It is very important that you align network resources within your organization to perform the work and also that you gather the required information in order to complete VPN Connect configuration without any problems. Table 3 provides you a list of the information you will require.
Table 3. Required information before you start
|
Question |
Answer |
---|---|---|
1 |
What is your VCN's subnet allocation? |
|
2 |
What is the model of your CPE device? |
|
3 |
What is the software version of your CPE device? |
|
4 |
What is the public IP address of your CPE device? If you have multiple devices for redundancy, get the IP address for each device. |
|
5 |
Is your CPE device behind a NAT device? |
(Y/N) |
5.1 |
If yes what is the private IP address of your CPE device(s)? Please note that in question 4 you need to provide the public IP address. |
|
6 |
Will you be doing port address translation (PAT) between CPE device and your VCN? |
(Y/N) |
7 |
What type of routing do you plan to use? |
Static or BGP |
8 |
If using BGP dynamic routing, what are the BGP session subnets (/31) to use for each tunnel? - The subnets must be part of the encryption domain. |
Tunnel 1 subnet: Tunnel 2 subnet: |
8.1 |
What is the ASN # of your network? |
|
9 |
If using static routing, what are the subnets for your on-premises network? |
|
10 |
Do you want to provide each tunnel's shared secret or let Oracle assign them? |
(Own or Oracle) |
Draw a diagram of your network layout using Figure 6 and 7 as an example. Think about which parts of your on-premises network need to communicate with your VCN, and the reverse. Map out the routing and security lists that you need for your VCN. You can use the attached sample diagram for your reference.
Figure 6. Sample diagram
Figure 7. Sample diagram behind NAT device
The majority of VPN Connect configuration is done from the Oracle Console or via API. We strongly recommend these tasks to be performed by your network team because of the knowledge they have about your network.
IMPORTANT: Keep in mind that whoever is configuring VPN Connect from the Oracle Console, must have the required permission to create and manage the cloud network components. Please check with your Cloud administrator to have the required permissions. For information about access to your cloud network components, see Access Control.
Also consider reading the topics below so you will be familiar with the following concepts and definitions:
If you required more details about IPSec technology, we recommend General IPSec VPN tunnel functionality
When configuring the different components, you can optionally assign a descriptive name to each of them. These names don't have to be unique, although it's a best practice to use unique names across your tenancy. Oracle automatically assigns each component an identification number called Oracle Cloud ID (OCID). For more information, see Resource Identifiers. The OCID is very important when requesting support.
WARNING: Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.
Here is the overall process for setting up VPN Connect.
Steps A through D, are prerequisites for VPN Connect and this guide assumes you already have them in place. If not follow the links provided to configure them.
Steps E and F, will need to be created or modified depending of your current environment. If they do not exist, follow the links provided to configure them.
Steps G and H are the actual configuration of VPN Connect.
