Access to Other Clouds with Libreswan

Libreswan is an open source IPSec implementation that is based on FreeS/WAN and Openswan. Most Linux distributions include Libreswan or make it easy to install. You can install it on hosts in either your on-premises network or a cloud provider network. This topic shows how to connect your Oracle Cloud Infrastructure virtual cloud network (VCN) with another cloud provider by using an IPSec VPN with a Libreswan VM as the customer-premises equipment (CPE).

In the example shown here, the other cloud provider is Amazon Web Services (AWS). The connection is a secure and encrypted site-to-site IPSec VPN between the Oracle and Amazon environments. It enables resources in the two clouds to communicate with each other using their private IP addresses as if they are in the same network segment.

A Libreswan CPE guide is also available for all other use cases.

Virtual tunnel interface (VTI) support for this route-based configuration requires minimum Libreswan version 3.18 and a recent Linux 3.x or 4.x kernel. This configuration was validated using Libreswan version 3.29.


The following diagram shows the general layout of the connection.

This image shows the general layout of two clouds connected with an IPSec VPN and Libreswan CPE.

Supported IPSec Parameters

For a vendor-neutral list of supported IPSec parameters for all regions, see Supported IPSec Parameters.

The Oracle BGP ASN for the commercial cloud is 31898. If you're configuring VPN Connect for the Government Cloud, see Required VPN Connect Parameters for Government Cloud and also Oracle's BGP ASN.



The configuration instructions in this section are provided by Oracle Cloud Infrastructure for Libreswan. If you need support or further assistance, consult the Libreswan documentation.

Libreswan supports both route-based and policy-based tunnels. The tunnel types can coexist without interfering with each other. The Oracle VPN headends use route-based tunnels. Oracle recommends that you configure Libreswan with the Virtual Tunnel Interface (VTI) configuration syntax.

Refer to Supported IPSec Parameters for more details about the specific parameters used in this document.

Default Libreswan Configuration Files

The default Libreswan installation creates the following files:

  • etc/ipsec.conf: The root of the Libreswan configuration.
  • /etc/ipsec.secrets: The root of the location where Libreswan looks for secrets (the tunnel pre-shared keys).
  • /etc/ipsec.d/: A directory for storing the .conf and .secrets files for your Oracle Cloud Infrastructure tunnels (for example: oci-ipsec.conf and oci-ipsec.secrets). Libreswan encourages you to create these files in this folder.

The default etc/ipsec.conf file includes this line:

include /etc/ipsec.d/*.conf

The default etc/ipsec.secrets file includes this line:

include /etc/ipsec.d/*.secrets

The preceding lines automatically merge all the.conf and .secrets files in the /etc/ipsec.d directory into the main configuration and secrets files that Libreswan uses.

About Using IKEv2

Oracle supports Internet Key Exchange version 1 (IKEv1) and version 2 (IKEv2). If you configure the IPSec connection in the Console to use IKEv2, you must configure your CPE to use only IKEv2 and related IKEv2 encryption parameters that your CPE supports. For a list of parameters that Oracle supports for IKEv1 or IKEv2, see Supported IPSec Parameters.

You specify the IKE version when setting up the IPSec configuration file in task 4 in the next section. In that example file, there's a comment showing how to configure IKEv1 versus IKEv2.

Configuration Process

Task 1: Prepare the AWS Libreswan instance
Task 2: Configure the Oracle Cloud Infrastructure DRG and CPE object
Task 3: Determine the required configuration values
Task 4: Set up the configuration file: /etc/ipsec.d/oci-ipsec.conf
Task 5: Set up the secrets file: /etc/ipsec.d/oci-ipsec.secrets
Task 6: Restart the Libreswan configuration
Task 7: Configure IP routing


A Monitoring service is also available from Oracle Cloud Infrastructure to actively and passively monitor your cloud resources. For information about monitoring your VPN Connect, see VPN Connect Metrics.

If you have issues, see VPN Connect Troubleshooting.

Checking the Libreswan Status

Check the current state of your Libreswan tunnels by using the following command:

ipsec status

The tunnel is established if you see a line that includes the following:

STATE_MAIN_I4: ISAKMP SA established

If you're using IKEv2, you see the following:

STATE_V2_IPSEC_I (IPsec SA established)

In the future, if you need to open a support ticket with Oracle about your Libreswan tunnel, include the output of the preceding ipsec status command.

Checking the Tunnel Interface Status

Check if the virtual tunnel interfaces are up or down by using the ifconfig command or the ip link show command. You can also use applications such as tcpdump with the interfaces.

Here's an example of the ifconfig output with a working Libreswan implementation that shows the available VTIs.

<output trimmed>
vti01: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 8980
     inet6 2001:db8::1 prefixlen 64 scopeid 0x20<link>
     tunnel txqueuelen 1000 (IPIP Tunnel)
     RX packets 0 bytes 0 (0.0 B)
     RX errors 0 dropped 0 overruns 0 frame 0
     TX packets 0 bytes 0 (0.0 B)
     TX errors 10 dropped 0 overruns 0 carrier 10 collisions 0
vti02: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 8980
     inet6 2001:db8::2 prefixlen 64 scopeid 0x20<link>
     tunnel txqueuelen 1000 (IPIP Tunnel)
     RX packets 0 bytes 0 (0.0 B)
     RX errors 0 dropped 0 overruns 0 frame 0
     TX packets 0 bytes 0 (0.0 B)
     TX errors 40 dropped 0 overruns 0 carrier 40 collisions 0

Here's an example of the ip link show output:

ip link show
<output trimmed>
9: vti01@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8980 qdisc noqueue
state UNKNOWN mode DEFAULT group default qlen 1000
   link/ipip peer
10: vti02@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8980 qdisc noqueue
state UNKNOWN mode DEFAULT group default qlen 1000
   link/ipip peer

Also, in the Oracle Console, each IPSec tunnel should now be in the UP state.