VPN Connect Quickstart

The VPN Connect workflow is the quickest way to set up a site-to-site VPN between your on-premises network and your virtual cloud network (VCN). The workflow is a guided, step-by-step process in the Console that sets up the VPN plus related Networking service components.

Other secure VPN solutions include OpenVPN, a Client VPN solution that can be accessed in the Oracle Marketplace. OpenVPN connects individual devices to your VCN, but not whole sites or networks.

Purpose of the Workflow

VPN Connect involves setting up and configuring several Networking service components. The workflow sets up those components for you. In general, the workflow does the following:

  • Uses a template with assumptions that will help you get started.
  • Asks you for some basic network information.
  • Sets up the Networking service components for you.
  • Lets you generate configuration content for a network engineer to use when configuring your customer-premises equipment (CPE) device.

The workflow is a task within the overall process of setting up VPN Connect, which is illustrated in the following diagram. The workflow is the shaded box.

This image shows a flow diagram of the overall VPN Connect setup process.

Notice that the overall process includes work by a network engineer in your organization. That engineer provides information that you, in turn, must supply during the workflow. The workflow returns information that the network engineer needs when configuring your CPE device. You can use the CPE Configuration Helper to consolidate the necessary information into an organized template for the network engineer.

The following short sections summarize each task.

Task 1: Information to get from your network engineer
Tip: To make it easier to gather the following information, here is a PDF version of the list, which you can print.

  • CPE device's public IP address.
  • If the CPE is behind a NAT device, get the CPE IKE identifier. For more information, see Overview of the IPSec VPN Components.
  • On-premises network routes.
  • If you use BGP dynamic routing with the VPN:
    • Your network's BGP ASN
    • For each of the two IPSec tunnels that will be created, the pair of BGP IP addresses (with subnet mask) that you want to use for the inside tunnel interfaces at the ends of each tunnel. For example:
      • Tunnel 1: Inside tunnel interface - CPE: 10.0.0.8/31
      • Tunnel 1: Inside tunnel interface - Oracle: 10.0.0.9/31
      • Tunnel 2: Inside tunnel interface - CPE: 10.0.0.16/31
      • Tunnel 2: Inside tunnel interface - Oracle: 10.0.0.17/31
  • If you don't already have a VCN: The CIDR to use for the new VCN that will be created. For the workflow, the allowed VCN size is /16 to /24. The CIDR must not overlap with your on-premises network.
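Before starting the workflow, it is worth checking the gathered values against the constraints this list states: a new VCN must be /16 to /24 and must not overlap the on-premises routes, and each tunnel's BGP inside addresses are a CPE/Oracle pair within one /31. The following is an added example (not part of the Oracle documentation); the sample CPE address and on-premises routes are constructed, while the BGP addresses are the ones shown in the list above.

```python
# Added example (not from the Oracle documentation): preflight checks on the
# information gathered in Task 1, using only the constraints the page states.
from ipaddress import ip_address, ip_interface, ip_network

def check_vcn_cidr(vcn_cidr, onprem_routes):
    """New VCN must be /16 to /24 and must not overlap any on-premises route."""
    problems = []
    vcn = ip_network(vcn_cidr, strict=True)
    if not 16 <= vcn.prefixlen <= 24:
        problems.append(f"VCN {vcn} is /{vcn.prefixlen}; the workflow allows /16 to /24")
    for route in map(ip_network, onprem_routes):
        if vcn.overlaps(route):
            problems.append(f"VCN {vcn} overlaps on-premises route {route}")
    return problems

def check_bgp_pair(label, cpe, oracle):
    """A tunnel's inside interfaces are a CPE/Oracle pair of hosts in one /31."""
    problems = []
    c, o = ip_interface(cpe), ip_interface(oracle)
    for side, iface in (("CPE", c), ("Oracle", o)):
        if iface.network.prefixlen != 31:
            problems.append(f"{label} {side} address {iface} is not a /31")
    if c.network != o.network:
        problems.append(f"{label}: {c} and {o} are not in the same /31")
    elif c.ip == o.ip:
        problems.append(f"{label}: CPE and Oracle addresses are identical")
    return problems

def preflight(info):
    """Return a list of problems; an empty list means the inputs are consistent."""
    problems = []
    ip_address(info["cpe_public_ip"])  # must parse; raises ValueError otherwise
    if info.get("new_vcn_cidr"):
        problems += check_vcn_cidr(info["new_vcn_cidr"], info["onprem_routes"])
    if info.get("bgp"):
        for label, (cpe, oracle) in info["bgp"]["tunnels"].items():
            problems += check_bgp_pair(label, cpe, oracle)
    return problems

# Constructed sample input; the BGP addresses are the page's own example values.
SAMPLE = {
    "cpe_public_ip": "203.0.113.10",  # constructed (documentation range)
    "onprem_routes": ["192.168.0.0/16", "172.16.5.0/24"],
    "new_vcn_cidr": "10.1.0.0/16",
    "bgp": {"asn": 65000, "tunnels": {
        "Tunnel 1": ("10.0.0.8/31", "10.0.0.9/31"),
        "Tunnel 2": ("10.0.0.16/31", "10.0.0.17/31")}},
}
```

`preflight(SAMPLE)` returns an empty list for the sample above; a VCN of /8, an overlap with an on-premises route, or a tunnel pair that does not share one /31 each produce a descriptive entry instead.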

Task 2: Workflow

You walk through the workflow in the Console. For more information, see these sections:

Task 3: Information to give to your network engineer

You use the CPE Configuration Helper to generate configuration content that your network engineer can use to configure the CPE.

The content includes these items:

  • For each IPSec tunnel, the Oracle VPN IP address and shared secret.
  • The supported IPSec parameter values.
  • Information about the VCN.
  • CPE-specific configuration information.

Task 4: CPE configuration

Your network engineer takes the information you provide and configures your CPE device.

Task 5: Testing

You and the network engineer test the connection and confirm that traffic is flowing.

Alternative to the Workflow

If you prefer, you can manually set up VPN Connect yourself. For step-by-step instructions, see Setting Up VPN Connect.

What the Workflow Creates for You

Most Oracle customers who set up a VPN Connect already have a VCN to connect to their on-premises network. In that case, the workflow creates the numbered components in the following diagram. The table describes each component.

This image shows the Networking service components that are created for you.

For each numbered component: what it is, and whether you can use an existing one or the workflow creates a new one.

  1. CPE
     Description: A CPE is a virtual representation of your actual CPE device. This virtual representation contains basic information such as the CPE device's public IP address.
     Use existing or create new? Yes, you can either use an existing CPE or the workflow creates a new one.

  2. Dynamic routing gateway (DRG)
     Description: A DRG is a virtual representation of the actual router at the Oracle end of your VPN Connect.
     Use existing or create new? Yes. If you use an existing one, it must not already be attached to a VCN.

  3. VPN Connect IPSec tunnels
     Description: The workflow creates two IPSec tunnels, each with specific configuration information that you must provide to your network engineer.
     Note: The workflow uses IKEv1 for the tunnels. If you want to use IKEv2 instead, after creating the IPSec connection, edit each tunnel in the Oracle Console to use IKEv2. Then configure your CPE to use only IKEv2 and related IKEv2 encryption parameters that your CPE supports. For more information, see Using IKEv2.
     Use existing or create new? No. The workflow automatically creates the tunnels.

In addition, during the workflow you specify which subnets in your VCN should be configured with access to the on-premises network. The workflow updates each subnet's route table and security rules as follows:

  • Route rules: The workflow adds one or more rules to route VCN traffic to your on-premises network by way of the DRG. There's one rule per on-premises network route that you provide in the workflow.
  • Security list rules: The workflow also adds one or more rules to allow all types of traffic from your on-premises network. There's one rule per on-premises network route that you provide in the workflow.

You can edit the rules and add more if you want.

After the workflow completes, you can use the CPE Configuration Helper to generate configuration content that your network engineer can use to configure the CPE.

If You Do Not Yet Have a VCN

If you prefer, the workflow can instead set up a new VCN and use it when setting up VPN Connect. In that case, the workflow also creates these resources:

  • VCN.
  • Internet gateway for the VCN. Although the internet gateway is not necessary for VPN Connect, the workflow creates it to make it easy for you to quickly access any instances or other cloud resources you later create in the VCN.
  • Regional public subnet in the VCN.
  • Default route table. The workflow configures the subnet to use this route table and adds two types of rules:

    • One or more rules to route VCN traffic to your on-premises network by way of the DRG. There's one rule per on-premises network route that you provide in the workflow.
    • One rule to route the remaining VCN traffic to the internet by way of the internet gateway.
  • Default security list. The workflow configures the subnet to use this security list, which automatically comes with default rules to enable basic traffic flow. The workflow also adds these rules:

    • One or more rules to allow all types of traffic from your on-premises network. There's one rule per on-premises network route that you provide in the workflow. Notice that the security list does not include rules to allow ping.

After the workflow completes, you can modify the VCN's configuration in any way you want. For example, you could edit the route rules and security list rules, add more subnets, remove the internet gateway, and so on.

After the workflow completes, you can also use the CPE Configuration Helper to generate configuration content that your network engineer can use to configure the CPE.

Where to Access the Workflow in the Console

Option 1:

  1. In the Console, click the Oracle Cloud icon at the top of the page to go to the Console home page.

    The page has a Quick Actions section to take you directly to common tasks.

  2. Click the quick action for Networking: Set up a network with a wizard.
  3. Select VCN with VPN Connect and Internet Connectivity, and then click Start Workflow.

Option 2:

  1. Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
  2. Click Networking Quickstart.
  3. Select VCN with VPN Connect and Internet Connectivity, and then click Start Workflow.