Oracle Cloud Infrastructure Documentation

Check Point

This section includes two different sets of instructions: for domain-based tunnel configuration and VPN tunnel interface (VTI) configuration.

This configuration was validated using a Check Point 2200.


Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec VPN connection. Even if you configure one tunnel as primary and another as backup, traffic from your VCN to your on-premises network can use any tunnel that is "up" on your device. Configure your firewalls accordingly. Otherwise, ping tests or application traffic across the connection will not reliably work.

Supported Encryption Domain or Proxy ID

The values for the encryption domain (also known as a proxy ID, security parameter index (SPI), or traffic selector) depend on whether your CPE supports route-based tunnels or policy-based tunnels. For more information about the correct encryption domain values to use, see Supported Encryption Domain or Proxy ID.

Parameters from API or Console

Get the following parameters from the Oracle Cloud Infrastructure Console or API.


  • Oracle VPN headend IPSec tunnel endpoints. There is one value for each tunnel.
  • Example value:


  • The IPSec IKE pre-shared-key. There is one value for each tunnel.
  • Example value: EXAMPLEDPfAMkD7nTH3SWr6OFabdT6exXn6enSlsKbE

Additional Configuration Parameters

The Check Point config requires the following additional variables:


  • The name of the Interface where the CPE's public IP address is configured.
  • Example Value: eth1


  • When creating the VCN, your company selected this CIDR to represent the IP aggregate network for all VCN hosts.
  • Example Value:

${VcnCidrNetwork} and ${VcnCidrNetmask}

  • These are the base address and netmask for the ${VcnCidrBlock}
  • For more information, see: Wikipedia reference for finding CidrNetmask
  • Values based on the example ${VcnCidrBlock} shown above:
    • ${VcnCidrNetwork}:
    • ${VcnCidrNetmask}:

Config Template Parameter Summary

Each region has multiple Oracle IPSec headends. The template below will allow setting up multiple tunnels on your CPE, each to a corresponding headend. In the table below, "User" is you/your company.

Parameter Source Example Value
${ipAddress1} Console/API
${sharedSecret1} Console/API (long string)
${ipAddress2} Console/API
${sharedSecret2} Console/API (long string)
${cpePublicInterface} User eth1
${VcnCidrNetwork} User
${VcnCidrNetmask} User


The following ISAKMP and IPSec policy parameter values are applicable to VPN Connect in the commercial cloud. For the Government Cloud, you must use the values listed in Required VPN Connect Parameters for the Government Cloud.

ISAKMP Policy Options

IPSec Policy Options

Domain-Based Tunnel Configuration
VPN Tunnel Interface (VTI) Configuration