The list of star signs that can make a good match isn't short for Virgo. Because they're caring, they tend to be good partners for everyone. But there are a few signs they're most compatible with, which are Scorpio, Capricorn, Taurus, and Cancer. Virgo and Scorpio. Scorpio is the Virgo most compatible sign. The unlocked A1662 iPhone SE is considered the “world phone” and while it’s fully compatible with Verizon, AT&T, T-Mobile and MVNOs here in the states, it’s not 100% compatible with Sprint. For Sprint customers looking for full compatibility, you’ll definitely want to stick to the A1723.

  1. Compatibility List Blog App
  2. Compatibility List Blog Apps
  3. Compatibility View List
-->

A VPN device is required to configure a Site-to-Site (S2S) cross-premises VPN connection using a VPN gateway. Site-to-Site connections can be used to create a hybrid solution, or whenever you want secure connections between your on-premises networks and your virtual networks. This article provides a list of validated VPN devices and a list of IPsec/IKE parameters for VPN gateways.

Important

If you are experiencing connectivity issues between your on-premises VPN devices and VPN gateways, refer to Known device compatibility issues.

Items to note when viewing the tables:

  • There has been a terminology change for Azure VPN gateways. Only the names have changed. There is no functionality change.
    • Static Routing = PolicyBased
    • Dynamic Routing = RouteBased
  • Specifications for HighPerformance VPN gateway and RouteBased VPN gateway are the same, unless otherwise noted. For example, the validated VPN devices that are compatible with RouteBased VPN gateways are also compatible with the HighPerformance VPN gateway.

Validated VPN devices and device configuration guides

In partnership with device vendors, we have validated a set of standard VPN devices. All of the devices in the device families in the following list should work with VPN gateways. See About VPN Gateway Settings to understand the VPN type use (PolicyBased or RouteBased) for the VPN Gateway solution you want to configure.

To help configure your VPN device, refer to the links that correspond to the appropriate device family. The links to configuration instructions are provided on a best-effort basis. For VPN device support, contact your device manufacturer.

VendorDevice familyMinimum OS versionPolicyBased configuration instructionsRouteBased configuration instructions
A10 Networks, Inc.Thunder CFWACOS 4.1.1Not compatibleConfiguration guide
Allied TelesisAR Series VPN RoutersAR-Series 5.4.7+Configuration guideConfiguration guide
AristaCloudEOS RoutervEOS 4.24.0FX(not tested)Configuration guide
Barracuda Networks, Inc.Barracuda CloudGen FirewallPolicyBased: 5.4.3
RouteBased: 6.2.0
Configuration guideConfiguration guide
Check PointSecurity GatewayR80.10Configuration guideConfiguration guide
CiscoASA8.3
8.4+ (IKEv2*)
SupportedConfiguration guide*
CiscoASRPolicyBased: IOS 15.1
RouteBased: IOS 15.2
SupportedSupported
CiscoCSRRouteBased: IOS-XE 16.10(not tested)Configuration script
CiscoISRPolicyBased: IOS 15.0
RouteBased*: IOS 15.1
SupportedSupported
CiscoMeraki (MX)MX v15.12Not compatibleConfiguration guide
CiscovEdge (Viptela OS)18.4.0 (Active/Passive Mode)
19.2 (Active/Active Mode)
Not compatibleManual configuration (Active/Passive)
Cloud Onramp configuration (Active/Active)
CitrixNetScaler MPX, SDX, VPX10.1 and aboveConfiguration guideNot compatible
F5BIG-IP series12.0Configuration guideConfiguration guide
FortinetFortiGateFortiOS 5.6(not tested)Configuration guide
Hillstone NetworksNext-Gen Firewalls (NGFW)5.5R7(not tested)Configuration guide
Internet Initiative Japan (IIJ)SEIL SeriesSEIL/X 4.60
SEIL/B1 4.60
SEIL/x86 3.20
Configuration guideNot compatible
JuniperSRXPolicyBased: JunOS 10.2
Routebased: JunOS 11.4
SupportedConfiguration script
JuniperJ-SeriesPolicyBased: JunOS 10.4r9
RouteBased: JunOS 11.4
SupportedConfiguration script
JuniperISGScreenOS 6.3SupportedConfiguration script
JuniperSSGScreenOS 6.2SupportedConfiguration script
JuniperMXJunOS 12.xSupportedConfiguration script
MicrosoftRouting and Remote Access ServiceWindows Server 2012Not compatibleSupported
Open Systems AGMission Control Security GatewayN/AConfiguration guideNot compatible
Palo Alto NetworksAll devices running PAN-OSPAN-OS
PolicyBased: 6.1.5 or later
RouteBased: 7.1.4
SupportedConfiguration guide
Sentrium (Developer)VyOSVyOS 1.2.2(not tested)Configuration guide
ShareTechNext Generation UTM (NU series)9.0.1.3Not compatibleConfiguration guide
SonicWallTZ Series, NSA Series
SuperMassive Series
E-Class NSA Series
SonicOS 5.8.x
SonicOS 5.9.x
SonicOS 6.x
Not compatibleConfiguration guide
SophosXG Next Gen FirewallXG v17(not tested)Configuration guide
Configuration guide - Multiple SAs
SynologyMR2200ac
RT2600ac
RT1900ac
SRM1.1.5/VpnPlusServer-1.2.0(not tested)Configuration guide
UbiquitiEdgeRouterEdgeOS v1.10(not tested)BGP over IKEv2/IPsec
VTI over IKEv2/IPsec
Ultra3E-636L35.2.0.T3 Build-13(not tested)Configuration guide
WatchGuardAllFireware XTM
PolicyBased: v11.11.x
RouteBased: v11.12.x
Configuration guideConfiguration guide
ZyxelZyWALL USG series
ZyWALL ATP series
ZyWALL VPN series
ZLD v4.32+(not tested)VTI over IKEv2/IPsec
BGP over IKEv2/IPsec

