!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! IKEv2 Configuration Template
! The configuration consists of a single IPSec tunnel.
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! The configuration template involves setting up the following:
! Access Lists
! IKEv2 Policy
! Base VPN Policy
! IPSec Configuration
! IPSec Tunnel Group Configuration
! IP SLA Configuration
! IP Routing (Static)
! Optional: Disable NAT for VPN Traffic
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! The configuration template has various parameters that you must define before applying the configuration.
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! PARAMETERS REFERENCED:
! ${OracleInsideTunnelIpAddress1} = Inside tunnel IP address of the Oracle side for the first tunnel. You provide this value when creating the IPSec connection in the Oracle Console.
! ${cpePublicIpAddress} = The public IP address of the CPE. This is the IP address of your outside interface.
! ${outboundAclName} = ACL used to control traffic in and out of your inside and outside interfaces.
! ${oracleHeadend1} = Oracle public IP endpoint obtained from the Oracle Console.
! ${sharedSecret1} = Pre-shared key. You provide it when you set up the IPSec connection in the Oracle Console, or you can use the default Oracle-provided value.
! ${outsideInterface} = The public (outside) interface, configured with the CPE public IP address.
! ${vcnCidrNetwork} = VCN IP range.
! ${vcnCidrNetmask} = Subnet mask for the VCN.
! ${onPremCidrNetwork} = On-premises IP range. Not referenced by the commands below; use it if you narrow the NAT exemption object from 0.0.0.0/0 to your actual on-premises range.
! ${onPremCidrNetmask} = On-premises subnet mask. Same use as ${onPremCidrNetwork}.
! ${cryptoMapAclName} = Name of the ACL that will be associated with the IPSec security association.
! ${vcnHostIp} = IP address of a VCN host. Used for the IP SLA continuous ping that keeps the tunnel in the UP state.
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! Access Lists
! Permit Traffic Between Your ASA and Your Oracle VCN
! Assuming there is an access-list controlling traffic in and out of your Internet-facing interface, you need to permit traffic between your CPE and the Oracle VPN headend.
! WARNING: The new ACL entry that permits traffic between your ASA and the VPN headend must sit above any deny statements in your existing access-list. Use 'access-list <name> line <n> extended permit ...' to insert it at a specific position; without 'line', the ASA appends the entry at the end of the list.
! NOTE: 'permit ip' is broader than the tunnel strictly needs. IKEv2 uses UDP/500, NAT-T uses UDP/4500 and the encrypted traffic is ESP (IP protocol 50); narrow the entry to those if your policy requires it.
access-list ${outboundAclName} extended permit ip host ${oracleHeadend1} host ${cpePublicIpAddress}

! Crypto ACL
! Create an ACL named ${cryptoMapAclName}, which is later associated with the IPSec security association using the 'crypto map' command. It defines which source/destination traffic is encrypted and sent across the VPN tunnel.
! Keep this ACL to a single entry. In a policy-based configuration, each ACL line establishes a separate encryption domain.
! The single encryption domain used in this configuration sample has a source/destination of any/VCN CIDR. Refer to the 'Encryption domain for policy-based tunnels' subsection for supported alternatives.
access-list ${cryptoMapAclName} extended permit ip any ${vcnCidrNetwork} ${vcnCidrNetmask}

! IKEv2 Policy
! IKEv2 is enabled on the outside interface.
! The IKEv2 policy specifies AES-256 encryption, SHA-384 integrity, Diffie-Hellman group 5, SHA-1 as the PRF and a lifetime of 28800 seconds (8 hours). Peer authentication uses a pre-shared key, which is set in the tunnel group below.
! If different parameters are required, modify this template before applying the configuration. Diffie-Hellman group 5 (1536-bit MODP) and SHA-1 are weak by current standards; prefer a stronger group and hash if both your ASA and the Oracle-supported parameter list allow it.
! WARNING: The IKEv2 policy is created with a priority of 10. Make sure this doesn't conflict with any pre-existing configuration on your ASA.
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha384
 group 5
 prf sha
 lifetime seconds 28800

! Base VPN Policy
! An internal VPN group policy named 'oracle-vcn-vpn-policy' is created to define some basic VPN tunnel settings.
! Idle and session timeouts are disabled to maintain the tunnel UP state, and the tunnel protocol is set to IKEv2.
group-policy oracle-vcn-vpn-policy internal
group-policy oracle-vcn-vpn-policy attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ikev2

! IPSec Configuration
! Create an IKEv2 IPSec proposal named 'oracle_v2_ipsec_proposal' that defines AES-256 for encryption and SHA-1 for integrity.
! If different parameters are required, modify this template before applying the configuration.
crypto ipsec ikev2 ipsec-proposal oracle_v2_ipsec_proposal
 protocol esp encryption aes-256
 protocol esp integrity sha-1
! A crypto map ties together the traffic that needs encryption (via the crypto map ACL), the security policy (the IPSec proposal and the other crypto map statements), and the destination of the traffic (a specific crypto peer).
! In this configuration example, a single crypto map named 'oracle-vpn-map-v2' is created. It references the crypto map ACL created above and the 'oracle_v2_ipsec_proposal' IPSec proposal, and sets PFS group 5 and a security association lifetime of 3600 seconds (1 hour).
! WARNING: Make sure your crypto map name and sequence numbers do not overlap with existing crypto maps.
! WARNING: DO NOT use the 'originate-only' option with an Oracle IPSec VPN tunnel. It causes the tunnel's traffic to be inconsistently blackholed. The option is only for tunnels between two Cisco devices.
! Here's an example of the command that you should NOT use for Oracle IPSec VPN tunnels:
! crypto map <map name> <sequence number> set connection-type originate-only
crypto map oracle-vpn-map-v2 1 match address ${cryptoMapAclName}
crypto map oracle-vpn-map-v2 1 set pfs group5
crypto map oracle-vpn-map-v2 1 set peer ${oracleHeadend1}
crypto map oracle-vpn-map-v2 1 set ikev2 ipsec-proposal oracle_v2_ipsec_proposal
crypto map oracle-vpn-map-v2 1 set security-association lifetime seconds 3600
! WARNING: The command below applies the 'oracle-vpn-map-v2' crypto map to the outside interface. The Cisco ASA supports a single crypto map per interface. Make sure no other crypto map is applied to the outside interface before using this command.
crypto map oracle-vpn-map-v2 interface outside

! IPSec Tunnel Group Configuration
! This configuration matches the group policy 'oracle-vcn-vpn-policy' with an Oracle VPN headend endpoint.
! The pre-shared key for each Oracle VPN headend is defined in the corresponding tunnel group.
tunnel-group ${oracleHeadend1} type ipsec-l2l
tunnel-group ${oracleHeadend1} general-attributes
 default-group-policy oracle-vcn-vpn-policy
tunnel-group ${oracleHeadend1} ipsec-attributes
 ikev2 local-authentication pre-shared-key ${sharedSecret1}
 ikev2 remote-authentication pre-shared-key ${sharedSecret1}

! IP SLA Configuration
! The Cisco ASA doesn't establish a tunnel if there's no interesting traffic trying to pass through it.
! Configure IP SLA on your device for a continuous ping so that the tunnel stays up at all times.
! You must allow ICMP on the outside interface.
! Make sure that the SLA monitor number used is unique.
! NOTE: 'icmp permit any' lets any host ping the outside interface itself (it does not affect through-traffic). If your policy requires it, narrow it to the echo replies the probe needs, e.g. 'icmp permit host ${vcnHostIp} echo-reply ${outsideInterface}'.
sla monitor 1
 type echo protocol ipIcmpEcho ${vcnHostIp} interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
icmp permit any ${outsideInterface}

! IP Routing
! Static Route Configuration
route outside ${vcnCidrNetwork} ${vcnCidrNetmask} ${OracleInsideTunnelIpAddress1}

! Disable NAT for VPN Traffic (Optional)
! If you are using NAT for traffic between your inside and outside interfaces, you might need to exempt traffic between your on-premises network and the Oracle VCN from NAT.
! Two objects are created for this NAT exemption. 'obj-onprem' represents the on-premises network as 0.0.0.0/0 (any source), and 'obj-oracle-vcn-1' represents the VCN CIDR block used in Oracle Cloud Infrastructure.
! If different address ranges are required (for example ${onPremCidrNetwork} ${onPremCidrNetmask} instead of 0.0.0.0/0), modify this template before applying the configuration.
! The commands are commented out below; remove the leading '!' to apply them.
! object network obj-onprem
!  subnet 0.0.0.0 0.0.0.0
! object network obj-oracle-vcn-1
!  subnet ${vcnCidrNetwork} ${vcnCidrNetmask}
! nat (inside,outside) source static obj-onprem obj-onprem destination static obj-oracle-vcn-1 obj-oracle-vcn-1
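! Added example, not part of the Oracle template or any Cisco tooling: a Python script that renders the template from a parameter dictionary and pre-flights it against an existing ASA running-config for the conflicts the WARNING notes above describe (a clashing IKEv2 policy priority, an overlapping crypto map name/sequence, a second crypto map on the outside interface, a reused SLA monitor number, a multi-entry crypto ACL) and computes the 'line <n>' at which the headend permit must be inserted to stay above the first deny. The template excerpt, the parameter values (RFC 5737 and link-local addresses) and the "existing" running-config are constructed for illustration; the parameter names are the template's own.

```python
"""Render the IKEv2 template and pre-flight it against an ASA running-config.
Added example: not part of the Oracle template."""
import re
from string import Template

# Constructed excerpt of the template: only the numbered/named statements
# that the template's WARNING notes are about.
TEMPLATE = """\
access-list ${outboundAclName} extended permit ip host ${oracleHeadend1} host ${cpePublicIpAddress}
access-list ${cryptoMapAclName} extended permit ip any ${vcnCidrNetwork} ${vcnCidrNetmask}
crypto ikev2 policy 10
crypto map oracle-vpn-map-v2 1 match address ${cryptoMapAclName}
crypto map oracle-vpn-map-v2 1 set peer ${oracleHeadend1}
crypto map oracle-vpn-map-v2 interface outside
tunnel-group ${oracleHeadend1} type ipsec-l2l
sla monitor 1
route outside ${vcnCidrNetwork} ${vcnCidrNetmask} ${OracleInsideTunnelIpAddress1}
"""

# Constructed placeholder values (RFC 5737 / link-local), not a real deployment.
PARAMS = {
    "OracleInsideTunnelIpAddress1": "169.254.10.1",
    "cpePublicIpAddress": "203.0.113.10",
    "outboundAclName": "outside_access_in",
    "oracleHeadend1": "192.0.2.20",
    "cryptoMapAclName": "oracle-vcn-crypto-acl",
    "vcnCidrNetwork": "10.0.0.0",
    "vcnCidrNetmask": "255.255.0.0",
}

# Constructed 'show running-config' excerpt of an ASA that already carries a
# branch tunnel; it collides with the template in three places.
EXISTING_CONFIG = """\
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_access_in extended deny ip any any
crypto ikev2 policy 10
 encryption aes-256
crypto map branch-map 1 match address branch-acl
crypto map branch-map interface outside
sla monitor 1
 type echo protocol ipIcmpEcho 192.0.2.99 interface outside
"""

PLACEHOLDER = re.compile(r"\$\{(\w+)\}")
IKEV2_POLICY = re.compile(r"^crypto ikev2 policy (\d+)\s*$", re.M)
CRYPTO_MAP_SEQ = re.compile(r"^crypto map (\S+) (\d+) ", re.M)
CRYPTO_MAP_IF = re.compile(r"^crypto map (\S+) interface (\S+)\s*$", re.M)
SLA_MONITOR = re.compile(r"^sla monitor (\d+)\s*$", re.M)

def missing_params(template, params):
    """Placeholders the caller has not defined; render() refuses a half-filled template."""
    return set(PLACEHOLDER.findall(template)) - set(params)

def render(template, params):
    # substitute() raises KeyError for any undefined ${param}, unlike safe_substitute().
    return Template(template).substitute(params)

def preflight(existing, rendered):
    """Conflicts between the rendered template and the running-config, one string each."""
    problems = []
    policies = set(IKEV2_POLICY.findall(existing))
    maps = set(CRYPTO_MAP_SEQ.findall(existing))
    bound = {iface: name for name, iface in CRYPTO_MAP_IF.findall(existing)}  # one map per interface
    slas = set(SLA_MONITOR.findall(existing))
    for prio in IKEV2_POLICY.findall(rendered):
        if prio in policies:
            problems.append(f"crypto ikev2 policy {prio} already exists")
    for name, seq in sorted(set(CRYPTO_MAP_SEQ.findall(rendered))):
        if (name, seq) in maps:
            problems.append(f"crypto map {name} {seq} already exists")
    for name, iface in CRYPTO_MAP_IF.findall(rendered):
        if bound.get(iface, name) != name:
            problems.append(f"interface {iface} already has crypto map {bound[iface]}")
    for num in SLA_MONITOR.findall(rendered):
        if num in slas:
            problems.append(f"sla monitor {num} already exists")
    return problems

def crypto_acl_entries(rendered, acl_name):
    """ACE count of the crypto ACL; each line becomes its own encryption domain, so expect 1."""
    return len(re.findall(r"^access-list " + re.escape(acl_name) + r" extended ", rendered, re.M))

def headend_permit_line(existing, acl_name):
    """1-based position of the first 'deny' ACE in acl_name, i.e. the 'line <n>' at which the
    headend permit must be inserted to stay above it; None if the ACL has no deny."""
    pos = 0
    for line in existing.splitlines():
        if line.startswith(f"access-list {acl_name} "):
            pos += 1  # remarks and ACEs both occupy a line number on the ASA
            if line.startswith(f"access-list {acl_name} extended deny "):
                return pos
    return None

def run_checks():
    rendered = render(TEMPLATE, PARAMS)
    return (preflight(EXISTING_CONFIG, rendered),
            crypto_acl_entries(rendered, PARAMS["cryptoMapAclName"]),
            headend_permit_line(EXISTING_CONFIG, PARAMS["outboundAclName"]))

if __name__ == "__main__":
    problems, entries, line = run_checks()
    for p in problems:
        print("CONFLICT:", p)
    print("crypto ACL entries:", entries, "(must be 1)")
    print(f"insert with: access-list {PARAMS['outboundAclName']} line {line} extended permit ...")
```

Run against the constructed running-config it reports three conflicts (policy 10, the outside interface already bound to branch-map, SLA monitor 1) and tells you to insert the headend permit at line 2. Against a real device, replace EXISTING_CONFIG with the output of 'show running-config' and renumber the colliding objects before applying anything.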