Compatibility List Blog

  • This is a very long compatibility list of the Redump collection (CUE/BIN) for Fenrir ODE. The games have been tested for booting and about 1-2 minutes of playtime, i.e. Not to completion. More information will be added in the future. All following games were tested on a Grey Sega Saturn VA0.5 (NTSC-J) with a Sandisk Extreme 128GB microSD card.
  • If your phone is compatible with Tracfone, all that’s left to do is buy an Activation Kit and find the right service plan that suits your needs. For as low as $15, you’ll receive 500MB of data, 200 minutes of airtime, and 500 text messages for 30 days of service.

And alternatively, check out our list of Wacom Tablets/Cintiqs. This list shows most, if not all, of Wacom's products and each Pen they are compatible with. NOTE: Pens with an 'E' denote that it has an Eraser. Whether it ends in 'K' or '0K' is irrelevant to compatibility matching. (Updated as of January 2020) Wacom One Pen - CP91300B2Z. Compatible - Windows 7 Logo- Of course, this classification is the Holy Grail and means this product met Microsoft's testing requirements for compatibility with 32-bit and 64-bit Windows 7.

-->

A VPN device is required to configure a Site-to-Site (S2S) cross-premises VPN connection using a VPN gateway. Site-to-Site connections can be used to create a hybrid solution, or whenever you want secure connections between your on-premises networks and your virtual networks. This article provides a list of validated VPN devices and a list of IPsec/IKE parameters for VPN gateways.

Important

If you are experiencing connectivity issues between your on-premises VPN devices and VPN gateways, refer to Known device compatibility issues.

Items to note when viewing the tables:

Compatibility
  • There has been a terminology change for Azure VPN gateways. Only the names have changed. There is no functionality change.
    • Static Routing = PolicyBased
    • Dynamic Routing = RouteBased
  • Specifications for HighPerformance VPN gateway and RouteBased VPN gateway are the same, unless otherwise noted. For example, the validated VPN devices that are compatible with RouteBased VPN gateways are also compatible with the HighPerformance VPN gateway.

Validated VPN devices and device configuration guides

In partnership with device vendors, we have validated a set of standard VPN devices. All of the devices in the device families in the following list should work with VPN gateways. See About VPN Gateway Settings to understand the VPN type use (PolicyBased or RouteBased) for the VPN Gateway solution you want to configure.

To help configure your VPN device, refer to the links that correspond to the appropriate device family. The links to configuration instructions are provided on a best-effort basis. For VPN device support, contact your device manufacturer.

VendorDevice familyMinimum OS versionPolicyBased configuration instructionsRouteBased configuration instructions
A10 Networks, Inc.Thunder CFWACOS 4.1.1Not compatibleConfiguration guide
Allied TelesisAR Series VPN RoutersAR-Series 5.4.7+Configuration guideConfiguration guide
AristaCloudEOS RoutervEOS 4.24.0FX(not tested)Configuration guide
Barracuda Networks, Inc.Barracuda CloudGen FirewallPolicyBased: 5.4.3
RouteBased: 6.2.0
Configuration guideConfiguration guide
Check PointSecurity GatewayR80.10Configuration guideConfiguration guide
CiscoASA8.3
8.4+ (IKEv2*)
SupportedConfiguration guide*
CiscoASRPolicyBased: IOS 15.1
RouteBased: IOS 15.2
SupportedSupported
CiscoCSRRouteBased: IOS-XE 16.10(not tested)Configuration script
CiscoISRPolicyBased: IOS 15.0
RouteBased*: IOS 15.1
SupportedSupported
CiscoMeraki (MX)MX v15.12Not compatibleConfiguration guide
CiscovEdge (Viptela OS)18.4.0 (Active/Passive Mode)
19.2 (Active/Active Mode)
Not compatibleManual configuration (Active/Passive)
Cloud Onramp configuration (Active/Active)
CitrixNetScaler MPX, SDX, VPX10.1 and aboveConfiguration guideNot compatible
F5BIG-IP series12.0Configuration guideConfiguration guide
FortinetFortiGateFortiOS 5.6(not tested)Configuration guide
Hillstone NetworksNext-Gen Firewalls (NGFW)5.5R7(not tested)Configuration guide
Internet Initiative Japan (IIJ)SEIL SeriesSEIL/X 4.60
SEIL/B1 4.60
SEIL/x86 3.20
Configuration guideNot compatible
JuniperSRXPolicyBased: JunOS 10.2
Routebased: JunOS 11.4
SupportedConfiguration script
JuniperJ-SeriesPolicyBased: JunOS 10.4r9
RouteBased: JunOS 11.4
SupportedConfiguration script
JuniperISGScreenOS 6.3SupportedConfiguration script
JuniperSSGScreenOS 6.2SupportedConfiguration script
JuniperMXJunOS 12.xSupportedConfiguration script
MicrosoftRouting and Remote Access ServiceWindows Server 2012Not compatibleSupported
Open Systems AGMission Control Security GatewayN/AConfiguration guideNot compatible
Palo Alto NetworksAll devices running PAN-OSPAN-OS
PolicyBased: 6.1.5 or later
RouteBased: 7.1.4
SupportedConfiguration guide
Sentrium (Developer)VyOSVyOS 1.2.2(not tested)Configuration guide
ShareTechNext Generation UTM (NU series)9.0.1.3Not compatibleConfiguration guide
SonicWallTZ Series, NSA Series
SuperMassive Series
E-Class NSA Series
SonicOS 5.8.x
SonicOS 5.9.x
SonicOS 6.x
Not compatibleConfiguration guide
SophosXG Next Gen FirewallXG v17(not tested)Configuration guide
Configuration guide - Multiple SAs
SynologyMR2200ac
RT2600ac
RT1900ac
SRM1.1.5/VpnPlusServer-1.2.0(not tested)Configuration guide
UbiquitiEdgeRouterEdgeOS v1.10(not tested)BGP over IKEv2/IPsec
VTI over IKEv2/IPsec
Ultra3E-636L35.2.0.T3 Build-13(not tested)Configuration guide
WatchGuardAllFireware XTM
PolicyBased: v11.11.x
RouteBased: v11.12.x
Configuration guideConfiguration guide
ZyxelZyWALL USG series
ZyWALL ATP series
ZyWALL VPN series
ZLD v4.32+(not tested)VTI over IKEv2/IPsec
BGP over IKEv2/IPsec

