Before You Get Started

It is very important that you align network resources within your organization to perform the work and also that you gather the required information in order to complete VPN Connect configuration without any problems. Table 3 provides you a list of the information you will require.

Table 3. Required information before you start

Draw a diagram of your network layout using Figure 6 and 7 as an example. Think about which parts of your on-premises network need to communicate with your VCN, and the reverse. Map out the routing and security lists that you need for your VCN. You can use the attached sample diagram for your reference.

Figure 6. Sample diagram

Figure 7. Sample diagram behind NAT device

Sample Diagrams

Implementation

The majority of VPN Connect configuration is done from the Oracle Console or via API. We strongly recommend these tasks to be performed by your network team because of the knowledge they have about your network.

IMPORTANT: Keep in mind that whoever is configuring VPN Connect from the Oracle Console, must have the required permission to create and manage the cloud network components. Please check with your Cloud administrator to have the required permissions. For information about access to your cloud network components, see Access Control.

Also consider reading the topics below so you will be familiar with the following concepts and definitions:

• The fundamentals of Oracle Cloud Infrastructure

• The basic Networking service components

• If you required more details about IPSec technology, we recommend General IPSec VPN tunnel functionality

When configuring the different components, you can optionally assign a descriptive name to each of them. These names don't have to be unique, although it's a best practice to use unique names across your tenancy. Oracle automatically assigns each component an identification number called Oracle Cloud ID (OCID). For more information, see Resource Identifiers. The OCID is very important when requesting support.

WARNING: Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

Configuration Overview

Here is the overall process for setting up VPN Connect.

• Steps A through D, are prerequisites for VPN Connect and this guide assumes you already have them in place. If not follow the links provided to configure them.

• Steps E and F, will need to be created or modified depending of your current environment. If they do not exist, follow the links provided to configure them.

• Steps G and H are the actual configuration of VPN Connect.

Table 4. Configuration overview

Step G.1 - Create a CPE Object

In this task, you create the CPE object, which is a virtual representation of your CPE device (5). You will need to create one CPE object per CPE on your on-premises network. You will need to repeat these steps for each CPE you wish to connect with VPN Connect. Follow the steps below to complete this step:

1. Log into the Oracle Cloud Console and enter your login credentials.
2. Open the navigation menu. Under Core Infrastructure, go to Networking and click Customer-Premises Equipment.
2. Click Create Customer-Premises Equipment.
3. Enter the following values:
   • Create in Compartment: Leave as is (the VCN's compartment).
   • Name: A descriptive name for the CPE object. It doesn't have to be unique, and it cannot be changed at later time in the Console (but you can change it with the API). Avoid entering confidential information.
   • IP Address: The public IP address of the CPE device at your end of the VPN (see information on question 4 on Table 3).
   • Tags: Leave as is. You can add tags later if you want. For more information, see Resource Tags.
4. Click Create.

The CPE object is now created and displayed on the page. Next create the IPSec connection.

Step G.2 - Create an IPSec Connection

On the previous step you created a representation of your CPE. On this step you create the connection between the CPE Object and the DRG by creating an IPSec connection. This creates the IPSec tunnels (7 & 8) and specify the type of routing for each tunnel: BGP dynamic routing or static routing. There is section for each type of routing so make sure you follow the correct section. Follow the steps below to complete this step:

IPSec Connection Using BGP Routing

In this example, you configure both tunnels to use BGP dynamic routing.

1. Open the navigation menu. Under Core Infrastructure, go to Networking and click IPSec Connections.
2. Click Create IPSec Connection.
3. Enter the following values:
   • Create in Compartment: Leave as is (the VCN's compartment).
   • Name: Enter a descriptive name for the IPSec connection. It doesn't have to be unique, and you can change it later if you like. Avoid entering confidential information.
   • Customer-Premises Equipment Compartment: Leave as is (the VCN's compartment).
   • Customer-Premises Equipment: Select the CPE object that you created in the previous step.
   • Dynamic Routing Gateway Compartment: Leave as is (the VCN's compartment).
   • Dynamic Routing Gateway: Select the DRG attached to your VCN.
   • Static Route CIDR: Leave empty because this IPSec connection uses BGP dynamic routing. You configure the two tunnels to use BGP in subsequent steps.
4. Click Show Advanced Options.
5. On the CPE IKE Identifier tab (optional): Oracle defaults to using the public IP address of your CPE. But if your CPE is behind a NAT device section above, you might need to enter a different value (see information from question 5.1 on Table 3). You can either enter the new value now, or change the value later.
6. On the Tunnel 1 tab (required):
   • Name: Enter a descriptive name for the tunnel. It doesn't have to be unique, and you can change it later if you like. Avoid entering confidential information.
   • Provide custom shared secret (optional): By default, Oracle provides the shared secret for the tunnel. If you want to provide it instead, select this check box and enter the shared secret. The shared secret can be change later.
   • Routing Type: Select the radio button for BGP Dynamic Routing.
   • BGP ASN: Enter your network's ASN.
   • Inside Tunnel Interface - CPE: You need to provide a /30 or /31 subnet to address both ends of the BGP connection. Enter the first IP address of the subnet assigned for your CPE end of the tunnel. For example: 10.0.0.16/31. The IP address must be part of the IPSec VPN's encryption domain.
   • Inside Tunnel Interface - Oracle: Enter the second IP address of the subnet assigned for the Oracle end of the tunnel. For example: 10.0.0.17/31.
7. On the Tunnel 2 tab (required):
   • Name: Enter a descriptive name for the tunnel. It doesn't have to be unique, and you can change it later if you like. Avoid entering confidential information.
   • Provide custom shared secret (optional): By default, Oracle provides the shared secret for the tunnel. If you want to provide it instead, select this check box and enter the shared secret. The shared secret can be change later.
   • Routing Type: Select the radio button for BGP Dynamic Routing.
   • BGP ASN: Enter your network's ASN.
   • Inside Tunnel Interface - CPE: You need to provide a /30 or /31 subnet to address both ends of the BGP connection, this subnet is different than for tunnel 1. Enter the first IP address of the subnet assigned for your CPE end of the tunnel. For example: 10.0.0.18/31. The IP address must be part of the IPSec VPN's encryption domain.
   • Inside Tunnel Interface - Oracle: Enter the second IP address of the subnet assigned for the Oracle end of the tunnel. Use a different IP address than for tunnel 1. For example: 10.0.0.19/31.
8. On the Tags tab (optional): Leave as is. You can add tags later if you want. For more information, see Resource Tags.
9. Click Create IPSec Connection.

