Skip to content

PfsGroup property disparity between New-AzIpsecPolicy and Update-AzVpnConnection #27816

New issue
New issue
Open
Open
PfsGroup property disparity between New-AzIpsecPolicy and Update-AzVpnConnection#27816
Labels
NetworkService AttentionThis issue is responsible by Azure service team.bugThis issue requires a change to an existing behavior in the product in order to be resolved.
@isra-fel

Description

@isra-fel
isra-fel
opened on May 22, 2025
Member

Discussed in #27795

Originally posted by mcdonamw May 20, 2025
I'm in a spot where I need to manually create an ipsec policy for a VPN in our virtual wan due to the portal having a required field where I must set "None", but that's not an option.

With that said I'm using New-AzIpsecPolicy to create the following policy, but it bombs citing PFS14 is not a valid value for property PfsGroup and that valid values are None,PFS1,PFS2,PFS2048,PFS24,ECP256,ECP384.

C:\> $newIpsec = New-AzIpsecPolicy `
>>   -IpsecEncryption   None `
>>   -IpsecIntegrity    SHA256 `
>>   -IkeEncryption     AES256 `
>>   -IkeIntegrity      SHA256 `
>>   -PfsGroup          PFS14 `
>>   -DhGroup           DHGroup14 `
>>   -SADataSizeKilobytes 2147483647 `
>>   -SALifeTimeSeconds 14400
>>
New-AzIpsecPolicy:
Line |
   6 |    -PfsGroup          PFS14 `
     |                       ~~~~~
     | Cannot validate argument on parameter 'PfsGroup'. The argument "PFS14" does not belong to the set "None,PFS1,PFS2,PFS2048,PFS24,ECP256,ECP384" specified by the ValidateSet attribute. Supply an argument that is in the set and then try the command again.

Research suggested using PFS2048 as an inline replacement, and I did. However, when I assign this policy to a vpn connection and run Update-AzVpnConnection, that then bombs citing PFS2048 is not a valid value for PfsGroup and accepted values are None,PFS14,PFS24,ECP256,ECP384

C:\Users\158088> Update-AzVpnConnection -ResourceGroupName $vwanRgName -ParentResourceName $vpnGwName -Name $vpnConnName -VpnSiteLinkConnection $siteLinkConn

Update-AzVpnConnection: Invalid PfsGroup specified for Resource <redacted>. The allowed PfsGroup values are None,PFS14,PFS24,ECP256,ECP384.

To get around this I created my own custom policy object of typename Microsoft.Azure.Commands.Network.Models.PSIpsecPolicy passing a hash table of the properties and values I need to it and that seems to have worked.

I'm just wondering, why would one support PFS2048 but the other PFS14? Shouldn't these two (and likely more) vpn related cmdlets support the same values? Is this worthy of an issue being filed?

Activity

isra-fel
added
Network
Service AttentionThis issue is responsible by Azure service team.
bugThis issue requires a change to an existing behavior in the product in order to be resolved.
on May 22, 2025
microsoft-github-policy-service

microsoft-github-policy-service commented on May 22, 2025

@microsoft-github-policy-service
microsoft-github-policy-servicebot
on May 22, 2025
Contributor

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @aznetsuppgithub.

microsoft-github-policy-service

microsoft-github-policy-service commented on May 22, 2025

@microsoft-github-policy-service
microsoft-github-policy-servicebot
on May 22, 2025
Contributor

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @aznetsuppgithub.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    NetworkService AttentionThis issue is responsible by Azure service team.bugThis issue requires a change to an existing behavior in the product in order to be resolved.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @isra-fel

        Issue actions
          PfsGroup property disparity between New-AzIpsecPolicy and Update-AzVpnConnection · Issue #27816 · Azure/azure-powershell