Describes how to configure a Non SD-WAN Destination of type Microsoft Azure Virtual Hub via Edge in SD-WAN Orchestrator.
To configure a Non SD-WAN Destination of type Microsoft Azure Virtual Hub via Edge in SD-WAN Orchestrator:
- Ensure you have configured a Cloud subscription. For steps, see Configure a Cloud Subscription Network Service.
- Ensure you have created Virtual WAN and Hubs in Azure. For steps, see Configure Azure Virtual WAN for Branch-to-Azure VPN Connectivity.
- From the navigation panel in the SD-WAN Orchestrator, go to Configure > Network Services.
The Services screen appears.
- In the Non SD-WAN Destinations via Edge area, click the New button.
The New Non SD-WAN Destinations via Edge dialog box appears.
- In the Service Name text box, enter the name for the Non SD-WAN Destination.
- From the Service Type drop-down menu, select Microsoft Azure Virtual Hub.
- From the Subscription drop-down menu, select a cloud subscription.
The application fetches all the available Virtual WANs dynamically from Azure.
- From the Virtual WAN drop-down menu, select a virtual WAN.
The application auto-populates the resource group to which the virtual WAN is associated.
- From the Virtual Hub drop-down menu, select a Virtual Hub.
The application auto-populates the Azure region corresponding to the Hub.
- Click Next.
The Microsoft Azure Non SD-WAN Destination is created and a dialog box for your Non SD-WAN Destination appears.
- To configure tunnel settings for the Non SD-WAN Destination’s Primary VPN Gateway, click the Advanced button.
- In the Primary VPN Gateway area, you can configure the following tunnel settings:
Field and description:
- Encryption: Select either AES 128 or AES 256 as the AES algorithm key size used to encrypt data. If you do not want to encrypt data, select NONE. The default value is AES 128.
- DH Group: The Diffie-Hellman (DH) group to be used when exchanging a pre-shared key. The DH group sets the strength of the algorithm in bits. The supported DH group is 2.
- PFS: Select the Perfect Forward Secrecy (PFS) level for additional security. The supported PFS levels are 2, 5, 14, 15, and 16. The default value is Disabled.
- Hash: The authentication algorithm for the VPN header. Select one of the following supported Secure Hash Algorithm (SHA) functions from the list:
  - SHA 1
  - SHA 256
  The default value is SHA 256.
- IKE SA Lifetime (min): Time after which Internet Key Exchange (IKE) rekeying is initiated for Edges. The minimum IKE lifetime is 10 minutes and the maximum IKE lifetime is 1440 minutes. The default value is 1440 minutes.
- IPsec SA Lifetime (min): Time after which Internet Security Protocol (IPsec) rekeying is initiated for Edges. The minimum IPsec lifetime is 3 minutes and the maximum IPsec lifetime is 480 minutes. The default value is 480 minutes.
- DPD Timeout Timer (sec): The maximum time that the device waits for a response to the DPD message before considering the peer to be dead. The default value is 20 seconds. You can disable DPD by setting the DPD timeout timer to 0 seconds.
Note: Non SD-WAN Destination via Edge of type Microsoft Azure Virtual WAN automation supports only the IKEv2 protocol with the Azure default IPsec policies (except GCM mode), with the SD-WAN Edge acting as the Initiator and Azure acting as the Responder during IPsec tunnel setup.
- Click Save Changes.
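As an added example that is not part of this documentation or of the Orchestrator's own code, the following Python checker validates a proposed set of Primary VPN Gateway tunnel settings against the permitted values, ranges and defaults listed above, and flags accepted-but-weak choices (NONE encryption, SHA 1, PFS disabled, DPD off) before they are saved. The dictionary keys are hypothetical names chosen for this example; no Orchestrator API is called.

```python
# Added example (not from the original page or the product's code base).
# Validates Primary VPN Gateway tunnel settings for a Microsoft Azure Virtual Hub
# Non SD-WAN Destination against the values and ranges the page documents.
# The key names below are hypothetical and chosen only for this example.

ALLOWED = {
    "encryption": {"NONE", "AES 128", "AES 256"},
    "dh_group": {2},                      # only DH group 2 is supported
    "pfs": {"Disabled", 2, 5, 14, 15, 16},
    "hash": {"SHA 1", "SHA 256"},
}
RANGES = {                                # (minimum, maximum), inclusive
    "ike_sa_lifetime_min": (10, 1440),
    "ipsec_sa_lifetime_min": (3, 480),
    "dpd_timeout_sec": (0, None),         # 0 disables DPD; no maximum is documented
}
DEFAULTS = {
    "encryption": "AES 128", "dh_group": 2, "pfs": "Disabled", "hash": "SHA 256",
    "ike_sa_lifetime_min": 1440, "ipsec_sa_lifetime_min": 480, "dpd_timeout_sec": 20,
}

def validate_tunnel_settings(settings):
    """Return (effective_settings, errors, warnings).

    Missing fields take the documented defaults. errors lists values the
    dialog would not accept; warnings lists accepted-but-weak choices.
    """
    effective = {**DEFAULTS, **settings}
    errors, warnings = [], []
    for field, allowed in ALLOWED.items():
        if effective[field] not in allowed:
            errors.append(f"{field}: {effective[field]!r} not in {sorted(map(str, allowed))}")
    for field, (lo, hi) in RANGES.items():
        value = effective[field]
        if not isinstance(value, int) or value < lo or (hi is not None and value > hi):
            errors.append(f"{field}: {value!r} outside {lo}..{'unbounded' if hi is None else hi}")
    if effective["encryption"] == "NONE":
        warnings.append("encryption NONE: tunnel payload is not confidential")
    if effective["hash"] == "SHA 1":
        warnings.append("hash SHA 1: prefer SHA 256 (the default)")
    if effective["pfs"] == "Disabled":
        warnings.append("pfs Disabled: a compromised IKE key exposes past IPsec SAs")
    if effective["dpd_timeout_sec"] == 0:
        warnings.append("dpd_timeout_sec 0: dead peer detection is disabled")
    return effective, errors, warnings
```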
What to do next
- Enable Cloud VPN at the Profile Level
- Associate the Microsoft Azure Non SD-WAN Destination to an Edge and configure tunnels to establish a tunnel between a branch and Azure Virtual Hub. For more information, see Associate a Microsoft Azure Non SD-WAN Destination to a SD-WAN Edge and Add Tunnels.
For information about Azure Virtual WAN Edge Automation, see Configure SD-WAN Orchestrator for Azure Virtual WAN IPsec Automation from SD-WAN Edge.