Setting Up Site-to-Site VPN

In this example, you configure both tunnels to use BGP dynamic routing.

1. Open the navigation menu  and select Networking. Under Customer connectivity, select Site-to-Site VPN.
2. Click Create IPSec Connection.

3. Enter the following values:

   • Name: Enter a descriptive name for the IPSec connection. It doesn't have to be unique, and you can change it later. Avoid entering confidential information.
   • Create in Compartment: Leave as is (the VCN's compartment).
   • Customer-Premises Equipment: Select the CPE object that you created earlier. If you are configuringIPSec over FastConnect, the CPE you choose must have a label confirming that IPSec over FastConnect is enabled for that CPE. BGP routing is preferred for connections that use IPSec over FastConnect. If necessary, select the checkbox to indicate that the CPE is behind a NAT device. If the checkbox is selected, provide the following information:
     • CPE IKE Identifier Type: Select the type of identifier that internet key exchange (IKE) uses to identify the CPE device. Either an FQDN or an IPv4 address can be an identifier.Oracle defaults to using the public IP address of the CPE. If your CPE is behind a NAT device, you might need to enter a different value. You can either enter the new value here, or change the value later.
     • CPE IKE Identifier: Enter the information that IKE uses to identify the CPE device.
   • Dynamic Routing Gateway Compartment: Leave as is (the VCN's compartment).
   • Dynamic Routing Gateway: Select the DRG that you created earlier.
   • Routes to your on-premises Network: Leave empty because this IPSec connection uses BGP dynamic routing. You configure the two tunnels to use BGP in subsequent steps.

4. For Tunnel 1 (required):

   • Name: Enter a descriptive name for the tunnel. It doesn't have to be unique, and you can change it later. Avoid entering confidential information.
   • Provide custom shared secret (optional): By default, Oracle provides the shared secret for the tunnel. If you want to provide it instead, select this checkbox and enter the shared secret. You can change the shared secret later.
   • IKE Version: The Internet Key Exchange (IKE) version to use for this tunnel. Only select IKEv2 if your CPE supports it. You must also then configure the CPE to use only IKEv2 for this tunnel.
   • Routing Type: Select BGP Dynamic Routing.
   • If your selected CPE supports IPSec over FastConnect, the following settings are required:
     • Oracle tunnel headend IP: Enter the IP address of the Oracle IPSec tunnel endpoint (the VPN headend). Oracle will advertise the VPN IP as a /32 host route via the FastConnect BGP session. If there is any address overlap with a VCN route this will take precedence due to longest prefix match.
     • Associated virtual circuit: Select a virtual circuit that was enabled for IPSec over FastConnect when it was created. The tunnel will be mapped to the chosen virtual circuit and the defined headend IP will only be reachable from on-premises via the associated virtual circuit.
     • DRG route table: Choose or create a DRG route table. To prevent any issues with recursive routing, the virtual circuit attachment and the IPSec tunnel attachment used for IPsec over FC must use different DRG route tables.
   • BGP ASN: Enter your network's ASN.
   • IPv4 Inside Tunnel Interface - CPE: Enter the BGP IPv4 address with subnet mask (either /30 or /31) for the CPE end of the tunnel. For example: 10.0.0.16/31. The IP address must be part of Site-to-Site VPN's encryption domain.
   • IPv4 Inside Tunnel Interface - Oracle: Enter the BGP IPv4 address with subnet mask (either /30 or /31) for the Oracle end of the tunnel. For example: 10.0.0.17/31. The IP address must be part of Site-to-Site VPN's encryption domain.
   • If you plan to use both IPv6 and IPv4, click Enable IPv6 and enter the following details:
     • IPv6 Inside Tunnel Interface - CPE: Enter the BGP IPv6 address with subnet mask (/126) for the CPE end of the tunnel. For example: 2001:db2::6/126. The IP address must be part of Site-to-Site VPN's encryption domain.
     • IPv6 Inside Tunnel Interface - Oracle: Enter the BGP IP address with subnet mask (/126) for the Oracle end of the tunnel. For example: 2001:db2::7/126. The IP address must be part of Site-to-Site VPN's encryption domain.
     • If you click Show Advanced Options you can change the following settings for Tunnel 1:
       • Oracle Initiation: This setting indicates whether the Oracle end of the IPSec connection is able to initiate starting up the IPSec tunnel. The default is Initiator or Responder. You can also choose to set the Oracle end to be a responder only which would require the CPE device to initiate the IPSec tunnel. Oracle recommends leaving this option at the default setting.
       • NAT-T Enabled: This setting indicates whether the CPE device is behind a NAT device. The default is Auto. The other options are Disabled and Enabled. Oracle recommends leaving this option at the default setting.
       • Enable Dead Peer Detection Timeout: Clicking this option allows you to periodically check the stability of the connection to the CPE, and detect that the CPE has gone down. If you select this option you can also select the longest interval between CPE device health messages before the IPSec connection indicates that it has lost contact with the CPE. The default is 20 seconds. Oracle recommends leaving this option at the default setting.
     • If you expand the Phase One (ISAKMP) Configuration section and click Set custom options, you can set the following optional settings (you must select one of each option):
       • Custom Encryption Algorithms: You can choose from the options provided in the pull-down menu.
       • Custom Authentication Algorithms: You can choose from the options provided in the pull-down menu.
       • Diffie-Hellman Groups: You can choose from the options provided in the pull-down menu.