The IPSec connection is created and displayed on the page. It will be in the Provisioning state for a short period.

The displayed tunnel information includes:

• The Oracle VPN headend IP address for each tunnel.

• The tunnel's IPSec status (possible values are Up, Down, and Down for Maintenance) and BGP status. At this point, the status is Down.

10. To view the tunnel's shared secret, click the tunnel to view its details, and then click Show next to Shared Secret.
11. Copy the Oracle VPN IP address and shared secret for each of the tunnels to an email or other location so you can deliver it to the network engineer who will configure your CPE device.

You have now created all the components required for VPN Connect in the Oracle side. Next step is for your network engineer to configure your CPE device to complete the configuration before network traffic can flow between your on-premises network and VCN.

IPSec Connection Using Static Routing

1. Open the navigation menu. Under Core Infrastructure, go to Networking and click IPSec Connections.
2. Click Create IPSec Connection.
3. Enter the following values:
   • Create in Compartment: Leave as is (the VCN's compartment).
   • Name: Enter a descriptive name for the IPSec connection. It doesn't have to be unique, and you can change it later if you like. Avoid entering confidential information.
   • Customer-Premises Equipment Compartment: Leave as is (the VCN's compartment).
   • Customer-Premises Equipment: Select the CPE object that you created earlier.
   • Dynamic Routing Gateway Compartment: Leave as is (the VCN's compartment).
   • Dynamic Routing Gateway: Select the DRG that you created earlier.
   • Static Route CIDR: Enter at least one subnet for your on-premises network (see question 1 on Table 3). You can enter up to 10 subnets, and you can change the subnets later if you like.
4. Click Show Advanced Options.
5. On the CPE IKE Identifier tab (optional): Oracle defaults to using the public IP address of your CPE. But if your CPE is behind a NAT device, you might need to enter a different value (see information from question 5.1 on Table 3). You can either enter the new value now, or change the value later.
6. On the Tunnel 1 tab (optional):
   • Tunnel Name: Enter a descriptive name for the tunnel. It doesn't have to be unique, and you can change it later if you like. Avoid entering confidential information.
   • Provide custom shared secret (optional): By default, Oracle provides the shared secret for the tunnel. If you want to provide it instead, select this check box and enter the shared secret. You can change the shared secret later.
   • Routing Type: Leave the radio button for Static Routing selected.
   • Inside Tunnel Interface – CPE (optional): You can provide a /30 or /31 subnet for the purposes of tunnel troubleshooting or monitoring. Enter the first IP address of the subnet assigned for your CPE end of the tunnel. For example: 10.0.0.16/31. The IP address must be part of the IPSec VPN's encryption domain.
   • Inside Tunnel Interface – Oracle (optional): Enter the second IP address of the subnet assigned for the Oracle end of the tunnel. For example: 10.0.0.17/31.
7. On the Tunnel 2 tab (optional):
   • Tunnel Name: Enter a descriptive name for the tunnel. It doesn't have to be unique, and you can change it later if you like. Avoid entering confidential information.
   • Provide custom shared secret (optional): By default, Oracle provides the shared secret for the tunnel. If you want to provide it instead, select this check box and enter the shared secret. You can change the shared secret later.
   • Routing Type: Leave the radio button for Static Routing selected.
   • Inside Tunnel Interface – CPE (optional): You can to provide a /30 or /31 subnet for the purposes of tunnel troubleshooting or monitoring, this subnet is different than for tunnel 1. Enter the first IP address of the subnet assigned for your CPE end of the tunnel. For example: 10.0.0.18/31. The IP address must be part of the IPSec VPN's encryption domain.
   • Inside Tunnel Interface - Oracle(optional): Enter the second IP address of the subnet assigned for the Oracle end of the tunnel. Use a different IP address than for tunnel 1. For example: 10.0.0.19/31.
8. Tags: Leave as is. You can add tags later if you want. For more information, see Resource Tags.
9. Click Create IPSec Connection.

