PfsGroup property disparity between New-AzIpsecPolicy and Update-AzVpnConnection #27795

mcdonamw · 2025-05-19T22:25:21Z

mcdonamw
May 19, 2025

I'm in a spot where I need to manually create an ipsec policy for a VPN in our virtual wan due to the portal having a required field where I must set "None", but that's not an option.

With that said I'm using New-AzIpsecPolicy to create the following policy, but it bombs citing PFS14 is not a valid value for property PfsGroup and that valid values are None,PFS1,PFS2,PFS2048,PFS24,ECP256,ECP384.

C:\> $newIpsec = New-AzIpsecPolicy `
>>   -IpsecEncryption   None `
>>   -IpsecIntegrity    SHA256 `
>>   -IkeEncryption     AES256 `
>>   -IkeIntegrity      SHA256 `
>>   -PfsGroup          PFS14 `
>>   -DhGroup           DHGroup14 `
>>   -SADataSizeKilobytes 2147483647 `
>>   -SALifeTimeSeconds 14400
>>
New-AzIpsecPolicy:
Line |
   6 |    -PfsGroup          PFS14 `
     |                       ~~~~~
     | Cannot validate argument on parameter 'PfsGroup'. The argument "PFS14" does not belong to the set "None,PFS1,PFS2,PFS2048,PFS24,ECP256,ECP384" specified by the ValidateSet attribute. Supply an argument that is in the set and then try the command again.

Research suggested using PFS2048 as an inline replacement, and I did. However, when I assign this policy to a vpn connection and run Update-AzVpnConnection, that then bombs citing PFS2048 is not a valid value for PfsGroup and accepted values are None,PFS14,PFS24,ECP256,ECP384

C:\Users\158088> Update-AzVpnConnection -ResourceGroupName $vwanRgName -ParentResourceName $vpnGwName -Name $vpnConnName -VpnSiteLinkConnection $siteLinkConn

Update-AzVpnConnection: Invalid PfsGroup specified for Resource <redacted>. The allowed PfsGroup values are None,PFS14,PFS24,ECP256,ECP384.

To get around this I created my own custom policy object of typename Microsoft.Azure.Commands.Network.Models.PSIpsecPolicy passing a hash table of the properties and values I need to it and that seems to have worked.

I'm just wondering, why would one support PFS2048 but the other PFS14? Shouldn't these two (and likely more) vpn related cmdlets support the same values? Is this worthy of an issue being filed?

mcdonamw · 2025-06-30T14:25:33Z

mcdonamw
Jun 30, 2025
Author

Edit: I see someone took the liberty of opening an issue on this (#27816). Thanks @isra-fel.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

PfsGroup property disparity between New-AzIpsecPolicy and Update-AzVpnConnection #27795

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

PfsGroup property disparity between New-AzIpsecPolicy and Update-AzVpnConnection #27795

Uh oh!

Uh oh!

mcdonamw May 19, 2025

Replies: 1 comment

Uh oh!

Uh oh!

mcdonamw Jun 30, 2025 Author

mcdonamw
May 19, 2025

mcdonamw
Jun 30, 2025
Author