       If the Set custom configurations checkbox is not selected, the default settings are proposed.

       To understand these options in more detail including the default proposals, see Supported IPSec Parameters.

     • IKE Session Key Lifetime in Seconds: The default is 28800 which is equivalent to 8 hours.
     • If you expand the Phase Two (IPSec) Configuration options and click Set custom options, you can set the following optional settings for Tunnel 1 (you must select an encryption algorithm):
       • Custom Encryption Algorithms: You can choose from the options provided in the pull-down menu. If you select an AES-CBC encryption algorithm, you must also select an authentication algorithm.
       • Custom Authentication Algorithms: You can choose from the options provided in the pull-down menu. The encryption algorithm you chose might have built-in authentication, in which case there is no selectable option.

       If the Set custom configurations checkbox is not selected, the default settings are proposed.

       For all Phase Two options, if you select a single option that option overrides the default set and be the only option proposed to the CPE device.

     • IPSec Session Key Lifetime in Seconds: The default is 3600 which is equivalent to 1 hour.
     • Enable Perfect Forward Secrecy: By default, this option is on. It allows you to choose the Perfect Forward Secrecy Diffie-Hellman Group. You can choose from the options provided in the pull-down menu. If you don't make a selection, GROUP5 is proposed.
5. On the Tunnel 2 tab you can use the same options described for Tunnel 1. You can also choose different options or choose to leave the tunnel unconfigured because your CPE device only supports a single tunnel.
6. You can click Show Tagging Options to add tags for the IPSec connection now, or add them later. For more information, see Resource Tags.

7. Click Create IPSec Connection.

   The IPSec connection is created and displayed on the page. It is in the Provisioning state for a short period.

   The displayed tunnel information includes:

   • The Oracle VPN IPv4 or IPv6 address (for the Oracle VPN headend).
   • The tunnel's IPSec status (possible values are Up, Down, and Down for Maintenance). At this point, the status is Down. Your network engineer must configure your CPE device before the tunnel or tunnels can be established.
   • The tunnel's BGP status. At this point, the status is Down. Your network engineer must configure your CPE device.

   To view the tunnel's shared secret, click the tunnel to view its details, and then click Show next to Shared Secret.

   You can also click the Phase Details tab to see the Phase One (ISAKMP) and Phase Two (IPSec) details for the tunnel.

8. Copy the Oracle VPN IP address and shared secret for each of the tunnels to an email or other location so you can deliver it to the network engineer who configures your CPE device.

   You can view this tunnel information here in the Console at any time.

You have now created all the components required for Site-to-Site VPN. Next, your network engineer must configure your CPE device before network traffic can flow between your on-premises network and VCN.

1. Open the navigation menu  and select Networking. Under Customer connectivity, select Site-to-Site VPN.
2. Click Create IPSec Connection.

3. Enter the following values:

   • Create in Compartment: Leave as is (the VCN's compartment).
   • Name: Enter a descriptive name for the IPSec connection. It doesn't have to be unique, and you can change it later. Avoid entering confidential information.
   • Customer-Premises Equipment Compartment: Leave as is (the VCN's compartment).
   • Customer-Premises Equipment: Select the CPE object that you created earlier. If you are configuringIPSec over FastConnect, the CPE you choose must have a label confirming that IPSec over FastConnect is enabled for that CPE. IPSec over FastConnect is available for connections that use static routing, but is not recommended.
   • Dynamic Routing Gateway Compartment: Leave as is (the VCN's compartment).
   • Dynamic Routing Gateway: Select the DRG that you created earlier.
   • Static Route CIDR: Enter at least one static route CIDR (see the list of information to gather in Before You Get Started). For this example, enter 10.0.0.0/16. You can enter up to 10 static routes, and you can change the static routes later.
4. Click Show Advanced Options.
5. On the CPE IKE Identifier tab (optional): Oracle defaults to using the public IP address of the CPE. If your CPE is behind a NAT device, you might need to enter a different value. You can either enter the new value here, or change the value later.

