launched a vSRX Virtual Firewall instance in a Microsoft Azure virtual network.

See SRX Site-to-Site VPN Configuration Generator and How to troubleshoot a VPN tunnel that is down or not active for additional information.


You can use an IPsec VPN to secure traffic between two VNets in Microsoft Azure, with one vSRX Virtual Firewall protecting one VNet and the Azure virtual network gateway protecting the other VNet.

vSRX Virtual Firewall IPsec VPN Configuration


Step-by-Step Procedure

To configure IPsec VPN on vSRX Virtual Firewall:

  1. Log in to the vSRX Virtual Firewall in configuration edit mode (see Configure vSRX Using the CLI).

  2. Set the IP addresses for vSRX Virtual Firewall interfaces.

  3. Set up the untrust security zone.

  4. Set up the trust security zone.

  5. Configure IKE.


    Be sure to replace in this example with the correct public IP address.

  6. Configure IPsec.

    The following example illustrates a vSRX Virtual Firewall IPsec configuration using the CBC encryption algorithm:

    If required, you can use AES-GCM as the encryption algorithm in the vSRX Virtual Firewall IPsec configuration instead of CBC:

  7. Configure routing.
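
As an added illustration of steps 5 and 6 (not the configuration from the original page or from Juniper), the following Junos `set` commands sketch an IKEv2 gateway and an IPsec VPN with a CBC proposal and an AES-GCM alternative. The object names (`ike-prop-azure`, `gw-azure`, `vpn-azure`, and so on), the interface `ge-0/0/0.0`, the tunnel interface `st0.0`, the peer address 203.0.113.10, the pre-shared key string, and the algorithm choices are all assumptions chosen for the example.

```junos
# Added example. Every name, address, key, and algorithm choice below is a
# placeholder and must be replaced with the values for your deployment.

# Step 5: IKE proposal, policy, and gateway
set security ike proposal ike-prop-azure authentication-method pre-shared-keys
set security ike proposal ike-prop-azure dh-group group14
set security ike proposal ike-prop-azure authentication-algorithm sha-256
set security ike proposal ike-prop-azure encryption-algorithm aes-256-cbc
set security ike policy ike-pol-azure proposals ike-prop-azure
set security ike policy ike-pol-azure pre-shared-key ascii-text "REPLACE-WITH-PRE-SHARED-KEY"
set security ike gateway gw-azure ike-policy ike-pol-azure
# 203.0.113.10 is a documentation address standing in for the public IP
# address of the Azure virtual network gateway.
set security ike gateway gw-azure address 203.0.113.10
set security ike gateway gw-azure external-interface ge-0/0/0.0
set security ike gateway gw-azure version v2-only

# Step 6, option A: IPsec proposal using CBC. CBC provides confidentiality
# only, so the proposal also carries an HMAC for integrity.
set security ipsec proposal ipsec-prop-cbc protocol esp
set security ipsec proposal ipsec-prop-cbc encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-prop-cbc authentication-algorithm hmac-sha-256-128

# Step 6, option B: IPsec proposal using AES-GCM. GCM is an authenticated
# encryption mode, so no separate authentication-algorithm is configured.
set security ipsec proposal ipsec-prop-gcm protocol esp
set security ipsec proposal ipsec-prop-gcm encryption-algorithm aes-256-gcm

# Reference exactly one of the two proposals in the IPsec policy. Whichever
# is used, the Azure IPsec/IKE policy must specify the same algorithms.
set security ipsec policy ipsec-pol-azure proposals ipsec-prop-cbc

# Bind the VPN to the tunnel interface and to the IKE gateway defined above.
set security ipsec vpn vpn-azure bind-interface st0.0
set security ipsec vpn vpn-azure ike gateway gw-azure
set security ipsec vpn vpn-azure ike ipsec-policy ipsec-pol-azure
set security ipsec vpn vpn-azure establish-tunnels immediately
```

After the configuration is committed and the Azure side is configured, `show security ike security-associations` and `show security ipsec security-associations` report whether each phase negotiated.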

Microsoft Azure Virtual Network Gateway Configuration


Step-by-Step Procedure

  1. To configure the Microsoft Azure virtual network gateway, refer to the following Microsoft Azure procedure:

    Configure IPsec/IKE policy for S2S VPN or VNet-to-VNet connections

    Ensure that the IPsec and IKE parameters on the Microsoft Azure virtual network gateway match the vSRX Virtual Firewall IPsec and IKE parameters when the site-to-site VPN connection is formed.

  2. Verify Active VPN Tunnels.

    Verify that the tunnel is up between the vSRX Virtual Firewall instance and the Azure virtual network gateway.