Note

Compatibility List Blog

(*) Cisco ASA versions 8.4+ add IKEv2 support, can connect to Azure VPN gateway using custom IPsec/IKE policy with 'UsePolicyBasedTrafficSelectors' option. Refer to this how-to article.

(**) ISR 7200 Series routers only support PolicyBased VPNs.

Download VPN device configuration scripts from Azure

For certain devices, you can download configuration scripts directly from Azure. For more information and download instructions, see Download VPN device configuration scripts.

Compatibility List Blog Websites

Devices with available configuration scripts

VendorDevice familyFirmware version
CiscoISRIOS 15.1 (Preview)
CiscoASAASA ( * ) RouteBased (IKEv2- No BGP) for ASA below 9.8
CiscoASAASA RouteBased (IKEv2 - No BGP) for ASA 9.8+
JuniperSRX_GA12.x
JuniperSSG_GAScreenOS 6.2.x
JuniperJSeries_GAJunOS 12.x
JuniperSRXJunOS 12.x RouteBased BGP
UbiquitiEdgeRouterEdgeOS v1.10x RouteBased VTI
UbiquitiEdgeRouterEdgeOS v1.10x RouteBased BGP

Note

( * ) Required: NarrowAzureTrafficSelectors (enable UsePolicyBasedTrafficSelectors option) and CustomAzurePolicies (IKE/IPsec)

Non-validated VPN devices

If you don’t see your device listed in the Validated VPN devices table, your device still may work with a Site-to-Site connection. Contact your device manufacturer for additional support and configuration instructions.

Compatibility View List

Editing device configuration samples

Compatibility List Blog Apps

After you download the provided VPN device configuration sample, you’ll need to replace some of the values to reflect the settings for your environment.

To edit a sample:

  1. Open the sample using Notepad.
  2. Search and replace all <text> strings with the values that pertain to your environment. Be sure to include < and >. When a name is specified, the name you select should be unique. If a command does not work, consult your device manufacturer documentation.
Sample textChange to
<RP_OnPremisesNetwork>Your chosen name for this object. Example: myOnPremisesNetwork
<RP_AzureNetwork>Your chosen name for this object. Example: myAzureNetwork
<RP_AccessList>Your chosen name for this object. Example: myAzureAccessList
<RP_IPSecTransformSet>Your chosen name for this object. Example: myIPSecTransformSet
<RP_IPSecCryptoMap>Your chosen name for this object. Example: myIPSecCryptoMap
<SP_AzureNetworkIpRange>Specify range. Example: 192.168.0.0
<SP_AzureNetworkSubnetMask>Specify subnet mask. Example: 255.255.0.0
<SP_OnPremisesNetworkIpRange>Specify on-premises range. Example: 10.2.1.0
<SP_OnPremisesNetworkSubnetMask>Specify on-premises subnet mask. Example: 255.255.255.0
<SP_AzureGatewayIpAddress>This information specific to your virtual network and is located in the Management Portal as Gateway IP address.
<SP_PresharedKey>This information is specific to your virtual network and is located in the Management Portal as Manage Key.