Table 4. Configuration overview
Step |
Description |
Component |
---|---|---|
A |
Create your VCN. This is the core component for your cloud deployment. It has to be designed carefully based on your requirements. For more information and how to deploy see VCNs and Subnets. |
|
B |
Create a DRG. This is a required component to deploy VPN Connect. The DRG will allow your VCN to talk to your on-premises network. For more information and how to deploy see Dynamic Routing Gateways. |
|
C |
Attach the DRG to your VCN. This is a very important step as without attaching the DRG to your VCN traffic will not flow to your on-premises network. See Dynamic Routing Gateways under the Using the Console section for instructions how to attach it. |
|
D |
Create subnets in the VCN. In this step you can identify what subnets will need to talk to your on-premises network or define them. If the Subnets are already created, note the route table and security list associated with them as in the next steps you will need to modify them. For more details about Subnets see VCNs and Subnets. |
|
E |
Create/modify a route table and add route rule. This is required to tell the subnets within your VCN how to connect to your on-premises network. You can create a new one or use an existing route table. The route rule you need to add will specify your on-premises subnets as the destination and will point to the DRG as the target type. See Route Tables for more information and how to configure it. |
|
F |
Create/modify a security list and add/update rules. This is required to allow the subnets within your VCN to talk to your on-premises network. The rules are based on the application flows required. You can create a new one or use an existing security list. See Security Lists for more information and how to configure it. |
|
G |
Create VPN Connect – Step by Step instructions are in the next section. 1. Create a CPE object. 2. Create an IPSec connection |
Subcomponents of |
H |
Configure your CPE device: Your network engineer must configure your CPE device with information that Oracle provides during the previous steps. There is general information about the VCN, and specific information for each IPSec tunnel. This is the only part of the setup that you can't execute by using the Oracle Console or API. Without this configuration, traffic will not flow between your VCN and on-premises network. Refer to the section below for more details. |
|
I |
Validate connectivity - Refer to the section below for more details. |
|
In this task, you create the CPE object, which is a virtual representation of your CPE device (5). You will need to create one CPE object per CPE on your on-premises network. You will need to repeat these steps for each CPE you wish to connect with VPN Connect. Follow the steps below to complete this step:
The CPE object is now created and displayed on the page. Next create the IPSec connection.
On the previous step you created a representation of your CPE. On this step you create the connection between the CPE Object and the DRG by creating an IPSec connection. This creates the IPSec tunnels (7 & 8) and specify the type of routing for each tunnel: BGP dynamic routing or static routing. There is section for each type of routing so make sure you follow the correct section. Follow the steps below to complete this step:
In this example, you configure both tunnels to use BGP dynamic routing.
The IPSec connection is created and displayed on the page. It will be in the Provisioning state for a short period.
The displayed tunnel information includes:
The Oracle VPN headend IP address for each tunnel.
The tunnel's IPSec status (possible values are Up, Down, and Down for Maintenance) and BGP status. At this point, the status is Down.
You have now created all the components required for VPN Connect in the Oracle side. Next step is for your network engineer to configure your CPE device to complete the configuration before network traffic can flow between your on-premises network and VCN.
The IPSec connection is created and displayed on the page. It will be in the Provisioning state for a short period.
The displayed tunnel information includes:
The Oracle VPN headend IP address for each tunnel.
The tunnel's IPSec status (possible values are Up, Down, and Down for Maintenance). At this point, the status is Down.
You have now created all the components required for VPN Connect in the Oracle side. Next step is for your network engineer to configure your CPE device to complete the configuration before network traffic can flow between your on-premises network and your VCN.
This section is performed by your network engineer. It explains how to configure your on-premises device (the customer-premises equipment, or CPE) at your end of the VPN Connect connection so traffic can flow between your on-premises network and the virtual cloud network (VCN). Below you will find some things to consider and will point to our public documentation where you can find more specific information about your CPE device model.
You need some basic information like IP address about the outside interfaces of your on-premises device (your CPE). Refer to the information gather on Table 3 question 4. This is the IP address used to configured the IPSec tunnel. Typically, it is a public IP address if the CPE is not sitting behind a NAT device.
If your CPE is behind a NAT device, you can provide Oracle with the private IP address of your CPE which will be used as the CPE's IKE identifier. For more information, see Your CPE Is Behind a NAT Device section above.
Oracle recommends that you disable NAT-Traversal (NAT-T) at your CPE when establishing IPSec tunnels with Oracle Cloud Infrastructure. Unless you have multiple CPEs sharing the same NAT IP, NAT-T is not required.
