X

Best Practices from Oracle Development's A‑Team

VPN Connect - Simple Implementation - Part 2/2

Javier Ramirez
Senior Network Architect

Before You Get Started

It is very important that you align network resources within your organization to perform the work and also that you gather the required information in order to complete VPN Connect configuration without any problems. Table 3 provides you a list of the information you will require.

Table 3. Required information before you start

 

Question

Answer

1

What is your VCN's subnet allocation?

 

2

What is the model of your CPE device?

 

3

What is the software version of your CPE device?

 

4

What is the public IP address of your CPE device? If you have multiple devices for redundancy, get the IP address for each device.

 

5

Is your CPE device behind a NAT device?

(Y/N)

5.1

If yes what is the private IP address of your CPE device(s)? Please note that in question 4 you need to provide the public IP address.

 

6

Will you be doing port address translation (PAT) between CPE device and your VCN?

(Y/N)

7

What type of routing do you plan to use?

Static or BGP

8

If using BGP dynamic routing, what are the BGP session subnets (/31) to use for each tunnel? - The subnets must be part of the encryption domain.

Tunnel 1 subnet:

Tunnel 2 subnet:

8.1

What is the ASN # of your network?

 

9

If using static routing, what are the subnets for your on-premises network?

 

10

Do you want to provide each tunnel's shared secret or let Oracle assign them?

(Own or Oracle)

 

Draw a diagram of your network layout using Figure 6 and 7 as an example. Think about which parts of your on-premises network need to communicate with your VCN, and the reverse. Map out the routing and security lists that you need for your VCN. You can use the attached sample diagram for your reference.

Figure 6. Sample diagram

Figure 7. Sample diagram behind NAT device

Sample Diagrams

Implementation

The majority of VPN Connect configuration is done from the Oracle Console or via API. We strongly recommend these tasks to be performed by your network team because of the knowledge they have about your network.

IMPORTANT: Keep in mind that whoever is configuring VPN Connect from the Oracle Console, must have the required permission to create and manage the cloud network components. Please check with your Cloud administrator to have the required permissions. For information about access to your cloud network components, see Access Control.

Also consider reading the topics below so you will be familiar with the following concepts and definitions:

When configuring the different components, you can optionally assign a descriptive name to each of them. These names don't have to be unique, although it's a best practice to use unique names across your tenancy. Oracle automatically assigns each component an identification number called Oracle Cloud ID (OCID). For more information, see Resource Identifiers. The OCID is very important when requesting support.

WARNING: Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

Configuration Overview

Here is the overall process for setting up VPN Connect.

  • Steps A through D, are prerequisites for VPN Connect and this guide assumes you already have them in place. If not follow the links provided to configure them.

  • Steps E and F, will need to be created or modified depending of your current environment. If they do not exist, follow the links provided to configure them.

  • Steps G and H are the actual configuration of VPN Connect.

Table 4. Configuration overview

Step

Description

Component

A

Create your VCN. This is the core component for your cloud deployment. It has to be designed carefully based on your requirements. For more information and how to deploy see VCNs and Subnets.

B

Create a DRG. This is a required component to deploy VPN Connect. The DRG will allow your VCN to talk to your on-premises network. For more information and how to deploy see Dynamic Routing Gateways.

C

Attach the DRG to your VCN. This is a very important step as without attaching the DRG to your VCN traffic will not flow to your on-premises network. See Dynamic Routing Gateways under the Using the Console section for instructions how to attach it.

 

D

Create subnets in the VCN. In this step you can identify what subnets will need to talk to your on-premises network or define them. If the Subnets are already created, note the route table and security list associated with them as in the next steps you will need to modify them. For more details about Subnets see VCNs and Subnets.

E

Create/modify a route table and add route rule. This is required to tell the subnets within your VCN how to connect to your on-premises network. You can create a new one or use an existing route table. The route rule you need to add will specify your on-premises subnets as the destination and will point to the DRG as the target type. See Route Tables for more information and how to configure it.