Default IPsec/IKE parameters

The tables below contain the combinations of algorithms and parameters Azure VPN gateways use in default configuration (Default policies). For route-based VPN gateways created using the Azure Resource Management deployment model, you can specify a custom policy on each individual connection. Please refer to Configure IPsec/IKE policy for detailed instructions.

Additionally, you must clamp TCP MSS at 1350. Or if your VPN devices do not support MSS clamping, you can alternatively set the MTU on the tunnel interface to 1400 bytes instead.

In the following tables:

  • SA = Security Association
  • IKE Phase 1 is also called 'Main Mode'
  • IKE Phase 2 is also called 'Quick Mode'

IKE Phase 1 (Main Mode) parameters

PropertyPolicyBasedRouteBased
IKE VersionIKEv1IKEv1 and IKEv2
Diffie-Hellman GroupGroup 2 (1024 bit)Group 2 (1024 bit)
Authentication MethodPre-Shared KeyPre-Shared Key
Encryption & Hashing Algorithms1. AES256, SHA256
2. AES256, SHA1
3. AES128, SHA1
4. 3DES, SHA1
1. AES256, SHA1
2. AES256, SHA256
3. AES128, SHA1
4. AES128, SHA256
5. 3DES, SHA1
6. 3DES, SHA256
SA Lifetime28,800 seconds28,800 seconds

IKE Phase 2 (Quick Mode) parameters

PropertyPolicyBasedRouteBased
IKE VersionIKEv1IKEv1 and IKEv2
Encryption & Hashing Algorithms1. AES256, SHA256
2. AES256, SHA1
3. AES128, SHA1
4. 3DES, SHA1
RouteBased QM SA Offers
SA Lifetime (Time)3,600 seconds27,000 seconds
SA Lifetime (Bytes)102,400,000 KB102,400,000 KB
Perfect Forward Secrecy (PFS)NoRouteBased QM SA Offers
Dead Peer Detection (DPD)Not supportedSupported

RouteBased VPN IPsec Security Association (IKE Quick Mode SA) Offers

The following table lists IPsec SA (IKE Quick Mode) Offers. Offers are listed the order of preference that the offer is presented or accepted.

Compatibility

Azure Gateway as initiator

-EncryptionAuthenticationPFS Group
1GCM AES256GCM (AES256)None
2AES256SHA1None
33DESSHA1None
4AES256SHA256None
5AES128SHA1None
63DESSHA256None

Azure Gateway as responder

Compatibility List Blog App

-EncryptionAuthenticationPFS Group
1GCM AES256GCM (AES256)None
2AES256SHA1None
33DESSHA1None
4AES256SHA256None
5AES128SHA1None
63DESSHA256None
7DESSHA1None
8AES256SHA11
9AES256SHA12
10AES256SHA114
11AES128SHA11
12AES128SHA12
13AES128SHA114
143DESSHA11
153DESSHA12
163DESSHA2562
17AES256SHA2561
18AES256SHA2562
19AES256SHA25614
20AES256SHA124
21AES256SHA25624
22AES128SHA256None
23AES128SHA2561
24AES128SHA2562
25AES128SHA25614
263DESSHA114
  • You can specify IPsec ESP NULL encryption with RouteBased and HighPerformance VPN gateways. Null based encryption does not provide protection to data in transit, and should only be used when maximum throughput and minimum latency is required. Clients may choose to use this in VNet-to-VNet communication scenarios, or when encryption is being applied elsewhere in the solution.
  • For cross-premises connectivity through the Internet, use the default Azure VPN gateway settings with encryption and hashing algorithms listed in the tables above to ensure security of your critical communication.

Known device compatibility issues

Important

Xbox Compatibility List

These are the known compatibility issues between third-party VPN devices and Azure VPN gateways. The Azure team is actively working with the vendors to address the issues listed here. Once the issues are resolved, this page will be updated with the most up-to-date information. Please check back periodically.

Blog

Feb. 16, 2017

Palo Alto Networks devices with version prior to 7.1.4 for Azure route-based VPN: If you are using VPN devices from Palo Alto Networks with PAN-OS version prior to 7.1.4 and are experiencing connectivity issues to Azure route-based VPN gateways, perform the following steps:

  1. Check the firmware version of your Palo Alto Networks device. If your PAN-OS version is older than 7.1.4, upgrade to 7.1.4.
  2. On the Palo Alto Networks device, change the Phase 2 SA (or Quick Mode SA) lifetime to 28,800 seconds (8 hours) when connecting to the Azure VPN gateway.
  3. If you are still experiencing connectivity issues, open a support request from the Azure portal.