!------------------------------------------------------------------------------------------------------------------------------------------------------------
! IKEv1 Configuration Template
! The configuration consists of two IPSec tunnels. Oracle highly recommends that you configure both tunnels for maximum redundancy.
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! The configuration template involves setting up the following:
! Configure ISAKMPv1 and IPSec Policies
! Configure Keepalive Setting of ICMP
! Configure Virtual Tunnel Interfaces
! IP Routing (BGP or Static)
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! The configuration template has various parameters that you must define before applying the configuration.
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! PARAMETERS REFERENCED:
! ${OracleHeadendIpAddress1} = Oracle public IP endpoint for the first tunnel, obtained from the Oracle Console.
! ${OracleHeadendIpAddress2} = Oracle public IP endpoint for the second tunnel, obtained from the Oracle Console.
! ${sharedSecret1} = Pre-shared key for the first tunnel. You provide it when you set up the IPSec connection in the Oracle Console, or you can use the default Oracle-provided value.
! ${sharedSecret2} = Pre-shared key for the second tunnel. You provide it when you set up the IPSec connection in the Oracle Console, or you can use the default Oracle-provided value.
! ${cpePublicIpAddress} = The public IP address of the CPE. This is the IP address of your outside interface.
! ${vcnCidrBlock} = VCN CIDR block. For example, 10.0.0.0/20.
! ${tunnelInterfaceNumber1} = The number of your tunnel interface for the first tunnel. For example, 1.
! ${tunnelInterfaceNumber2} = The number of your tunnel interface for the second tunnel. For example, 2.
! ${ikePolicy1} = The name of your IKE policy for the first tunnel. For example, ike-policy1.
! ${ikePolicy2} = The name of your IKE policy for the second tunnel. For example, ike-policy2.
! ${ipsecPolicy1} = The name of your IPSec policy for the first tunnel. For example, ipsec-policy1.
! ${ipsecPolicy2} = The name of your IPSec policy for the second tunnel. For example, ipsec-policy2.
! ${lanInterfaceNumber} = The number of your LAN interface. For example, 1.0.
! ${lanIpAddress} = The IP address of the LAN interface of your CPE.
! ${OracleInsideTunnelIpAddress1} = The Oracle-side inside tunnel IP address for the first tunnel. You provide this value when creating the IPSec connection in the Oracle Console.
! ${OracleInsideTunnelIpAddress2} = The Oracle-side inside tunnel IP address for the second tunnel. You provide this value when creating the IPSec connection in the Oracle Console.
! ${cpeInsideTunnelIpAddress1} = The CPE's inside tunnel IP address for the first tunnel.
! ${cpeInsideTunnelIpAddress2} = The CPE's inside tunnel IP address for the second tunnel.
! ${bgpASN} = Your BGP ASN.
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! Configure ISAKMPv1 and IPSec Policies
ip access-list sec-list permit ip src any dest any
ike nat-traversal
ike proposal ike-prop encryption aes-256 hash sha2-256 group 1536-bit
ike policy ${ikePolicy1} peer ${OracleHeadendIpAddress1} key ${sharedSecret1} ike-prop
ike policy ${ikePolicy2} peer ${OracleHeadendIpAddress2} key ${sharedSecret2} ike-prop
ipsec autokey-proposal ipsec-prop esp-aes-256 esp-sha lifetime time 3600
ipsec autokey-map ${ipsecPolicy1} sec-list peer ${OracleHeadendIpAddress1} ipsec-prop pfs 1536-bit
ipsec autokey-map ${ipsecPolicy2} sec-list peer ${OracleHeadendIpAddress2} ipsec-prop pfs 1536-bit
!
! Configure Keepalive Setting of ICMP
watch-group watch_tunnel1 10
 event 20 ip unreach-host ${lanIpAddress} Tunnel${tunnelInterfaceNumber1} source GigaEthernet${lanInterfaceNumber}
 action 10 ip shutdown-route ${vcnCidrBlock} Tunnel${tunnelInterfaceNumber1}
 action 20 ipsec clear-sa Tunnel${tunnelInterfaceNumber1}
network-monitor watch_tunnel1 enable
watch-group watch_tunnel2 10
 event 20 ip unreach-host ${lanIpAddress} Tunnel${tunnelInterfaceNumber2} source GigaEthernet${lanInterfaceNumber}
 action 10 ip shutdown-route ${vcnCidrBlock} Tunnel${tunnelInterfaceNumber2}
 action 20 ipsec clear-sa Tunnel${tunnelInterfaceNumber2}
network-monitor watch_tunnel2 enable
!
! Configure Virtual Tunnel Interfaces
! Each tunnel interface is bound to the IPSec policy that was defined above for that tunnel.
interface Tunnel${tunnelInterfaceNumber1}
 tunnel mode ipsec
 ip address ${cpeInsideTunnelIpAddress1}
 ip tcp adjust-mss auto
 ipsec policy tunnel ${ipsecPolicy1} out
 no shutdown
interface Tunnel${tunnelInterfaceNumber2}
 tunnel mode ipsec
 ip address ${cpeInsideTunnelIpAddress2}
 ip tcp adjust-mss auto
 ipsec policy tunnel ${ipsecPolicy2} out
 no shutdown
!
! IP Routing
! Select dynamic (BGP) or static routing. Uncomment the corresponding commands prior to applying the configuration.
!
! Border Gateway Protocol (BGP) Configuration
! Uncomment the lines below if you select BGP.
! ip ufs-cache enable cache
! route-map pri1 permit 10
!  set metric 5
!  set local-preference 200
! route-map pri2 permit 10
!  set metric 10
!  set local-preference 150
! router bgp ${bgpASN}
!  neighbor ${OracleInsideTunnelIpAddress1} remote-as 31898
!  neighbor ${OracleInsideTunnelIpAddress1} timers 10 30
!  neighbor ${OracleInsideTunnelIpAddress2} remote-as 31898
!  neighbor ${OracleInsideTunnelIpAddress2} timers 10 30
!  address-family ipv4 unicast
!   neighbor ${OracleInsideTunnelIpAddress1} route-map pri1 in
!   neighbor ${OracleInsideTunnelIpAddress1} route-map pri1 out
!   neighbor ${OracleInsideTunnelIpAddress2} route-map pri2 in
!   neighbor ${OracleInsideTunnelIpAddress2} route-map pri2 out
!   network 192.168.100.0/24
! Replace 192.168.100.0/24 with the on-premises prefix you want to advertise to Oracle.
!
! Static Route Configuration
! Uncomment the lines below if you select static routing.
! Both routes use the tunnel interfaces defined above, so traffic to the VCN can fail over between the two tunnels.
! ip ufs-cache enable
! ip route ${vcnCidrBlock} Tunnel${tunnelInterfaceNumber1}
! ip route ${vcnCidrBlock} Tunnel${tunnelInterfaceNumber2}
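The template above is only as safe as the parameter set substituted into it: a typo in the VCN CIDR, the same Oracle headend pasted into both tunnels, or an inside tunnel address on the wrong /30 produces a configuration that loads but leaves you with one working tunnel instead of two. The following script is an added example, not Oracle's or the CPE vendor's code. It assumes only the `${...}` parameter names used in the template; the template excerpt it renders is a shortened copy of the lines above, and every value in `SAMPLE_PARAMS` is a constructed placeholder (documentation address ranges and dummy secrets), not a real endpoint. It checks that every placeholder is supplied, that addresses and the CIDR parse, that the two tunnels are actually distinct, and that each Oracle inside address falls inside the subnet of the matching CPE inside address before it emits anything.

```python
"""Render the two-tunnel IKEv1 template and sanity-check its parameters (added example)."""
import ipaddress
import re
from string import Template

# Shortened excerpt of the template above, embedded so the script runs offline.
TEMPLATE_EXCERPT = """\
ike policy ${ikePolicy1} peer ${OracleHeadendIpAddress1} key ${sharedSecret1} ike-prop
ike policy ${ikePolicy2} peer ${OracleHeadendIpAddress2} key ${sharedSecret2} ike-prop
interface Tunnel${tunnelInterfaceNumber1}
 ip address ${cpeInsideTunnelIpAddress1}
 ipsec policy tunnel ${ipsecPolicy1} out
interface Tunnel${tunnelInterfaceNumber2}
 ip address ${cpeInsideTunnelIpAddress2}
 ipsec policy tunnel ${ipsecPolicy2} out
ip route ${vcnCidrBlock} Tunnel${tunnelInterfaceNumber1}
ip route ${vcnCidrBlock} Tunnel${tunnelInterfaceNumber2}
"""

# Constructed placeholder values (RFC 5737 documentation ranges, dummy secrets).
SAMPLE_PARAMS = {
    "OracleHeadendIpAddress1": "203.0.113.10", "OracleHeadendIpAddress2": "203.0.113.20",
    "sharedSecret1": "replace-me-psk-tunnel-1", "sharedSecret2": "replace-me-psk-tunnel-2",
    "cpePublicIpAddress": "198.51.100.5", "vcnCidrBlock": "10.0.0.0/20",
    "tunnelInterfaceNumber1": "1", "tunnelInterfaceNumber2": "2",
    "ikePolicy1": "ike-policy1", "ikePolicy2": "ike-policy2",
    "ipsecPolicy1": "ipsec-policy1", "ipsecPolicy2": "ipsec-policy2",
    "lanInterfaceNumber": "1.0", "lanIpAddress": "192.168.100.1",
    "OracleInsideTunnelIpAddress1": "10.10.10.2", "OracleInsideTunnelIpAddress2": "10.10.10.6",
    "cpeInsideTunnelIpAddress1": "10.10.10.1/30", "cpeInsideTunnelIpAddress2": "10.10.10.5/30",
    "bgpASN": "65000",
}

PLACEHOLDER_RE = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def find_placeholders(template: str) -> set:
    """Return the set of ${name} parameters a template references."""
    return set(PLACEHOLDER_RE.findall(template))


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_params(p: dict) -> list:
    """Return human-readable problems; an empty list means the parameter set is consistent."""
    problems = []
    for name in ("OracleHeadendIpAddress1", "OracleHeadendIpAddress2", "cpePublicIpAddress",
                 "lanIpAddress", "OracleInsideTunnelIpAddress1", "OracleInsideTunnelIpAddress2"):
        if not _is_ip(p.get(name, "")):
            problems.append(f"{name} is not a valid IP address")
    try:  # strict=True rejects host bits, e.g. 10.0.0.1/20
        ipaddress.ip_network(p.get("vcnCidrBlock", ""), strict=True)
    except ValueError:
        problems.append("vcnCidrBlock must be a network prefix such as 10.0.0.0/20")
    # Redundancy only exists if the two tunnels are really distinct.
    for a, b in (("OracleHeadendIpAddress1", "OracleHeadendIpAddress2"),
                 ("tunnelInterfaceNumber1", "tunnelInterfaceNumber2"),
                 ("cpeInsideTunnelIpAddress1", "cpeInsideTunnelIpAddress2"),
                 ("ikePolicy1", "ikePolicy2"), ("ipsecPolicy1", "ipsecPolicy2")):
        if p.get(a) and p.get(a) == p.get(b):
            problems.append(f"{a} and {b} must differ")
    for n in ("1", "2"):
        cpe_key, oracle_key = "cpeInsideTunnelIpAddress" + n, "OracleInsideTunnelIpAddress" + n
        try:
            cpe_if = ipaddress.ip_interface(p.get(cpe_key, ""))
        except ValueError:
            problems.append(f"{cpe_key} must be address/prefix, e.g. 10.10.10.1/30")
            continue
        if cpe_if.network.prefixlen == cpe_if.max_prefixlen:
            problems.append(f"{cpe_key} needs a prefix length, e.g. /30")
        elif _is_ip(p.get(oracle_key, "")) and ipaddress.ip_address(p[oracle_key]) not in cpe_if.network:
            problems.append(f"{oracle_key} is outside the subnet of {cpe_key}")
        if not p.get("sharedSecret" + n):
            problems.append(f"sharedSecret{n} is empty")
    asn = str(p.get("bgpASN", ""))
    if not asn.isdigit() or not 1 <= int(asn) <= 4294967295:
        problems.append("bgpASN must be an integer in 1..4294967295")
    return problems


def render(template: str, p: dict) -> str:
    """Substitute parameters, refusing to emit a config with unset placeholders or bad values."""
    missing = sorted(find_placeholders(template) - set(p))
    problems = validate_params(p) + [f"{m} is not set" for m in missing]
    if problems:
        raise ValueError("; ".join(problems))
    return Template(template).substitute(p)


if __name__ == "__main__":
    print(render(TEMPLATE_EXCERPT, SAMPLE_PARAMS))
```

The `render` step refuses to produce output if any check fails, so the script can sit in front of whatever pushes the configuration to the CPE; keep the real pre-shared keys out of the parameter file you commit and inject them at render time instead.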