F

Create/modify a security list and add/update rules. This is required to allow the subnets within your VCN to talk to your on-premises network. The rules are based on the application flows required. You can create a new one or use an existing security list. See Security Lists for more information and how to configure it.

G

Create VPN Connect – Step by Step instructions are in the next section.

1.     Create a CPE object.

2.     Create an IPSec connection

Subcomponents of

H

Configure your CPE device: Your network engineer must configure your CPE device with information that Oracle provides during the previous steps. There is general information about the VCN, and specific information for each IPSec tunnel. This is the only part of the setup that you can't execute by using the Oracle Console or API. Without this configuration, traffic will not flow between your VCN and on-premises network. Refer to the section below for more details.

I

Validate connectivity - Refer to the section below for more details.

 

 

Step G.1 - Create a CPE Object

In this task, you create the CPE object, which is a virtual representation of your CPE device (5). You will need to create one CPE object per CPE on your on-premises network. You will need to repeat these steps for each CPE you wish to connect with VPN Connect. Follow the steps below to complete this step:

  1. Log into the Oracle Cloud Console and enter your login credentials.
  2. Open the navigation menu. Under Core Infrastructure, go to Networking and click Customer-Premises Equipment.
  3. Click Create Customer-Premises Equipment.
  4. Enter the following values:
    • Create in Compartment: Leave as is (the VCN's compartment).
    • Name: A descriptive name for the CPE object. It doesn't have to be unique, and it cannot be changed at later time in the Console (but you can change it with the API). Avoid entering confidential information.
    • IP Address: The public IP address of the CPE device at your end of the VPN (see information on question 4 on Table 3).
    • Tags: Leave as is. You can add tags later if you want. For more information, see Resource Tags.
  5. Click Create.

The CPE object is now created and displayed on the page. Next create the IPSec connection.

Step G.2 - Create an IPSec Connection

On the previous step you created a representation of your CPE. On this step you create the connection between the CPE Object and the DRG by creating an IPSec connection. This creates the IPSec tunnels (7 & 8) and specify the type of routing for each tunnel: BGP dynamic routing or static routing. There is section for each type of routing so make sure you follow the correct section. Follow the steps below to complete this step:

IPSec Connection Using BGP Routing

In this example, you configure both tunnels to use BGP dynamic routing.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click IPSec Connections.
  2. Click Create IPSec Connection.
  3. Enter the following values:
    • Create in Compartment: Leave as is (the VCN's compartment).
    • Name: Enter a descriptive name for the IPSec connection. It doesn't have to be unique, and you can change it later if you like. Avoid entering confidential information.
    • Customer-Premises Equipment Compartment: Leave as is (the VCN's compartment).
    • Customer-Premises Equipment: Select the CPE object that you created in the previous step.
    • Dynamic Routing Gateway Compartment: Leave as is (the VCN's compartment).
    • Dynamic Routing Gateway: Select the DRG attached to your VCN.
    • Static Route CIDR: Leave empty because this IPSec connection uses BGP dynamic routing. You configure the two tunnels to use BGP in subsequent steps.
  4. Click Show Advanced Options.
  5. On the CPE IKE Identifier tab (optional): Oracle defaults to using the public IP address of your CPE. But if your CPE is behind a NAT device section above, you might need to enter a different value (see information from question 5.1 on Table 3). You can either enter the new value now, or change the value later.
  6. On the Tunnel 1 tab (required):
    • Name: Enter a descriptive name for the tunnel. It doesn't have to be unique, and you can change it later if you like. Avoid entering confidential information.
    • Provide custom shared secret (optional): By default, Oracle provides the shared secret for the tunnel. If you want to provide it instead, select this check box and enter the shared secret. The shared secret can be change later.
    • Routing Type: Select the radio button for BGP Dynamic Routing.
    • BGP ASN: Enter your network's ASN.
    • Inside Tunnel Interface - CPE: You need to provide a /30 or /31 subnet to address both ends of the BGP connection. Enter the first IP address of the subnet assigned for your CPE end of the tunnel. For example: 10.0.0.16/31. The IP address must be part of the IPSec VPN's encryption domain.
    • Inside Tunnel Interface - Oracle: Enter the second IP address of the subnet assigned for the Oracle end of the tunnel. For example: 10.0.0.17/31.
  7. On the Tunnel 2 tab (required):
    • Name: Enter a descriptive name for the tunnel. It doesn't have to be unique, and you can change it later if you like. Avoid entering confidential information.
    • Provide custom shared secret (optional): By default, Oracle provides the shared secret for the tunnel. If you want to provide it instead, select this check box and enter the shared secret. The shared secret can be change later.
    • Routing Type: Select the radio button for BGP Dynamic Routing.
    • BGP ASN: Enter your network's ASN.
    • Inside Tunnel Interface - CPE: You need to provide a /30 or /31 subnet to address both ends of the BGP connection, this subnet is different than for tunnel 1. Enter the first IP address of the subnet assigned for your CPE end of the tunnel. For example: 10.0.0.18/31. The IP address must be part of the IPSec VPN's encryption domain.
    • Inside Tunnel Interface - Oracle: Enter the second IP address of the subnet assigned for the Oracle end of the tunnel. Use a different IP address than for tunnel 1. For example: 10.0.0.19/31.
  8. On the Tags tab (optional): Leave as is. You can add tags later if you want. For more information, see Resource Tags.
  9. Click Create IPSec Connection.