6. On the Tunnel 1 tab (optional):

   • Tunnel Name: Enter a descriptive name for the tunnel. It doesn't have to be unique, and you can change it later. Avoid entering confidential information.
   • Provide custom shared secret (optional): By default, Oracle provides the shared secret for the tunnel. If you want to provide it instead, select this checkbox and enter the shared secret. You can change the shared secret later.
   • IKE Version: The Internet Key Exchange (IKE) version to use for this tunnel. Only select IKEv2 if your CPE supports it. You must also then configure the CPE to use only IKEv2 for this tunnel.
   • Routing Type: Leave the radio button for Static Routing selected.
   • Inside Tunnel Interface - CPE (optional): You can provide an IP address with subnet mask (either /30 or /31) for the CPE end of the tunnel for the purposes of tunnel troubleshooting or monitoring. For example: 10.0.0.16/31. The IP address must be part of Site-to-Site VPN's encryption domain.
   • Inside Tunnel Interface - Oracle (optional): You can provide an IP address with subnet mask (either /30 or /31) for the Oracle end of the tunnel for the purposes of tunnel troubleshooting or monitoring. For example: 10.0.0.17/31. The IP address must be part of Site-to-Site VPN's encryption domain.

7. On the Tunnel 2 tab (optional):

   • Tunnel Name: Enter a descriptive name for the tunnel. It doesn't have to be unique, and you can change it later. Avoid entering confidential information.
   • Provide custom shared secret (optional): By default, Oracle provides the shared secret for the tunnel. If you want to provide it instead, select this checkbox and enter the shared secret. You can change the shared secret later.
   • IKE Version: The Internet Key Exchange (IKE) version to use for this tunnel. Only select IKEv2 if your CPE supports it. You must also then configure the CPE to use only IKEv2 for this tunnel.
   • Routing Type: Leave the radio button for Static Routing selected.
   • Inside Tunnel Interface - CPE (optional): You can provide an IP address with subnet mask (either /30 or /31) for the CPE end of the tunnel for the purposes of tunnel troubleshooting or monitoring. Use a different IP address than for tunnel 1. For example: 10.0.0.18/31. The IP address must be part of Site-to-Site VPN's encryption domain.
   • Inside Tunnel Interface - Oracle (optional): You can provide an IP address with subnet mask (either /30 or /31) for the Oracle end of the tunnel for the purposes of tunnel troubleshooting or monitoring. Use a different IP address than for tunnel 1. For example: 10.0.0.19/31. The IP address must be part of Site-to-Site VPN's encryption domain.
8. Tags: Leave as is. You can add tags later if you want. For more information, see Resource Tags.

9. Click Create IPSec Connection.

   The IPSec connection is created and displayed on the page. It will be in the Provisioning state for a short period.

   The displayed tunnel information includes:

   • The Oracle VPN IP address (for the Oracle VPN headend).
   • The tunnel's IPSec status (possible values are Up, Down, and Down for Maintenance). At this point, the status is Down. Your network engineer still must configure your CPE device.

   To view the tunnel's shared secret, click the tunnel to view its details, and then click Show next to Shared Secret.

10. Copy the Oracle VPN IP address and shared secret for each of the tunnels to an email or other location so you can deliver it to the network engineer who will configure the CPE device.

    You can view this tunnel information here in the Console at any time.

You have now created all the components required for Site-to-Site VPN. Next, your network engineer must configure the CPE device before network traffic can flow between your on-premises network and VCN.

For more information, see CPE Configuration.

1. Open the navigation menu  and select Networking. Under Customer connectivity, select Site-to-Site VPN.
2. Click Create IPSec Connection.

3. Enter the following values:

   • Create in Compartment: Leave as is (the VCN's compartment).
   • Name: Enter a descriptive name for the IPSec connection. It doesn't have to be unique, and you can change it later. Avoid entering confidential information.
   • Customer-Premises Equipment Compartment: Leave as is (the VCN's compartment).
   • Customer-Premises Equipment: Select the CPE object that you created earlier. If you are configuringIPSec over FastConnect, the CPE you choose must have a label confirming that IPSec over FastConnect is enabled for that CPE. IPSec over FastConnect is available for connections that use policy-based routing, but is not recommended.
   • Dynamic Routing Gateway Compartment: Leave as is (the VCN's compartment).
   • Dynamic Routing Gateway: Select the DRG that you created earlier.
   • Static Route CIDR: Enter at least one static route CIDR (see the list of information to gather in Before You Get Started). For this example, enter 10.0.0.0/16. You can enter up to 10 static routes, and you can change the static routes later.
4. Click Show Advanced Options.
5. On the CPE IKE Identifier tab (optional): Oracle defaults to using the public IP address of the CPE. If your CPE is behind a NAT device, you might need to enter a different value. You can either enter the new value here, or change the value later.