The IPSec connection is created and displayed on the page. It will be in the Provisioning state for a short period.

The displayed tunnel information includes:

• The Oracle VPN headend IP address for each tunnel.

• The tunnel's IPSec status (possible values are Up, Down, and Down for Maintenance). At this point, the status is Down.

10. To view the tunnel's shared secret, click the tunnel to view its details, and then click Show next to Shared Secret.
11. Copy the Oracle VPN IP address and shared secret for each of the tunnels to an email or other location so you can deliver it to the network engineer who will configure the CPE device.

You have now created all the components required for VPN Connect in the Oracle side. Next step is for your network engineer to configure your CPE device to complete the configuration before network traffic can flow between your on-premises network and your VCN.

Step H - Configure you CPE Device

This section is performed by your network engineer. It explains how to configure your on-premises device (the customer-premises equipment, or CPE) at your end of the VPN Connect connection so traffic can flow between your on-premises network and the virtual cloud network (VCN). Below you will find some things to consider and will point to our public documentation where you can find more specific information about your CPE device model.

Information About Your CPE Device

You need some basic information like IP address about the outside interfaces of your on-premises device (your CPE). Refer to the information gather on Table 3 question 4. This is the IP address used to configured the IPSec tunnel. Typically, it is a public IP address if the CPE is not sitting behind a NAT device.

If your CPE is behind a NAT device, you can provide Oracle with the private IP address of your CPE which will be used as the CPE's IKE identifier. For more information, see Your CPE Is Behind a NAT Device section above.

Oracle recommends that you disable NAT-Traversal (NAT-T) at your CPE when establishing IPSec tunnels with Oracle Cloud Infrastructure. Unless you have multiple CPEs sharing the same NAT IP, NAT-T is not required.

Configuring your CPE

To complete the configuration for VPN Connect, your network engineer needs to configure your CPE. Please provide him/her with the following information:

Table 5. Required information to configure CPE

IMPORTANT: Be sure to have your network engineer configure your CPE device to support both of the tunnels in case one fails or Oracle takes one down for maintenance. Cisco ASA policy-based configuration uses a single tunnel.

Step I - Validate Connectivity

After the network engineer configures your CPE device, you need to verify the configuration and making sure the two tunnels are up, they are passing traffic and there is communication end to end.

For the tunnels to come up, generally you need to send interesting traffic through the tunnel. Interesting traffic usually refers to traffic that is part of the encryption domain for the IPSec tunnel. You will need a compute instance within your VCN to respond to a request from your premises network. If you do not have one see Creating an Instance. Once the instance is in place initiate a ping from your on-premises network to the instance within the VCN.

If everything was configured properly you should see the following results:

1)     Your network engineer confirms the two tunnels are up from your CPE device

2)     From the Oracle console you can verify the tunnels status is green

3)     You see response to the ping test.

This is a basic test which will proof your tunnel configuration is good, routing at both ends is working, and any security list is open for this traffic.

If you encounter problems then you need to start troubleshooting the following areas:

• The IPSec VPN – Make sure the shared secret, IP addresses for the VPN end points is accurate, the IPSec parameters match, and a single encryption domain is configured.

• Check routing on both sides of the tunnel, check the routing tables for the VCN’s subnets are pointing to the DRG. Check the IPSec Connection is configured properly for dynamic or static routing. Check the routing on your on-premises network and CPE.

• Check security lists to make sure you are allowing ping for the initial test and for the traffic flow required between your on-premises network and your VCN.

• For additional troubleshooting tips see VPN Connect Troubleshooting.

Best Practices

For additional information see IPSec VPN Best Practices white paper. Also consider these quick points.

• Configure all tunnels for every VPN Connect: Oracle deploys two IPSec headends for all your connections to provide high availability for your mission-critical workloads. (Exception: Cisco ASA policy-based configuration, which uses a single tunnel.)

• Have redundant CPEs in your on-premises locations: Each of your sites that connects with VPN Connect to Oracle Cloud Infrastructure should have redundant CPE devices. You add each CPE to the Oracle Console and create a separate IPSec connection between your DRG and each CPE. For each IPSec connection, Oracle provisions two tunnels on geographically redundant IPSec headends.

• Note that the DRG routes learned from the IPSec connections are only used by traffic you route from your VCN to your DRG. If you advertise the default route as a less specific route over VPN Connect, the default route will only be used by traffic sent to your DRG whose destination IP address does not match the more specific routes of any of your tunnels.

Redundancy

For redundancy use cases using VPN Connect see Connectivity Redundancy Guide white paper.

Reference

For more information about the different products referenced in this document use the links in Table 1.

Table 6. Additional resources

Review:

• VPN Connect - Simple Implementation - Part 1/2