The IPSec connection is created and displayed on the page. It will be in the Provisioning state for a short period.

The displayed tunnel information includes:

  • The Oracle VPN headend IP address for each tunnel.

  • The tunnel's IPSec status (possible values are Up, Down, and Down for Maintenance) and BGP status. At this point, the status is Down.

  1. To view the tunnel's shared secret, click the tunnel to view its details, and then click Show next to Shared Secret.
  2. Copy the Oracle VPN IP address and shared secret for each of the tunnels to an email or other location so you can deliver it to the network engineer who will configure your CPE device.

You have now created all the components required for VPN Connect in the Oracle side. Next step is for your network engineer to configure your CPE device to complete the configuration before network traffic can flow between your on-premises network and VCN.

IPSec Connection Using Static Routing

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click IPSec Connections.
  2. Click Create IPSec Connection.
  3. Enter the following values:
    • Create in Compartment: Leave as is (the VCN's compartment).
    • Name: Enter a descriptive name for the IPSec connection. It doesn't have to be unique, and you can change it later if you like. Avoid entering confidential information.
    • Customer-Premises Equipment Compartment: Leave as is (the VCN's compartment).
    • Customer-Premises Equipment: Select the CPE object that you created earlier.
    • Dynamic Routing Gateway Compartment: Leave as is (the VCN's compartment).
    • Dynamic Routing Gateway: Select the DRG that you created earlier.
    • Static Route CIDR: Enter at least one subnet for your on-premises network (see question 1 on Table 3). You can enter up to 10 subnets, and you can change the subnets later if you like.
  4. Click Show Advanced Options.
  5. On the CPE IKE Identifier tab (optional): Oracle defaults to using the public IP address of your CPE. But if your CPE is behind a NAT device, you might need to enter a different value (see information from question 5.1 on Table 3). You can either enter the new value now, or change the value later.
  6. On the Tunnel 1 tab (optional):
    • Tunnel Name: Enter a descriptive name for the tunnel. It doesn't have to be unique, and you can change it later if you like. Avoid entering confidential information.
    • Provide custom shared secret (optional): By default, Oracle provides the shared secret for the tunnel. If you want to provide it instead, select this check box and enter the shared secret. You can change the shared secret later.
    • Routing Type: Leave the radio button for Static Routing selected.
    • Inside Tunnel Interface – CPE (optional): You can provide a /30 or /31 subnet for the purposes of tunnel troubleshooting or monitoring. Enter the first IP address of the subnet assigned for your CPE end of the tunnel. For example: 10.0.0.16/31. The IP address must be part of the IPSec VPN's encryption domain.
    • Inside Tunnel Interface – Oracle (optional): Enter the second IP address of the subnet assigned for the Oracle end of the tunnel. For example: 10.0.0.17/31.
  7. On the Tunnel 2 tab (optional):
    • Tunnel Name: Enter a descriptive name for the tunnel. It doesn't have to be unique, and you can change it later if you like. Avoid entering confidential information.
    • Provide custom shared secret (optional): By default, Oracle provides the shared secret for the tunnel. If you want to provide it instead, select this check box and enter the shared secret. You can change the shared secret later.
    • Routing Type: Leave the radio button for Static Routing selected.
    • Inside Tunnel Interface – CPE (optional): You can to provide a /30 or /31 subnet for the purposes of tunnel troubleshooting or monitoring, this subnet is different than for tunnel 1. Enter the first IP address of the subnet assigned for your CPE end of the tunnel. For example: 10.0.0.18/31. The IP address must be part of the IPSec VPN's encryption domain.
    • Inside Tunnel Interface - Oracle(optional): Enter the second IP address of the subnet assigned for the Oracle end of the tunnel. Use a different IP address than for tunnel 1. For example: 10.0.0.19/31.
  8. Tags: Leave as is. You can add tags later if you want. For more information, see Resource Tags.
  9. Click Create IPSec Connection.