Note

(*) Cisco ASA versions 8.4+ add IKEv2 support, can connect to Azure VPN gateway using custom IPsec/IKE policy with 'UsePolicyBasedTrafficSelectors' option. Refer to this how-to article.

(**) ISR 7200 Series routers only support PolicyBased VPNs.

Download VPN device configuration scripts from Azure

For certain devices, you can download configuration scripts directly from Azure. Paper modelsempty spaces the blog ideas. For more information and download instructions, see Download VPN device configuration scripts.

Devices with available configuration scripts

VendorDevice familyFirmware version
CiscoISRIOS 15.1 (Preview)
CiscoASAASA ( * ) RouteBased (IKEv2- No BGP) for ASA below 9.8
CiscoASAASA RouteBased (IKEv2 - No BGP) for ASA 9.8+
JuniperSRX_GA12.x
JuniperSSG_GAScreenOS 6.2.x
JuniperJSeries_GAJunOS 12.x
JuniperSRXJunOS 12.x RouteBased BGP
UbiquitiEdgeRouterEdgeOS v1.10x RouteBased VTI
UbiquitiEdgeRouterEdgeOS v1.10x RouteBased BGP

Note

( * ) Required: NarrowAzureTrafficSelectors (enable UsePolicyBasedTrafficSelectors option) and CustomAzurePolicies (IKE/IPsec)

Non-validated VPN devices

If you don’t see your device listed in the Validated VPN devices table, your device still may work with a Site-to-Site connection. Contact your device manufacturer for additional support and configuration instructions.

Editing device configuration samples

After you download the provided VPN device configuration sample, you’ll need to replace some of the values to reflect the settings for your environment.

To edit a sample:

  1. Open the sample using Notepad.
  2. Search and replace all <text> strings with the values that pertain to your environment. Be sure to include < and >. When a name is specified, the name you select should be unique. If a command does not work, consult your device manufacturer documentation.
Sample textChange to
<RP_OnPremisesNetwork>Your chosen name for this object. Example: myOnPremisesNetwork
<RP_AzureNetwork>Your chosen name for this object. Example: myAzureNetwork
<RP_AccessList>Your chosen name for this object. Example: myAzureAccessList
<RP_IPSecTransformSet>Your chosen name for this object. Example: myIPSecTransformSet
<RP_IPSecCryptoMap>Your chosen name for this object. Example: myIPSecCryptoMap
<SP_AzureNetworkIpRange>Specify range. Example: 192.168.0.0
<SP_AzureNetworkSubnetMask>Specify subnet mask. Example: 255.255.0.0
<SP_OnPremisesNetworkIpRange>Specify on-premises range. Example: 10.2.1.0
<SP_OnPremisesNetworkSubnetMask>Specify on-premises subnet mask. Example: 255.255.255.0
<SP_AzureGatewayIpAddress>This information specific to your virtual network and is located in the Management Portal as Gateway IP address.
<SP_PresharedKey>This information is specific to your virtual network and is located in the Management Portal as Manage Key.

Default IPsec/IKE parameters

The tables below contain the combinations of algorithms and parameters Azure VPN gateways use in default configuration (Default policies). For route-based VPN gateways created using the Azure Resource Management deployment model, you can specify a custom policy on each individual connection. Please refer to Configure IPsec/IKE policy for detailed instructions.

Additionally, you must clamp TCP MSS at 1350. Or if your VPN devices do not support MSS clamping, you can alternatively set the MTU on the tunnel interface to 1400 bytes instead.

In the following tables:

  • SA = Security Association
  • IKE Phase 1 is also called 'Main Mode'
  • IKE Phase 2 is also called 'Quick Mode'

IKE Phase 1 (Main Mode) parameters

PropertyPolicyBasedRouteBased
IKE VersionIKEv1IKEv1 and IKEv2
Diffie-Hellman GroupGroup 2 (1024 bit)Group 2 (1024 bit)
Authentication MethodPre-Shared KeyPre-Shared Key
Encryption & Hashing Algorithms1. AES256, SHA256
2. AES256, SHA1
3. AES128, SHA1
4. 3DES, SHA1
1. AES256, SHA1
2. AES256, SHA256
3. AES128, SHA1
4. AES128, SHA256
5. 3DES, SHA1
6. 3DES, SHA256
SA Lifetime28,800 seconds28,800 seconds

IKE Phase 2 (Quick Mode) parameters

PropertyPolicyBasedRouteBased
IKE VersionIKEv1IKEv1 and IKEv2
Encryption & Hashing Algorithms1. AES256, SHA256
2. AES256, SHA1
3. AES128, SHA1
4. 3DES, SHA1
RouteBased QM SA Offers
SA Lifetime (Time)3,600 seconds27,000 seconds
SA Lifetime (Bytes)102,400,000 KB102,400,000 KB
Perfect Forward Secrecy (PFS)NoRouteBased QM SA Offers
Dead Peer Detection (DPD)Not supportedSupported

RouteBased VPN IPsec Security Association (IKE Quick Mode SA) Offers

The following table lists IPsec SA (IKE Quick Mode) Offers. Offers are listed the order of preference that the offer is presented or accepted.

Azure Gateway as initiator

-EncryptionAuthenticationPFS Group
1GCM AES256GCM (AES256)None
2AES256SHA1None
33DESSHA1None
4AES256SHA256None
5AES128SHA1None
63DESSHA256None

Azure Gateway as responder

-EncryptionAuthenticationPFS Group
1GCM AES256GCM (AES256)None
2AES256SHA1None
33DESSHA1None
4AES256SHA256None
5AES128SHA1None
63DESSHA256None
7DESSHA1None
8AES256SHA11
9AES256SHA12
10AES256SHA114
11AES128SHA11
12AES128SHA12
13AES128SHA114
143DESSHA11
153DESSHA12
163DESSHA2562
17AES256SHA2561
18AES256SHA2562
19AES256SHA25614
20AES256SHA124
21AES256SHA25624
22AES128SHA256None
23AES128SHA2561
24AES128SHA2562
25AES128SHA25614
263DESSHA114
  • You can specify IPsec ESP NULL encryption with RouteBased and HighPerformance VPN gateways. Null based encryption does not provide protection to data in transit, and should only be used when maximum throughput and minimum latency is required. Clients may choose to use this in VNet-to-VNet communication scenarios, or when encryption is being applied elsewhere in the solution.
  • For cross-premises connectivity through the Internet, use the default Azure VPN gateway settings with encryption and hashing algorithms listed in the tables above to ensure security of your critical communication.

Known device compatibility issues

Important

These are the known compatibility issues between third-party VPN devices and Azure VPN gateways. The Azure team is actively working with the vendors to address the issues listed here. Once the issues are resolved, this page will be updated with the most up-to-date information. Please check back periodically.

Feb. 16, 2017

Palo Alto Networks devices with version prior to 7.1.4 for Azure route-based VPN: If you are using VPN devices from Palo Alto Networks with PAN-OS version prior to 7.1.4 and are experiencing connectivity issues to Azure route-based VPN gateways, perform the following steps:

  1. Check the firmware version of your Palo Alto Networks device. If your PAN-OS version is older than 7.1.4, upgrade to 7.1.4.
  2. On the Palo Alto Networks device, change the Phase 2 SA (or Quick Mode SA) lifetime to 28,800 seconds (8 hours) when connecting to the Azure VPN gateway.
  3. If you are still experiencing connectivity issues, open a support request from the Azure portal.

One of the features SAP delivered with S/4HANA to ease conversion from SAP ECC are the so called Compatibility Pack Scope items. Put simply these are bits of functionality that exist in SAP ECC but do not form part of the long term scope for S/4HANA.

To see the full scope of S/4HANA 1809 and the associated Compatibility Pack Scope look into the S/4HANA Functional Scope Description document.

Compatibility List Blog App

Note : This is a great document to show anyone that doesn’t understand the functional richness of SAP S/4HANA – At nearly 572 pages (with 94 covering Compatibility Pack Scope) it makes a great bedtime read.

You can use Compatibility Pack Scope items in S/4HANA after a conversion BUT importantly you will not be able to use them after 2025 as they will not have a license, will not be supported, will not be tested to see if they work between versions/support packs and SAP could choose to remove them at any time.

The reasons for a feature becoming part of the Compatibility Scope are various but in my opinion can be grouped into 3 main areas :-

  • Duplicates : Features that were duplicated by other features in the system – SAP want S/4HANA to have just one place for each feature – this is known as the “Principle of One”.
  • Superseded : Features that have been superseded by more advanced functionality which must be migrated to by 2025. The most known example here is Warehouse Management (LE-WM) module which is replaced with Extended Warehouse Management. Others include Special Ledgers, Transportation (LE-TRA), most of HR, many industry solutions and Logistic Information Systems – see the Compatibility Scope Matrix in the SAP Note below for a full list.
  • Not Used : Features that very few customers ever used and have been removed to simplify the solutions.

Compatibility List Blog Apps

If you are considering a Brownfield conversion the Compatibility Pack Scope is really important as you will need to factor the time and effort required to move from the items you use in the Compatibility Pack Scope to the new recommended solution. This can be done any time before 2025, so you have plenty of time but the associated effort and costs should be built into your business case to convert to S/4HANA. In some case you many find that the effort required tips you closer to going Greenfield with a fresh implementation and the benefits of a fresh start. See my Greenfield / Brownfield questionnaire to see other things to consider.

Compatibility View List

Compatibility List Blog

If you do consider going Greenfield and you do this with the On Premise version then you still need to be aware of the Compatibility Pack Scope because you need to make sure that your implementation partner doesn’t turn on “stuff “you will then have to turn off – I haven’t seen this personally but I can imagine it happening if the people implementing are experienced SAP ECC consultants and not close to the S/4HANA capabilities.

One way to avoid this risk is to go with S/4HANA Cloud because in this SaaS environment you (or the people implementing the solution) will not be able to access the Compatibility Pack Scope as it is not exposed as part of the Best Practice configuration.

As with all things SAP – a SAP note exists for that !

This references a nice overview presentation, an FAQ document and also a detailed matrix that shows the Compatibility Pack Scope and the associated replacement scope and SAP Note.

If you have any further questions on specific Compatibility Pack Scope and the impact it might have on your S/4HANA plans please post them below and I can raise them with SAP next time the SAP Mentors meet with development in Walldorf.

Coments are closed
Scroll to top