Skip to content

PfsGroup property disparity between New-AzIpsecPolicy and Update-AzVpnConnection #27816

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
isra-fel opened this issue May 22, 2025 · 2 comments
Open

PfsGroup property disparity between New-AzIpsecPolicy and Update-AzVpnConnection #27816

isra-fel opened this issue May 22, 2025 · 2 comments
Labels
bug This issue requires a change to an existing behavior in the product in order to be resolved. Network Service Attention This issue is responsible by Azure service team.

Comments

@isra-fel
Copy link
Member

Discussed in #27795

Originally posted by mcdonamw May 20, 2025
I'm in a spot where I need to manually create an ipsec policy for a VPN in our virtual wan due to the portal having a required field where I must set "None", but that's not an option.

With that said I'm using New-AzIpsecPolicy to create the following policy, but it bombs citing PFS14 is not a valid value for property PfsGroup and that valid values are None,PFS1,PFS2,PFS2048,PFS24,ECP256,ECP384.

C:\> $newIpsec = New-AzIpsecPolicy `
>>   -IpsecEncryption   None `
>>   -IpsecIntegrity    SHA256 `
>>   -IkeEncryption     AES256 `
>>   -IkeIntegrity      SHA256 `
>>   -PfsGroup          PFS14 `
>>   -DhGroup           DHGroup14 `
>>   -SADataSizeKilobytes 2147483647 `
>>   -SALifeTimeSeconds 14400
>>
New-AzIpsecPolicy:
Line |
   6 |    -PfsGroup          PFS14 `
     |                       ~~~~~
     | Cannot validate argument on parameter 'PfsGroup'. The argument "PFS14" does not belong to the set "None,PFS1,PFS2,PFS2048,PFS24,ECP256,ECP384" specified by the ValidateSet attribute. Supply an argument that is in the set and then try the command again.

Research suggested using PFS2048 as an inline replacement, and I did. However, when I assign this policy to a vpn connection and run Update-AzVpnConnection, that then bombs citing PFS2048 is not a valid value for PfsGroup and accepted values are None,PFS14,PFS24,ECP256,ECP384

C:\Users\158088> Update-AzVpnConnection -ResourceGroupName $vwanRgName -ParentResourceName $vpnGwName -Name $vpnConnName -VpnSiteLinkConnection $siteLinkConn

Update-AzVpnConnection: Invalid PfsGroup specified for Resource <redacted>. The allowed PfsGroup values are None,PFS14,PFS24,ECP256,ECP384.

To get around this I created my own custom policy object of typename Microsoft.Azure.Commands.Network.Models.PSIpsecPolicy passing a hash table of the properties and values I need to it and that seems to have worked.

I'm just wondering, why would one support PFS2048 but the other PFS14? Shouldn't these two (and likely more) vpn related cmdlets support the same values? Is this worthy of an issue being filed?
@isra-fel isra-fel added Network Service Attention This issue is responsible by Azure service team. bug This issue requires a change to an existing behavior in the product in order to be resolved. labels May 22, 2025
@microsoft-github-policy-service Microsoft GitHub Policy Service
Copy link
Contributor

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @aznetsuppgithub.

1 similar comment
@microsoft-github-policy-service Microsoft GitHub Policy Service
Copy link
Contributor

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @aznetsuppgithub.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug This issue requires a change to an existing behavior in the product in order to be resolved. Network Service Attention This issue is responsible by Azure service team.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@isra-fel