The IPSec connection is created and displayed on the page. It will be in the Provisioning state for a short period.

The displayed tunnel information includes:

  • The Oracle VPN headend IP address for each tunnel.

  • The tunnel's IPSec status (possible values are Up, Down, and Down for Maintenance). At this point, the status is Down.

  1. To view the tunnel's shared secret, click the tunnel to view its details, and then click Show next to Shared Secret.
  2. Copy the Oracle VPN IP address and shared secret for each of the tunnels to an email or other location so you can deliver it to the network engineer who will configure the CPE device.

You have now created all the components required for VPN Connect in the Oracle side. Next step is for your network engineer to configure your CPE device to complete the configuration before network traffic can flow between your on-premises network and your VCN.

Step H - Configure you CPE Device

This section is performed by your network engineer. It explains how to configure your on-premises device (the customer-premises equipment, or CPE) at your end of the VPN Connect connection so traffic can flow between your on-premises network and the virtual cloud network (VCN). Bellow you will find some things to consider and will point to our public documentation where you can find more specific information about your CPE device model.

Information About Your CPE Device

You need some basic information like IP address about the outside interfaces of your on-premises device (your CPE). Refer to the information gather on Table 3 question 4. This is the IP address used to configured the IPSec tunnel. Typically, it is a public IP address if the CPE is not sitting behind a NAT device.

If your CPE is behind a NAT device, you can provide Oracle with the private IP address of your CPE which will be used as the CPE's IKE identifier. For more information, see Your CPE Is Behind a NAT Device section above.

Oracle recommends that you disable NAT-Traversal (NAT-T) at your CPE when establishing IPSec tunnels with Oracle Cloud Infrastructure. Unless you have multiple CPEs sharing the same NAT IP, NAT-T is not required.

Configuring your CPE

To complete the configuration for VPN Connect, your network engineer needs to configure your CPE. Please provide him/her with the following information:

Table 5. Required information to configure CPE

Description

Value

Tunnel Name: A short name to identify this connection.

For example, OCI-Dev

The Oracle VPN headends IP address for each tunnel (from item 9 under step G.2 - Create an IPSec Connection).

Tunnel 1 headend IP address

Tunnel 2 headend IP address

The shared secret for each tunnel (from item 10 under step G.2 - Create an IPSec Connection).

Tunnel 1 shared secret

Tunnel 2 shared secret

If using BGP: the Inside Tunnel Interface – Oracle for both tunnels (Items 6 and 7 under step G.2 – Create an IPSec Connection). Also provide Oracle ASN 31898.

