!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! IKEv2 Configuration Template
! The configuration consists of two IPSec tunnels. Oracle highly recommends that you configure both tunnels for maximum redundancy.
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! The configuration template involves setting up the following:
! Keyring (Pre-Shared Key)
! IKEv2 and IPSec Policy Configuration
! IPSec Peers
! Virtual Tunnel Interfaces
! IP Routing (BGP or Static)
! Update Any Internet Facing Access List to Allow IPSec and ISAKMP Packets
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! The configuration template has various parameters that you must define before applying the configuration.
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! PARAMETERS REFERENCED:
! ${OracleInsideTunnelIpAddress1} = Inside tunnel IP address of the Oracle side for the first tunnel. You provide these values when creating the IPSec connection in the Oracle Console.
! ${OracleInsideTunnelIpAddress2} = Inside tunnel IP address of the Oracle side for the second tunnel. You provide these values when creating the IPSec connection in the Oracle Console.
! ${cpeInsideTunnelIpAddress1} / ${cpeInsideTunnelNetmask1} = Inside tunnel IP address and netmask of the CPE side for the first tunnel.
! ${cpeInsideTunnelIpAddress2} / ${cpeInsideTunnelNetmask2} = Inside tunnel IP address and netmask of the CPE side for the second tunnel.
! ${tunnelNumber1} / ${tunnelNumber2} = Tunnel interface numbers on the CPE for the first and second tunnel.
! ${bgpASN} = Your BGP ASN.
! ${cpePublicIpAddress} = The public IP address for the CPE. This is the IP address of your outside interface.
! ${netmask} = Subnet mask of the CPE public IP address on the outside interface.
! ${oracleHeadend1} = Oracle public IP endpoint for the first tunnel, obtained from the Oracle Console.
! ${oracleHeadend2} = Oracle public IP endpoint for the second tunnel, obtained from the Oracle Console.
! ${sharedSecret1} = Pre-shared key for the first tunnel. You provide it when you set up the IPSec connection in the Oracle Console, or you can use the default Oracle-provided value.
! ${sharedSecret2} = Pre-shared key for the second tunnel. You provide it when you set up the IPSec connection in the Oracle Console, or you can use the default Oracle-provided value.
! ${outsideInterface} = The public (outside-of-tunnel) interface that is configured with the CPE public IP address.
! ${vcnCidrNetwork} = VCN IP range.
! ${vcnCidrNetmask} = Subnet mask for the VCN.
! ${onPremCidrNetwork} = On-premises IP range.
! ${onPremCidrNetmask} = On-premises subnet mask.
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! Keyring (Pre-Shared Key)
! For authentication during IKE, a separate keyring is defined for each Oracle VPN headend peer.
! Add the pre-shared key for each Oracle VPN headend under the corresponding keyring.
crypto ikev2 keyring oracle-vpn-${oracleHeadend1}
 peer oracle_vpn
  address ${oracleHeadend1}
  pre-shared-key local ${sharedSecret1}
  pre-shared-key remote ${sharedSecret1}
crypto ikev2 keyring oracle-vpn-${oracleHeadend2}
 peer oracle_vpn
  address ${oracleHeadend2}
  pre-shared-key local ${sharedSecret2}
  pre-shared-key remote ${sharedSecret2}
!
! Optional IPSec settings are included here.
! All optional settings included are recommended by Oracle. Remove or comment out any unneeded commands prior to applying this configuration.
! WARNING: These settings are global and may impact other IPSec connections.
! The router will clear the DF bit in the IP header. This allows the packet to be fragmented and sent to the end host in Oracle Cloud Infrastructure for reassembly.
crypto ipsec df-bit clear
! Increases the security association anti-replay window. An increased window size is helpful for scenarios where packets are regularly being dropped due to delays.
crypto ipsec security-association replay window-size 128
!
! IKEv2 and IPSec Policy Configuration
! An IKEv2 proposal is created that specifies use of a pre-shared key, AES256, SHA384, and Diffie-Hellman Group 5.
! If different parameters are required, modify this template before applying the configuration.
crypto ikev2 proposal oracle_v2_proposal
 encryption aes-cbc-256
 integrity sha384
 group 5
crypto ikev2 policy oracle_v2_policy
 proposal oracle_v2_proposal
! Create an IPSec transform set named 'oracle-vpn-transform' which defines a combination of IPSec (Phase 2) policy options: specifically, AES256 for encryption and SHA1 for authentication. This is also where tunnel mode is set for IPSec.
! If different parameters are required, modify this template before applying the configuration.
crypto ipsec transform-set oracle-vpn-transform esp-aes 256 esp-sha-hmac
 mode tunnel
! An IPSec profile named 'oracle_v2_ipsec_profile_tunnel#' is created for each tunnel.
! The previously created transform set is added to this profile along with settings enabling PFS Group 5 and a security association lifetime of 3600 seconds (1 hour).
! Each IPSec profile also references the IKEv2 profile of the matching Oracle VPN headend, which is defined under 'IPSec Peers' below; the names must match exactly or the tunnel will not negotiate.
! If different parameters are required, modify this template before applying the configuration.
crypto ipsec profile oracle_v2_ipsec_profile_tunnel1
 set ikev2-profile oracle-vpn-${oracleHeadend1}
 set pfs group5
 set security-association lifetime seconds 3600
 set transform-set oracle-vpn-transform
crypto ipsec profile oracle_v2_ipsec_profile_tunnel2
 set ikev2-profile oracle-vpn-${oracleHeadend2}
 set pfs group5
 set security-association lifetime seconds 3600
 set transform-set oracle-vpn-transform
!
! IPSec Peers
! Two IKEv2 profiles are created, one for each Oracle VPN headend. Each profile binds the headend's keyring, the local identity, and the remote identity to match.
crypto ikev2 profile oracle-vpn-${oracleHeadend1}
 keyring oracle-vpn-${oracleHeadend1}
 identity local address ${cpePublicIpAddress}
 match identity remote address ${oracleHeadend1} 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
crypto ikev2 profile oracle-vpn-${oracleHeadend2}
 keyring oracle-vpn-${oracleHeadend2}
 identity local address ${cpePublicIpAddress}
 match identity remote address ${oracleHeadend2} 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
!
! Virtual Tunnel Interfaces
! Each tunnel interface is a logical interface representing the local end of a VPN tunnel to a remote VPN peer. Each tunnel interface represents a single tunnel to a different Oracle VPN headend. The IP address of each VPN headend is provided when you create your IPSec connection in the Oracle Console.
! All traffic routed to a tunnel interface will be encrypted and sent across the tunnel towards Oracle Cloud Infrastructure.
! Each tunnel interface configuration also references the previously created IPSec profile 'oracle_v2_ipsec_profile_tunnel#' for its IPSec parameters.
! WARNING: When doing static routing you do NOT have to set IP addresses on the tunnel interfaces unless you pre-configured inside tunnel interfaces in the Oracle Console when creating your IPSec connection. Inside tunnel interfaces are required if using BGP.
interface Tunnel${tunnelNumber1}
 ip address ${cpeInsideTunnelIpAddress1} ${cpeInsideTunnelNetmask1}
 tunnel source ${cpePublicIpAddress}
 tunnel mode ipsec ipv4
 tunnel destination ${oracleHeadend1}
 tunnel protection ipsec profile oracle_v2_ipsec_profile_tunnel1
interface Tunnel${tunnelNumber2}
 ip address ${cpeInsideTunnelIpAddress2} ${cpeInsideTunnelNetmask2}
 tunnel source ${cpePublicIpAddress}
 tunnel mode ipsec ipv4
 tunnel destination ${oracleHeadend2}
 tunnel protection ipsec profile oracle_v2_ipsec_profile_tunnel2
!
! IP Routing
! Pick either dynamic (BGP) or static routing. Uncomment the corresponding commands prior to applying the configuration.
! Border Gateway Protocol (BGP) Configuration
! Uncomment the lines below if you want to use BGP.
! router bgp ${bgpASN}
!  neighbor ${OracleInsideTunnelIpAddress1} remote-as 31898
!  neighbor ${OracleInsideTunnelIpAddress2} remote-as 31898
!  network ${onPremCidrNetwork} mask ${onPremCidrNetmask}
! Static Route Configuration
! Uncomment the lines below if you want to use static routing.
! ip route ${vcnCidrNetwork} ${vcnCidrNetmask} Tunnel${tunnelNumber1}
! ip route ${vcnCidrNetwork} ${vcnCidrNetmask} Tunnel${tunnelNumber2}
!
! Update Any Internet Facing Access List to Allow IPSec and ISAKMP Packets
! You may need to allow IPSec and ISAKMP packets on your internet-facing interface.
! Uncomment the lines below to create a new ACL allowing IPSec and ISAKMP traffic from the Oracle headends and apply it inbound on the outside interface.
! ip access-list extended INTERNET-INGRESS
!  permit udp host ${oracleHeadend1} host ${cpePublicIpAddress} eq isakmp
!  permit esp host ${oracleHeadend1} host ${cpePublicIpAddress}
!  permit udp host ${oracleHeadend2} host ${cpePublicIpAddress} eq isakmp
!  permit esp host ${oracleHeadend2} host ${cpePublicIpAddress}
!  permit icmp any any echo
!  permit icmp any any echo-reply
!  permit icmp any any unreachable
! interface ${outsideInterface}
!  ip address ${cpePublicIpAddress} ${netmask}
!  ip access-group INTERNET-INGRESS in
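Before pasting a rendered copy of this template into a router, it is worth checking that every ${...} parameter was supplied and that the objects the template chains together (keyring, IKEv2 profile, IPsec profile, tunnel interface) all reference names that are actually defined. The following script is an added example, not Oracle's or Cisco's own tooling; its TEMPLATE is a constructed excerpt of the page's template and the parameter values in the usage are made up.

```python
"""Render the Oracle IKEv2 template and flag references to objects that were never defined.

Added example (not Oracle's or Cisco's tooling). TEMPLATE is a constructed excerpt of the page's
template; ${ikev2ProfileRef} is a hypothetical parameter used only to demonstrate a dangling reference.
"""
import re

# Constructed excerpt: keyring -> IKEv2 profile -> IPsec profile -> tunnel interface.
TEMPLATE = """\
crypto ikev2 keyring oracle-vpn-${oracleHeadend1}
 peer oracle_vpn
  address ${oracleHeadend1}
  pre-shared-key local ${sharedSecret1}
crypto ikev2 profile oracle-vpn-${oracleHeadend1}
 keyring oracle-vpn-${oracleHeadend1}
crypto ipsec profile oracle_v2_ipsec_profile_tunnel1
 set ikev2-profile ${ikev2ProfileRef}
interface Tunnel${tunnelNumber1}
 tunnel protection ipsec profile oracle_v2_ipsec_profile_tunnel1
"""

# (pattern that defines a name, pattern that references that kind of name)
_LINKS = [
    (r"^crypto ikev2 keyring (\S+)", r"^\s+keyring (\S+)"),
    (r"^crypto ikev2 profile (\S+)", r"^\s+set ikev2-profile (\S+)"),
    (r"^crypto ipsec profile (\S+)", r"^\s+tunnel protection ipsec profile (\S+)"),
]


def render(template: str, params: dict) -> str:
    """Substitute ${name} placeholders; refuse to render if any parameter is missing."""
    missing = sorted(set(re.findall(r"\$\{(\w+)\}", template)) - set(params))
    if missing:
        raise KeyError(f"undefined template parameters: {missing}")
    return re.sub(r"\$\{(\w+)\}", lambda m: params[m.group(1)], template)


def dangling_references(config: str) -> list:
    """Return (line, name) for every reference whose defining object is absent from config."""
    problems = []
    for def_re, ref_re in _LINKS:
        defined = set(re.findall(def_re, config, flags=re.M))
        for line in config.splitlines():
            m = re.match(ref_re, line)
            if m and m.group(1) not in defined:
                problems.append((line.strip(), m.group(1)))
    return problems
```

Run `dangling_references(render(TEMPLATE, params))` on the real template with your own values; an empty list means every keyring, IKEv2 profile and IPsec profile that is referenced is also defined.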