--------------------------------------------------------------------------------------------------------------------------------------------------------------
# Configuration Template
# The configuration consists of two IPSec tunnels. Oracle highly recommends that you configure both tunnels for maximum redundancy.
--------------------------------------------------------------------------------------------------------------------------------------------------------------
# The configuration template involves setting up the following:
# PHASE 1
# PHASE 2
# SETTING THE SECURITY ZONES FOR ORACLE
# SETTING THE SECURITY POLICIES FOR ORACLE
# SETTING THE SECURITY SETTINGS FOR ORACLE
# SETTING BGP/STATIC ROUTING
--------------------------------------------------------------------------------------------------------------------------------------------------------------
# The configuration template has various parameters that you must define before applying the configuration.
# Search in the template for the keyword "USER_DEFINED" to find those parameters.
--------------------------------------------------------------------------------------------------------------------------------------------------------------
# PARAMETERS REFERENCED:
# oracle_headend_1 = Oracle public IP endpoint obtained from the Oracle Console.
# oracle_headend_2 = Oracle public IP endpoint obtained from the Oracle Console.
# connection_presharedkey_1 = You provide this when you set up the IPSec connection in the Oracle Console, or you can use the default Oracle-provided value.
# connection_presharedkey_2 = You provide this when you set up the IPSec connection in the Oracle Console, or you can use the default Oracle-provided value.
# outside_public_interface = The public (outside-of-tunnel) interface that is configured with the CPE public IP address. Example: ge-0/0/1.0
# cpe_public_ip_address = The internet-routable IP address that is assigned to the public interface on the CPE.
# You provide this when creating the CPE object in the Oracle Console.
# inside_tunnel_interface = The internal-facing interface for the on-premises network behind the SRX that needs to reach the Oracle VCN. Example: ge-0/0/0.0
# inside_tunnel_interface_ip_address = The IP addresses for the CPE and Oracle ends of the inside tunnel interface. You provide these when creating the IPSec connection in the Oracle Console.
# inside_tunnel_interface_ip_address_neighbor = The neighbor IP address between the SRX and Oracle end points of the inside tunnel interface.
# internal_network_ip_range = Internal on-premises network behind the SRX that needs to reach resources in the Oracle VCN.
# bgp_asn = Your ASN
# vcn_range = VCN IP Range
--------------------------------------------------------------------------------------------------------------------------------------------------------------
# IPSec Tunnel 1
# #1: Internet Key Exchange (IKE) Configuration (Phase 1)
# Defining the IKE Proposal for Oracle
# This IKE (Phase 1) configuration template uses AES256, SHA384, Diffie-Hellman Group 5, and a 28800 second (8 hours) IKE session key lifetime.
# If different parameters are required, modify this template before applying the configuration.
set security ike proposal oracle-ike-proposal authentication-method pre-shared-keys
set security ike proposal oracle-ike-proposal authentication-algorithm sha-384
set security ike proposal oracle-ike-proposal encryption-algorithm aes-256-cbc
set security ike proposal oracle-ike-proposal lifetime-seconds 28800
set security ike proposal oracle-ike-proposal dh-group group5
# Defining the IKE Policy for Oracle
# USER_DEFINED: Replace the parameters in the section below as needed
set security ike policy ike_pol_oracle-vpn- mode main
set security ike policy ike_pol_oracle-vpn- proposals oracle-ike-proposal
set security ike policy ike_pol_oracle-vpn- pre-shared-key ascii-text
# Setting up the Public Interface with the CPE Public IP.
# USER_DEFINED: Replace the parameters in the section below as needed
set interfaces unit 0 family inet address
# Defining the IKE Gateway for Oracle
# USER_DEFINED: Replace the parameters in the section below as needed.
# The dead-peer-detection option enables IPsec Dead Peer Detection, which causes periodic messages to be sent to ensure a Security Association remains operational.
# If you want to use IKEv1 instead, comment out the line below that ends with "version v2-only".
set security ike gateway gw_oracle- ike-policy ike_pol_oracle-vpn-
set security ike gateway gw_oracle- external-interface
set security ike gateway gw_oracle- address
set security ike gateway gw_oracle- dead-peer-detection
set security ike gateway gw_oracle- version v2-only
set security ike gateway gw_oracle- local-identity inet
# #2: IPSec Configuration
# Defining the IPSec (Phase 2) Proposal for Oracle
# The IPSec proposal defines the protocol, authentication, encryption, and lifetime parameters for the IPsec security association.
# The configuration template sets AES256 for encryption, SHA1 for authentication, enables PFS group 5, and sets the IPSec session key lifetime to 3600 seconds (1 hour).
# The IPsec policy incorporates the Diffie-Hellman group and the IPsec proposal.
# If different parameters are required, modify this template before applying the configuration.
set security ipsec vpn-monitor-options
set security ipsec proposal oracle-ipsec-proposal protocol esp
set security ipsec proposal oracle-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal oracle-ipsec-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal oracle-ipsec-proposal lifetime-seconds 3600
# Defining the IPSec (Phase 2) Policy for Oracle
set security ipsec policy ipsec_pol_oracle-vpn perfect-forward-secrecy keys group5
set security ipsec policy ipsec_pol_oracle-vpn proposals oracle-ipsec-proposal
# Defining the Security Association for Oracle
# USER_DEFINED: Replace the parameters in the section below as needed
# The IPsec policy and IKE gateway are associated with a tunnel interface (st0.1). If other tunnels are defined on your router, you must specify a unique interface name (for example, st0.2).
# The df-bit clear option allows the SRX to fragment the packet and send it to the end host in Oracle Cloud Infrastructure to reassemble the packet.
set security ipsec vpn oracle-vpn- bind-interface st0.1
set security ipsec vpn oracle-vpn- vpn-monitor
set security ipsec vpn oracle-vpn- ike gateway gw_oracle-
set security ipsec vpn oracle-vpn- ike ipsec-policy ipsec_pol_oracle-vpn
set security ipsec vpn oracle-vpn- df-bit clear
set security ipsec vpn oracle-vpn- establish-tunnels immediately
# #3: Tunnel Interface Configuration
# Defining the Tunnel Interface
# USER_DEFINED: Replace the parameters in the section below as needed
set interfaces st0.1 family inet address
set interfaces st0.1 family inet mtu 1430
set interfaces unit 0 family inet address
# Setting the Security Zones for Oracle
# USER_DEFINED: Replace the parameters in the section below as needed
# Tunnel interface st0.1, inside_tunnel_interface and outside_public_interface are each defined in its own security zone.
set security zones security-zone oracle_vpn interfaces st0.1
set security zones security-zone oracle_trust interfaces
set security zones security-zone internet_untrust interfaces
# The security zone protecting the outside interface of the router must be configured to allow IKE and ping inbound traffic.
set security zones security-zone internet_untrust interfaces host-inbound-traffic system-services ike
set security zones security-zone internet_untrust interfaces host-inbound-traffic system-services ping
# The security zone protecting the logical tunnel interface must be configured to allow BGP inbound traffic.
set security zones security-zone oracle_vpn interfaces st0.1 host-inbound-traffic protocols bgp
# This option causes the router to reduce the Maximum Segment Size of TCP packets to prevent packet fragmentation.
set security flow tcp-mss ipsec-vpn mss 1387
# #4: Policies
# Setting the Security Policies for Oracle
# Policies define the permitted flow of traffic between defined security zones.
# The configuration template permits any IPv4 traffic sourced and destined between security zones oracle_trust and oracle_vpn.
set security policies from-zone oracle_trust to-zone oracle_vpn policy vpn-out match source-address any-ipv4
set security policies from-zone oracle_trust to-zone oracle_vpn policy vpn-out match destination-address any-ipv4
set security policies from-zone oracle_trust to-zone oracle_vpn policy vpn-out match application any
set security policies from-zone oracle_trust to-zone oracle_vpn policy vpn-out match source-identity any
set security policies from-zone oracle_trust to-zone oracle_vpn policy vpn-out then permit
# #5a: Border Gateway Protocol (BGP) Configuration
# USER_DEFINED: Replace the parameters in the section below as needed
# BGP is used within the tunnel to exchange prefixes between the Dynamic Routing Gateway (DRG) and your CPE. The DRG dynamically learns the routes from your on-premises network.
# On the Oracle side, the DRG advertises the VCN's subnets.
# The configuration template uses a basic route policy to advertise a default route to the DRG.
# To advertise additional prefixes to the Oracle VCN, add them to the default term of the ORACLE-DEFAULT policy. Make sure each prefix is present in the routing table of the device with a valid next-hop.
# You configure the local BGP Autonomous System Number (BGP ASN) when you set up the IPSec connection in the Oracle Console. If you later need to change the ASN, you must recreate the CPE object and IPSec connection in the Oracle Console.
set policy-options policy-statement ORACLE-DEFAULT term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ORACLE-DEFAULT term default then accept
set policy-options policy-statement ORACLE-DEFAULT term reject then reject
set protocols bgp group ebgp type external
set protocols bgp group ebgp neighbor export ORACLE-DEFAULT
set protocols bgp group ebgp neighbor peer-as 31898
set protocols bgp group ebgp neighbor local-as
# #5b: Static Route Configuration
# USER_DEFINED: Replace the parameters in the section below as needed
# If you plan to use static routing to get traffic through the IPSec tunnels, you can point the routes down to the tunnel interfaces. You should redistribute these routes into your on-premises network.
# Configuration for CPE to VCN static routes:
set routing-options static route next-hop st0.1
--------------------------------------------------------------------------------------------------------------------------------------------------------------
# IPSec Tunnel 2
# #1: Internet Key Exchange (IKE) Configuration (Phase 1)
# Defining the IKE Proposal for Oracle
# This IKE (Phase 1) configuration template uses AES256, SHA384, Diffie-Hellman Group 5, and a 28800 second (8 hours) IKE session key lifetime.
# If different parameters are required, modify this template before applying the configuration.
set security ike proposal oracle-ike-proposal authentication-method pre-shared-keys
set security ike proposal oracle-ike-proposal authentication-algorithm sha-384
set security ike proposal oracle-ike-proposal encryption-algorithm aes-256-cbc
set security ike proposal oracle-ike-proposal lifetime-seconds 28800
set security ike proposal oracle-ike-proposal dh-group group5
# Defining the IKE Policy for Oracle
# USER_DEFINED: Replace the parameters in the section below as needed
set security ike policy ike_pol_oracle-vpn- mode main
set security ike policy ike_pol_oracle-vpn- proposals oracle-ike-proposal
set security ike policy ike_pol_oracle-vpn- pre-shared-key ascii-text
# Setting up the Public Interface with the CPE Public IP.
# USER_DEFINED: Replace the parameters in the section below as needed
set interfaces unit 0 family inet address
# Defining the IKE Gateway for Oracle
# USER_DEFINED: Replace the parameters in the section below as needed.
# The dead-peer-detection option enables IPsec Dead Peer Detection, which causes periodic messages to be sent to ensure a Security Association remains operational.
# If you want to use IKEv1 instead, comment out the line below that ends with "version v2-only".
set security ike gateway gw_oracle- ike-policy ike_pol_oracle-vpn-
set security ike gateway gw_oracle- external-interface
set security ike gateway gw_oracle- address
set security ike gateway gw_oracle- dead-peer-detection
set security ike gateway gw_oracle- version v2-only
set security ike gateway gw_oracle- local-identity inet
# #2: IPSec Configuration
# Defining the IPSec (Phase 2) Proposal for Oracle
# The IPSec proposal defines the protocol, authentication, encryption, and lifetime parameters for the IPsec security association.
# The configuration template sets AES256 for encryption, SHA1 for authentication, enables PFS group 5, and sets the IPSec session key lifetime to 3600 seconds (1 hour).
# The IPsec policy incorporates the Diffie-Hellman group and the IPsec proposal.
# If different parameters are required, modify this template before applying the configuration.
set security ipsec vpn-monitor-options
set security ipsec proposal oracle-ipsec-proposal protocol esp
set security ipsec proposal oracle-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal oracle-ipsec-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal oracle-ipsec-proposal lifetime-seconds 3600
# Defining the IPSec (Phase 2) Policy for Oracle
set security ipsec policy ipsec_pol_oracle-vpn perfect-forward-secrecy keys group5
set security ipsec policy ipsec_pol_oracle-vpn proposals oracle-ipsec-proposal
# Defining the Security Association for Oracle
# USER_DEFINED: Replace the parameters in the section below as needed
# The IPsec policy and IKE gateway are associated with a tunnel interface (st0.2). If other tunnels are defined on your router, you must specify a unique interface name.
# The df-bit clear option allows the SRX to fragment the packet and send it to the end host in Oracle Cloud Infrastructure to reassemble the packet.
set security ipsec vpn oracle-vpn- bind-interface st0.2
set security ipsec vpn oracle-vpn- vpn-monitor
set security ipsec vpn oracle-vpn- ike gateway gw_oracle-
set security ipsec vpn oracle-vpn- ike ipsec-policy ipsec_pol_oracle-vpn
set security ipsec vpn oracle-vpn- df-bit clear
set security ipsec vpn oracle-vpn- establish-tunnels immediately
# #3: Tunnel Interface Configuration
# Defining the Tunnel Interface
# USER_DEFINED: Replace the parameters in the section below as needed
set interfaces st0.2 family inet address
set interfaces st0.2 family inet mtu 1430
set interfaces unit 0 family inet address
# Setting the Security Zones for Oracle
# USER_DEFINED: Replace the parameters in the section below as needed
# Tunnel interface st0.2, inside_tunnel_interface and outside_public_interface are each defined in its own security zone.
set security zones security-zone oracle_vpn interfaces st0.2
set security zones security-zone oracle_trust interfaces
set security zones security-zone internet_untrust interfaces
# The security zone protecting the outside interface of the router must be configured to allow IKE and ping inbound traffic.
set security zones security-zone internet_untrust interfaces host-inbound-traffic system-services ike
set security zones security-zone internet_untrust interfaces host-inbound-traffic system-services ping
# The security zone protecting the logical tunnel interface must be configured to allow BGP inbound traffic.
set security zones security-zone oracle_vpn interfaces st0.2 host-inbound-traffic protocols bgp
# This option causes the router to reduce the Maximum Segment Size of TCP packets to prevent packet fragmentation.
set security flow tcp-mss ipsec-vpn mss 1387
# #4: Policies
# Setting the Security Policies for Oracle
# Policies define the permitted flow of traffic between defined security zones.
# The configuration template permits any IPv4 traffic sourced and destined between security zones oracle_trust and oracle_vpn.
set security policies from-zone oracle_trust to-zone oracle_vpn policy vpn-out match source-address any-ipv4
set security policies from-zone oracle_trust to-zone oracle_vpn policy vpn-out match destination-address any-ipv4
set security policies from-zone oracle_trust to-zone oracle_vpn policy vpn-out match application any
set security policies from-zone oracle_trust to-zone oracle_vpn policy vpn-out match source-identity any
set security policies from-zone oracle_trust to-zone oracle_vpn policy vpn-out then permit
# #5a: Border Gateway Protocol (BGP) Configuration
# USER_DEFINED: Replace the parameters in the section below as needed
# BGP is used within the tunnel to exchange prefixes between the Dynamic Routing Gateway (DRG) and your CPE. The DRG dynamically learns the routes from your on-premises network.
# On the Oracle side, the DRG advertises the VCN's subnets.
# The configuration template uses a basic route policy to advertise a default route to the DRG.
# To advertise additional prefixes to the Oracle VCN, add them to the default term of the ORACLE-DEFAULT policy. Make sure each prefix is present in the routing table of the device with a valid next-hop.
# You configure the local BGP Autonomous System Number (BGP ASN) when you set up the IPSec connection in the Oracle Console. If you later need to change the ASN, you must recreate the CPE object and IPSec connection in the Oracle Console.
set policy-options policy-statement ORACLE-DEFAULT term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ORACLE-DEFAULT term default then accept
set policy-options policy-statement ORACLE-DEFAULT term reject then reject
set protocols bgp group ebgp type external
set protocols bgp group ebgp neighbor export ORACLE-DEFAULT
set protocols bgp group ebgp neighbor peer-as 31898
set protocols bgp group ebgp neighbor local-as
# #5b: Static Route Configuration
# USER_DEFINED: Replace the parameters in the section below as needed
# If you plan to use static routing to get traffic through the IPSec tunnels, you can point the routes down to the tunnel interfaces. You should redistribute these routes into your on-premises network.
# Configuration for CPE to VCN static routes:
set routing-options static route next-hop st0.2
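The USER_DEFINED substitution for both tunnels, as an added Python helper that is not part of Oracle's template: it fills the blank parameters from the PARAMETERS REFERENCED list into the per-tunnel IKE gateway, IPsec VPN, st0 interface, zone and BGP lines, and refuses a pair of tunnels that would share an st0 unit, headend or BGP neighbor. Assumptions: the template's blank name suffixes (gw_oracle-, ike_pol_oracle-vpn-, oracle-vpn-) are filled with the tunnel's st0 unit number, and all sample addresses and keys are constructed.

```python
from dataclasses import dataclass

ORACLE_BGP_ASN = 31898  # peer-as the template hard-codes for the Oracle DRG


@dataclass(frozen=True)
class TunnelParams:
    headend: str      # oracle_headend_N: Oracle public IP endpoint from the Console
    psk: str          # connection_presharedkey_N
    st_unit: int      # st0 unit the tunnel binds to (1 and 2 in the template)
    inside_ip: str    # inside_tunnel_interface_ip_address, CPE end, with prefix length
    neighbor_ip: str  # inside_tunnel_interface_ip_address_neighbor, Oracle end


def render_tunnel(t: TunnelParams, outside_if: str, cpe_ip: str, local_asn: int) -> list[str]:
    """Per-tunnel Junos 'set' lines with the placeholders filled in.
    Assumption: the template's blank name suffixes are filled with the st0 unit number."""
    gw, pol, vpn = f"gw_oracle-{t.st_unit}", f"ike_pol_oracle-vpn-{t.st_unit}", f"oracle-vpn-{t.st_unit}"
    st = f"st0.{t.st_unit}"
    return [
        f"set security ike policy {pol} mode main",
        f"set security ike policy {pol} proposals oracle-ike-proposal",
        f"set security ike policy {pol} pre-shared-key ascii-text {t.psk}",
        f"set security ike gateway {gw} ike-policy {pol}",
        f"set security ike gateway {gw} external-interface {outside_if}",
        f"set security ike gateway {gw} address {t.headend}",
        f"set security ike gateway {gw} dead-peer-detection",
        f"set security ike gateway {gw} version v2-only",
        f"set security ike gateway {gw} local-identity inet {cpe_ip}",
        f"set security ipsec vpn {vpn} bind-interface {st}",
        f"set security ipsec vpn {vpn} vpn-monitor",
        f"set security ipsec vpn {vpn} ike gateway {gw}",
        f"set security ipsec vpn {vpn} ike ipsec-policy ipsec_pol_oracle-vpn",
        f"set security ipsec vpn {vpn} df-bit clear",
        f"set security ipsec vpn {vpn} establish-tunnels immediately",
        f"set interfaces {st} family inet address {t.inside_ip}",
        f"set interfaces {st} family inet mtu 1430",
        f"set security zones security-zone oracle_vpn interfaces {st} host-inbound-traffic protocols bgp",
        f"set protocols bgp group ebgp neighbor {t.neighbor_ip} export ORACLE-DEFAULT",
        f"set protocols bgp group ebgp neighbor {t.neighbor_ip} peer-as {ORACLE_BGP_ASN}",
        f"set protocols bgp group ebgp neighbor {t.neighbor_ip} local-as {local_asn}",
    ]


def render_both(t1: TunnelParams, t2: TunnelParams, outside_if: str, cpe_ip: str, local_asn: int) -> list[str]:
    """Render both tunnels; refuse inputs that would make them collide on the SRX."""
    if t1.st_unit == t2.st_unit:
        raise ValueError("each tunnel needs its own st0 unit (the template uses st0.1 and st0.2)")
    if t1.headend == t2.headend or t1.neighbor_ip == t2.neighbor_ip:
        raise ValueError("the two tunnels must use the two distinct Oracle headends and BGP neighbors")
    return render_tunnel(t1, outside_if, cpe_ip, local_asn) + render_tunnel(t2, outside_if, cpe_ip, local_asn)


# Constructed sample values (RFC 5737 and link-local style addresses), not real Oracle endpoints.
SAMPLE_T1 = TunnelParams("192.0.2.10", "constructed-psk-1", 1, "169.254.10.2/30", "169.254.10.1")
SAMPLE_T2 = TunnelParams("192.0.2.20", "constructed-psk-2", 2, "169.254.20.2/30", "169.254.20.1")
```

The shared lines (IKE/IPsec proposals, zones for the physical interfaces, tcp-mss, the ORACLE-DEFAULT policy) are entered once from the template and are not repeated per tunnel here.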