6. On the Tunnel 1 tab (optional):

   • Tunnel Name: Enter a descriptive name for the tunnel. It doesn't have to be unique, and you can change it later. Avoid entering confidential information.
   • Provide custom shared secret (optional): By default, Oracle provides the shared secret for the tunnel. If you want to provide it instead, select this checkbox and enter the shared secret. You can change the shared secret later.
   • IKE Version: The Internet Key Exchange (IKE) version to use for this tunnel. Only select IKEv2 if your CPE supports it. You must also then configure the CPE to use only IKEv2 for this tunnel.
   • Routing Type: Select the radio button for Policy-based routing.
   • On-premises: You can provide multiple IPv4 CIDR or IPv6 prefix blocks used by resources in your on-premises network, with routing determined by the CPE device policies.
     Note
     
     See Encryption domains for policy-based tunnels for limitations on how many IPv4 CIDR or IPv6 prefix blocks can be used.
   • Oracle Cloud: You can provide multiple IPv4 CIDR or IPv6 prefix blocks used by resources in your VCN.
     Note
     
     See Encryption domains for policy-based tunnels for limitations on how many IPv4 CIDR or IPv6 prefix blocks can be used.
   • Inside Tunnel Interface - CPE (optional): You can provide an IP address with subnet mask (either /30 or /31) for the CPE end of the tunnel for the purposes of tunnel troubleshooting or monitoring. For example: 10.0.0.16/31. The IP address must be part of one of Site-to-Site VPN's encryption domains.
   • Inside Tunnel Interface - Oracle (optional): You can provide an IP address with subnet mask (either /30 or /31) for the Oracle end of the tunnel for the purposes of tunnel troubleshooting or monitoring. For example: 10.0.0.17/31. The IP address must be part of one of Site-to-Site VPN's encryption domains.

7. On the Tunnel 2 tab (optional):

   • Tunnel Name: Enter a descriptive name for the tunnel. It doesn't have to be unique, and you can change it later. Avoid entering confidential information.
   • Provide custom shared secret (optional): By default, Oracle provides the shared secret for the tunnel. If you want to provide it instead, select this checkbox and enter the shared secret. You can change the shared secret later.
   • IKE Version: The Internet Key Exchange (IKE) version to use for this tunnel. Only select IKEv2 if your CPE supports it. You must also then configure the CPE to use only IKEv2 for this tunnel.
   • Routing Type: Select the radio button for Policy-based routing.
   • On-premises: You can provide multiple IPv4 CIDR or IPv6 prefix blocks used by resources in your on-premises network, with routing determined by the CPE device policies.
     Note
     
     See Encryption domains for policy-based tunnels for limitations.
   • Oracle Cloud: You can provide multiple IPv4 CIDR or IPv6 prefix blocks used by resources in your VCN.
     Note
     
     See Encryption domains for policy-based tunnels for limitations.
   • Inside Tunnel Interface - CPE (optional): You can provide an IP address with subnet mask (either /30 or /31) for the CPE end of the tunnel for the purposes of tunnel troubleshooting or monitoring. For example: 10.0.0.16/31. The IP address must be part of one of Site-to-Site VPN's encryption domains.
   • Inside Tunnel Interface - Oracle (optional): You can provide an IP address with subnet mask (either /30 or /31) for the Oracle end of the tunnel for the purposes of tunnel troubleshooting or monitoring. For example: 10.0.0.17/31. The IP address must be part of one of Site-to-Site VPN's encryption domains.
8. Tags: Leave as is. You can add tags later if you want. For more information, see Resource Tags.

9. Click Create IPSec Connection.

   The IPSec connection is created and displayed on the page. It will be in the Provisioning state for a short period.

   The displayed tunnel information includes:

   • The Oracle VPN IP address (for the Oracle VPN headend).
   • The tunnel's IPSec status (possible values are Up, Down, and Down for Maintenance). At this point, the status is Down. Your network engineer still must configure your CPE device.

   To view the tunnel's shared secret, click the tunnel to view its details, and then click Show next to Shared Secret.

10. Copy the Oracle VPN IP address and shared secret for each of the tunnels to an email or other location, then deliver it to the network engineer who configures the CPE device.

    You can view this tunnel information here in the Console at any time.

You have now created all the components required for Site-to-Site VPN. Next, your network engineer must configure the CPE device before network traffic can flow between your on-premises network and VCN.

For more information, see CPE Configuration.