To complete the configuration for VPN Connect, your network engineer needs to configure your CPE. Please provide him/her with the following information:
Table 5. Required information to configure CPE
Description |
Value |
---|---|
Tunnel Name: A short name to identify this connection. |
For example, OCI-Dev |
The Oracle VPN headends IP address for each tunnel (from item 9 under step G.2 - Create an IPSec Connection). |
Tunnel 1 headend IP address Tunnel 2 headend IP address |
The shared secret for each tunnel (from item 10 under step G.2 - Create an IPSec Connection). |
Tunnel 1 shared secret Tunnel 2 shared secret |
If using BGP: the Inside Tunnel Interface – Oracle for both tunnels (Items 6 and 7 under step G.2 – Create an IPSec Connection). Also provide Oracle ASN 31898. |
Oracle inside tunnel 1 interface Oracle inside tunnel 2 insterface |
If using static: the VCN's subnet and subnet mask. From Table 3 question 1. |
|
The general IPSec parameters supported by Oracle. Any parameter not specified in Table 1 is not supported. Please make sure when you configure your device you use supported parameters otherwise the tunnel will not be established between your CPE and the Oracle DRG. |
|
Single encryption domain |
Single sumarized (supernet) customer network or default route and VCN’s subnet or default route. |
Oracle has verified some devices and software for use with Oracle Cloud Infrastructure VPN Connect. See information on questions 2 and 3 from Table 3 and compare to the Verified CPE Devices table. This page also provides the full configuration for that particular device model. If your CPE device is not on this list, refer to the Generic CPE Configuration Information. |
|
IMPORTANT: Be sure to have your network engineer configure your CPE device to support both of the tunnels in case one fails or Oracle takes one down for maintenance. Cisco ASA policy-based configuration uses a single tunnel.
After the network engineer configures your CPE device, you need to verify the configuration and making sure the two tunnels are up, they are passing traffic and there is communication end to end.
For the tunnels to come up, generally you need to send interesting traffic through the tunnel. Interesting traffic usually refers to traffic that is part of the encryption domain for the IPSec tunnel. You will need a compute instance within your VCN to respond to a request from your premises network. If you do not have one see Creating an Instance. Once the instance is in place initiate a ping from your on-premises network to the instance within the VCN.
If everything was configured properly you should see the following results:
1) Your network engineer confirms the two tunnels are up from your CPE device
2) From the Oracle console you can verify the tunnels status is green
3) You see response to the ping test.
This is a basic test which will proof your tunnel configuration is good, routing at both ends is working, and any security list is open for this traffic.
If you encounter problems then you need to start troubleshooting the following areas:
The IPSec VPN – Make sure the shared secret, IP addresses for the VPN end points is accurate, the IPSec parameters match, and a single encryption domain is configured.
Check routing on both sides of the tunnel, check the routing tables for the VCN’s subnets are pointing to the DRG. Check the IPSec Connection is configured properly for dynamic or static routing. Check the routing on your on-premises network and CPE.
Check security lists to make sure you are allowing ping for the initial test and for the traffic flow required between your on-premises network and your VCN.
For additional troubleshooting tips see VPN Connect Troubleshooting.
For additional information see IPSec VPN Best Practices white paper. Also consider these quick points.
Configure all tunnels for every VPN Connect: Oracle deploys two IPSec headends for all your connections to provide high availability for your mission-critical workloads. (Exception: Cisco ASA policy-based configuration, which uses a single tunnel.)
Have redundant CPEs in your on-premises locations: Each of your sites that connects with VPN Connect to Oracle Cloud Infrastructure should have redundant CPE devices. You add each CPE to the Oracle Console and create a separate IPSec connection between your DRG and each CPE. For each IPSec connection, Oracle provisions two tunnels on geographically redundant IPSec headends.
Note that the DRG routes learned from the IPSec connections are only used by traffic you route from your VCN to your DRG. If you advertise the default route as a less specific route over VPN Connect, the default route will only be used by traffic sent to your DRG whose destination IP address does not match the more specific routes of any of your tunnels.
For redundancy use cases using VPN Connect see Connectivity Redundancy Guide white paper.
For more information about the different products referenced in this document use the links in Table 1.
Table 6. Additional resources
Previous Post
Next Post