Oracle inside tunnel 1 interface

Oracle inside tunnel 2 insterface

If using static: the VCN's subnet and subnet mask. From Table 3 question 1.

 

The general IPSec parameters supported by Oracle. Any parameter not specified in Table 1 is not supported. Please make sure when you configure your device you use supported parameters otherwise the tunnel will not be established between your CPE and the Oracle DRG.

 

Single encryption domain

Single sumarized (supernet) customer network or default route and VCN’s subnet or default route.

Oracle has verified some devices and software for use with Oracle Cloud Infrastructure VPN Connect. See information on questions 2 and 3 from Table 3 and compare to the Verified CPE Devices table. This page also provides the full configuration for that particular device model. If your CPE device is not on this list, refer to the Generic CPE Configuration Information.

 

IMPORTANT: Be sure to have your network engineer configure your CPE device to support both of the tunnels in case one fails or Oracle takes one down for maintenance. Cisco ASA policy-based configuration uses a single tunnel.

Step I - Validate Connectivity

After the network engineer configures your CPE device, you need to verify the configuration and making sure the two tunnels are up, they are passing traffic and there is communication end to end.

For the tunnels to come up, generally you need to send interesting traffic through the tunnel. Interesting traffic usually refers to traffic that is part of the encryption domain for the IPSec tunnel. You will need a compute instance within your VCN to respond to a request from your premises network. If you do not have one see Creating an Instance. Once the instance is in place initiate a ping from your on-premises network to the instance within the VCN.

If everything was configured properly you should see the following results:

1)     Your network engineer confirms the two tunnels are up from your CPE device

2)     From the Oracle console you can verify the tunnels status is green

3)     You see response to the ping test.

This is a basic test which will proof your tunnel configuration is good, routing at both ends is working, and any security list is open for this traffic.

If you encounter problems then you need to start troubleshooting the following areas:

  • The IPSec VPN – Make sure the shared secret, IP addresses for the VPN end points is accurate, the IPSec parameters match, and a single encryption domain is configured.

  • Check routing on both sides of the tunnel, check the routing tables for the VCN’s subnets are pointing to the DRG. Check the IPSec Connection is configured properly for dynamic or static routing. Check the routing on your on-premises network and CPE.

  • Check security lists to make sure you are allowing ping for the initial test and for the traffic flow required between your on-premises network and your VCN.

  • For additional troubleshooting tips see VPN Connect Troubleshooting.

Best Practices

For additional information see IPSec VPN Best Practices white paper. Also consider these quick points.

  • Configure all tunnels for every VPN Connect: Oracle deploys two IPSec headends for all your connections to provide high availability for your mission-critical workloads. (Exception: Cisco ASA policy-based configuration, which uses a single tunnel.)

  • Have redundant CPEs in your on-premises locations: Each of your sites that connects with VPN Connect to Oracle Cloud Infrastructure should have redundant CPE devices. You add each CPE to the Oracle Console and create a separate IPSec connection between your DRG and each CPE. For each IPSec connection, Oracle provisions two tunnels on geographically redundant IPSec headends.

  • Note that the DRG routes learned from the IPSec connections are only used by traffic you route from your VCN to your DRG. If you advertise the default route as a less specific route over VPN Connect, the default route will only be used by traffic sent to your DRG whose destination IP address does not match the more specific routes of any of your tunnels.

Redundancy

For redundancy use cases using VPN Connect see Connectivity Redundancy Guide white paper.

Reference

For more information about the different products referenced in this document use the links in Table 1.

Table 6. Additional resources

Product

Reference

VPN Connect

https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingIPsec.htm

VCN

https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingVCNs.htm

DRG

https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingDRGs.htm

IPSec VPN Best Practices

http://cloud-sites.oracle.com/iaas/whitepapers/ipsec_vpn_best_practices.pdf

Connectivity Redundancy Guide

http://cloud-sites.oracle.com/iaas/whitepapers/connectivity_redundancy_guide.pdf

FastConnect

https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/fastconnect.htm

 

Review:

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha